Re: cifs multiuser sends wrong uid:gid [solved]

[steve <steve@xxxxxxxxxxxx>]

On 12/04/13 12:27, Jeff Layton wrote:
> On Fri, 12 Apr 2013 11:20:15 +0200
> steve <steve@xxxxxxxxxxxx> wrote:
>
> > Hi
> > samba 4.0.5
> > openSUSE 12.3 cifs-utils-5.9
> >
> > I have a share:
> > [users]
> > path = /home/users
> > read only = No
> >
> > I mount it as root:
> > h16:/tmp # kinit Administrator
> > Password for Administrator@xxxxxxxx:
> >
> > hh16:/tmp # klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: Administrator@xxxxxxxx
> >
> > Valid starting Expires Service principal
> > 04/12/13 11:06:37 04/12/13 21:06:37 krbtgt/HH3.SITE@xxxxxxxx
> > renew until 04/13/13 11:06:30
> >
> > hh16:/tmp # mount.cifs //hh16.hh3.site/users /mnt --verbose
> > -osec=krb5,multiuser
> > mount.cifs kernel mount options:
> > ip=192.168.1.16,unc=\\hh16.hh3.site\users,sec=krb5,multiuser,user=steve,pass=********
> >
> > .
> > 2013-04-12T11:05:49.678122+02:00 hh16 cifs.upcall: key description:
> > cifs.spnego;0;0;3f000000;ver=0x2;host=hh16.hh3.site;ip4=192.168.1.16;sec=krb5;uid=0x0;creduid=0x0;user=steve;pid=0xaa9
> > 2013-04-12T11:05:49.678807+02:00 hh16 cifs.upcall: ver=2
> > 2013-04-12T11:05:49.678950+02:00 hh16 cifs.upcall: host=hh16.hh3.site
> > 2013-04-12T11:05:49.681949+02:00 hh16 cifs.upcall: ip=192.168.1.16
> > 2013-04-12T11:05:49.681974+02:00 hh16 cifs.upcall: sec=1
> > 2013-04-12T11:05:49.681981+02:00 hh16 cifs.upcall: uid=0
> > 2013-04-12T11:05:49.681986+02:00 hh16 cifs.upcall: creduid=0
> > 2013-04-12T11:05:49.681991+02:00 hh16 cifs.upcall: user=steve
> > 2013-04-12T11:05:49.682443+02:00 hh16 cifs.upcall: pid=2729
> > 2013-04-12T11:05:49.683046+02:00 hh16 cifs.upcall: find_krb5_cc: scandir
> > error on directory '/run/user/0': No such file or directory
> > 2013-04-12T11:05:49.683488+02:00 hh16 cifs.upcall: find_krb5_cc:
> > considering /tmp/krb5cc_1000
> > 2013-04-12T11:05:49.683902+02:00 hh16 cifs.upcall: find_krb5_cc:
> > /tmp/krb5cc_1000 is owned by 1000, not 0
> > 2013-04-12T11:05:49.684385+02:00 hh16 cifs.upcall: find_krb5_cc:
> > considering /tmp/krb5cc_3000034
> > 2013-04-12T11:05:49.684779+02:00 hh16 cifs.upcall: find_krb5_cc:
> > /tmp/krb5cc_3000034 is owned by 3000034, not 0
> > 2013-04-12T11:05:49.685567+02:00 hh16 cifs.upcall: find_krb5_cc:
> > considering /tmp/krb5cc_3000032
> > 2013-04-12T11:05:49.686041+02:00 hh16 cifs.upcall: find_krb5_cc:
> > /tmp/krb5cc_3000032 is owned by 3000032, not 0
> > 2013-04-12T11:05:49.686352+02:00 hh16 cifs.upcall: find_krb5_cc:
> > considering /tmp/krb5cc_0
> > 2013-04-12T11:05:49.686638+02:00 hh16 cifs.upcall: find_krb5_cc:
> > FILE:/tmp/krb5cc_0 is valid ccache
> > 2013-04-12T11:05:49.686919+02:00 hh16 cifs.upcall: handle_krb5_mech:
> > getting service ticket for hh16.hh3.site
> > 2013-04-12T11:05:49.687248+02:00 hh16 cifs.upcall: handle_krb5_mech:
> > obtained service ticket
> > 2013-04-12T11:05:49.687523+02:00 hh16 cifs.upcall: Exit status 0
> >
> >
> > hh16:/tmp # su steve2
> > steve2@hh16:/tmp> kinit steve2
> > Password for steve2@xxxxxxxx:
> > steve2@hh16:/tmp> cd /mnt/steve2
> > steve2@hh16:/mnt/steve2> touch j
> > touch: cannot touch ‘j’: Permission denied
> > 2
> > 2013-04-12T11:10:48.599379+02:00 hh16 cifs.upcall: key description:
> > cifs.spnego;3000034;20513;3f000000;ver=0x2;host=hh16.hh3.site;ip4=192.168.1.16;sec=krb5;uid=0x2dc6e2;creduid=0x2dc6e2;pid=0xb5a
> > 2013-04-12T11:10:48.599412+02:00 hh16 cifs.upcall: ver=2
> > 2013-04-12T11:10:48.601816+02:00 hh16 cifs.upcall: host=hh16.hh3.site
> > 2013-04-12T11:10:48.601840+02:00 hh16 cifs.upcall: ip=192.168.1.16
> > 2013-04-12T11:10:48.601847+02:00 hh16 cifs.upcall: sec=1
> > 2013-04-12T11:10:48.601852+02:00 hh16 cifs.upcall: uid=3000034
> > 2013-04-12T11:10:48.601857+02:00 hh16 cifs.upcall: creduid=3000034
> > 2013-04-12T11:10:48.602956+02:00 hh16 cifs.upcall: pid=2906
> > 2013-04-12T11:10:48.602978+02:00 hh16 cifs.upcall: find_krb5_cc: scandir
> > error on directory '/run/user/3000034': No such file or directory
> > 2013-04-12T11:10:48.603432+02:00 hh16 cifs.upcall: find_krb5_cc:
> > considering /tmp/krb5cc_1000
> > 2013-04-12T11:10:48.604677+02:00 hh16 cifs.upcall: find_krb5_cc:
> > /tmp/krb5cc_1000 is owned by 1000, not 3000034
> > 2013-04-12T11:10:48.605262+02:00 hh16 cifs.upcall: find_krb5_cc:
> > considering /tmp/krb5cc_3000034
> > 2013-04-12T11:10:48.605779+02:00 hh16 cifs.upcall: find_krb5_cc:
> > FILE:/tmp/krb5cc_3000034 is valid ccache
> > 2013-04-12T11:10:48.607568+02:00 hh16 cifs.upcall: find_krb5_cc:
> > considering /tmp/krb5cc_3000032
> > 2013-04-12T11:10:48.608414+02:00 hh16 cifs.upcall: find_krb5_cc:
> > /tmp/krb5cc_3000032 is owned by 3000032, not 3000034
> > 2013-04-12T11:10:48.608948+02:00 hh16 cifs.upcall: find_krb5_cc:
> > considering /tmp/krb5cc_0
> > 2013-04-12T11:10:48.609470+02:00 hh16 cifs.upcall: find_krb5_cc:
> > /tmp/krb5cc_0 is owned by 0, not 3000034
> > 2013-04-12T11:10:48.610854+02:00 hh16 cifs.upcall: handle_krb5_mech:
> > getting service ticket for hh16.hh3.site
> > 2013-04-12T11:10:48.615154+02:00 hh16 cifs.upcall: handle_krb5_mech:
> > obtained service ticket
> > 2013-04-12T11:10:48.615189+02:00 hh16 cifs.upcall: Exit status 0
> > hh16:/tmp #
> >
> > That seems fine except that the wrong uid:gid has been sent to the mount
> > for steve2 so he can't write to his cifs mounted folder.
> >
> > To investigate this, I made his folder 0777 and then created a file in
> > the share:
> >
> > hh16:/home/users # chmod 0777 steve2/
> > hh16:/home/users # su steve2
> > steve2@hh16:/home/users> cd /mnt/steve2
> > steve2@hh16:/mnt/steve2> touch testfile
> > steve2@hh16:/mnt/steve2> ls -l
> > total 1024
> > -rw-r--r-- 1 steve2 Domain Users 0 Apr 12 09:58 j
> > -rwxrwxr-x+ 1 3000019 users 0 Apr 12 11:14 testfile
> >
> > cifs has sent 3000019:100 as the uid:gid It should send 3000034:20513
> >
> > Question:
> > - why is user=steve specified on the mount command? (I am unix user
> > steve. steve2 is a domain user, but I'm doing the mount as root)
> Probably because you're su'ing to root without clearing your
> environment. If you don't specify a username, then mount.cifs will
> scrape the value of $USER out of your environment and stuff that into
> the field. It really matters little here though -- the username is
> ignored when you use kerberos. All that matters is the ticket.
>
> > - What am I doing wrong?
> At first glance, I have to wonder whether "steve2" is mapped to the
> same uid on the client and server. It seems likely that on the client
> that this krb5 user maps to 3000034, but on the server it maps to
> 3000019.
Hi Jeff
Yes. That was it. The server got the uid from idmap.ldb and the client 
from AD. Or maybe the other way around. Anyway,I tried to force this with:
idmap_ldb use:rfc2307 = Yes
but that's the wrong syntax; but not identified by testparm:(

So, for the record, to pull uid:gid from AD and _not_ idmap:
[global] in smb.conf needs this syntax:
idmap_ldb:use rfc2307 = Yes

Personally, I think that all uid:gid should come from AD by default.

Thanks for your time,
Steve

--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html