Bug 1657665
Summary: | Error accessing files on samba share randomly | |
---|---|---|---
Product: | Red Hat Enterprise Linux 8 | Reporter: | Niranjan Mallapadi Raghavender <mniranja>
Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint>
Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe>
Severity: | medium | Docs Contact: | Marc Muehlfeld <mmuehlfe>
Priority: | unspecified | |
Version: | 8.0 | CC: | asn, gdeschner, grajaiya, igkioka, jarrpa, jhrozek, jstephen, lmanasko, lslebodn, mniranja, mzidek, pasik, pbrezina, sbose, sgoveas, tscherf
Target Milestone: | rc | |
Target Release: | 8.0 | |
Hardware: | x86_64 | |
OS: | Linux | |
Fixed In Version: | sssd-2.2.0-1.el8 | Doc Type: | Bug Fix
Last Closed: | 2019-11-05 22:33:53 UTC | Type: | Bug
Bug Blocks: | 1707759 | |

Doc Text:
.Samba no longer denies access when using the `sss` ID mapping plug-in
Previously, when you ran Samba on the domain member with this configuration and added a configuration that used the `sss` ID mapping back end to the `/etc/samba/smb.conf` file to share directories, changes in the ID mapping back end caused errors. Consequently, Samba denied access to files in certain cases, even if the user or group existed and it was known by SSSD. The problem has been fixed. As a result, Samba no longer denies access when using the `sss` plug-in.

Description
Niranjan Mallapadi Raghavender
2018-12-10 09:03:37 UTC
Below is the output where the user foobar2 is successful in accessing pgroup2 share but doing the same operation fails.

    echo "Secret123" | kinit foobar1
    mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar1 //IBM-X3650M4-01/share1 /abc
    ls -l /abc/pgroup1
    umount /abc
    kdestroy -A
    echo "Secret123" | kinit foobar2
    mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar2 //IBM-X3650M4-01/share1 /abc
    ls -l /abc/pgroup2
    umount /abc
    kdestroy -A

    [root@ibm-x3650m4-01 ~]# sh -x a.sh
    + echo Secret123
    + kinit foobar1
    Password for foobar1:
    + mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar1 //IBM-X3650M4-01/share1 /abc
    + ls -l /abc/pgroup1
    total 0
    + umount /abc
    + kdestroy -A
    + kinit foobar2
    + echo Secret123
    Password for foobar2:
    + mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar2 //IBM-X3650M4-01/share1 /abc
    + ls -l /abc/pgroup2
    ls: reading directory '/abc/pgroup2': Permission denied
    total 0
    + umount /abc
    + kdestroy -A

Created attachment 1512967
samba logs when pgroup1 is accessed by foobar1 user

Created attachment 1512970
samba logs when pgroup2 is accessed by foobar2 user

Going through the samba logs I see that when it's trying to access pgroup2 share and it fails, it adds * to the directory

    <snip>
      change_to_user_internal: Skipping user change - already user
    [2018/12/10 02:42:34.466021, 3, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/trans2.c:2667(call_trans2findfirst)
      call_trans2findfirst: dirtype = 17, maxentries = 150, close_after_first=0, close_if_end = 1 requires_resume_key = 1 backup_priv = 0 level = 0x202, max_data_bytes = 16384
    [2018/12/10 02:42:34.466077, 5, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/filename.c:461(unix_convert)
      unix_convert called on file "pgroup2/*"
    [2018/12/10 02:42:34.466105, 5, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/filename.c:662(unix_convert)
      unix_convert begin: name = pgroup2/*, dirpath = , start = pgroup2/*
    [2018/12/10 02:42:34.466141, 5, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/statcache.c:144(stat_cache_add)
      stat_cache_add: Added entry (56049a678630:size 7) pgroup2 -> pgroup2
    [2018/12/10 02:42:34.466179, 4, pid=7131, effective(842004661, 842000513), real(842004661, 0), class=vfs] ../source3/smbd/vfs.c:805(vfs_ChDir)
      vfs_ChDir to pgroup2
    [2018/12/10 02:42:34.466204, 3, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/filename.c:1382(get_real_filename_full_scan)
      scan dir didn't open dir [pgroup2]
    [2018/12/10 02:42:34.466225, 10, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/filename.c:1209(unix_convert)
      dirpath = [pgroup2] start = [*]
    [2018/12/10 02:42:34.466254, 10, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/filename.c:1629(filename_convert_internal)
      filename_convert_internal: unix_convert failed for name pgroup2/* with NT_STATUS_ACCESS_DENIED
    [2018/12/10 02:42:34.466278, 3, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/error.c:82(error_packet_set)
      NT error packet at ../source3/smbd/trans2.c(2750) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
    [2018/12/10 02:42:34.466300, 5, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/lib/util.c:184(show_msg)
    [2018/12/10 02:42:34.466315, 5, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/lib/util.c:194(show_msg)
    </snip>

Whereas when the user foobar1 tries to access pgroup directory, samba doesn't add * to the path.

    <snip>
      conversion of base_name finished pgroup1 -> pgroup1
    [2018/12/10 02:36:14.858905, 10, pid=6583, effective(842004482, 842000513), real(842004482, 0), class=vfs] ../source3/smbd/vfs.c:1196(check_reduced_name)
      check_reduced_name: check_reduced_name [pgroup1] [/mnt/samba/share1]
    [2018/12/10 02:36:14.858947, 10, pid=6583, effective(842004482, 842000513), real(842004482, 0), class=vfs] ../source3/smbd/vfs.c:1260(check_reduced_name)
      check_reduced_name realpath [pgroup1] -> [/mnt/samba/share1/pgroup1]
    [2018/12/10 02:36:14.858972, 5, pid=6583, effective(842004482, 842000513), real(842004482, 0), class=vfs] ../source3/smbd/vfs.c:1371(check_reduced_name)
      check_reduced_name: pgroup1 reduced to /mnt/samba/share1/pgroup1
    [2018/12/10 02:36:14.859002, 10, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/smbd/files.c:754(file_name_hash)
      file_name_hash: /mnt/samba/share1/pgroup1 hash 0x3c280b28
    [2018/12/10 02:36:14.859031, 3, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/smbd/trans2.c:5972(call_trans2qfilepathinfo)
      call_trans2qfilepathinfo pgroup1 (fnum [fsp is NULL]) level=516 call=5 total_data=0
    [2018/12/10 02:36:14.859109, 5, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/smbd/trans2.c:4877(smbd_do_qfilepathinfo)
      smbd_do_qfilepathinfo: pgroup1 (fnum [fsp is NULL]) level=516 max_data=4000
    [2018/12/10 02:36:14.859139, 8, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/smbd/dosmode.c:667(dos_mode)
      dos_mode: pgroup1
    [2018/12/10 02:36:14.859169, 5, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/smbd/dosmode.c:323(get_ea_dos_attribute)
      get_ea_dos_attribute: Cannot get attribute from EA on file pgroup1: Error = No data available
    [2018/12/10 02:36:14.859200, 5, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/smbd/dosmode.c:70(dos_mode_debug_print)
      dos_mode_debug_print: dos_mode returning (0x10): "d"
    [2018/12/10 02:36:14.859265, 9, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/smbd/trans2.c:1148(send_trans2_replies)
      t2_rep: params_sent_thistime = 2, data_sent_thistime = 36, useable_space = 16406
    [2018/12/10 02:36:14.859292, 9, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/smbd/trans2.c:1150(send_trans2_replies)
      t2_rep: params_to_send = 2, data_to_send = 36, paramsize = 2, datasize = 36
    [2018/12/10 02:36:14.859317, 5, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/lib/util.c:184(show_msg)
    [2018/12/10 02:36:14.859334, 5, pid=6583, effective(842004482, 842000513), real(842004482, 0)] ../source3/lib/util.c:194(show_msg)
    </snip>

I have tried the order of starting the services with not much difference, with sssd as the first service to start (due to realm join) and interchanging the order between smb and winbind doesn't change the outcome.

Forgot to add the version of Samba used in the initial Comment. Below is the samba version.

    samba-common-tools-4.9.1-5.el8.x86_64
    samba-winbind-clients-4.9.1-5.el8.x86_64
    samba-client-libs-4.9.1-5.el8.x86_64
    samba-common-libs-4.9.1-5.el8.x86_64
    samba-winbind-modules-4.9.1-5.el8.x86_64
    samba-client-4.9.1-5.el8.x86_64
    samba-4.9.1-5.el8.x86_64
    samba-common-4.9.1-5.el8.noarch
    samba-libs-4.9.1-5.el8.x86_64
    samba-winbind-4.9.1-5.el8.x86_64

The issue is reproducible (Randomly) even with smbclient

    [root@ibm-x3650m4-01 ~]# sh -x a.sh
    ### Login as foobar1 User and access /abc/pgroup1 to which foobar1 user has permissions
    + echo Secret123
    + kinit foobar1
    Password for foobar1:
    + mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar1 //IBM-X3650M4-01/share1 /abc
    + ls -l /abc/pgroup1
    total 0 <===============================Success
    + umount /abc
    + kdestroy -A
    # Login as foobar2 user and access /abc/pgroup2 to which foobar2 has permissions to write
    + kinit foobar2
    + echo Secret123
    Password for foobar2:
    + mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar2 //IBM-X3650M4-01/share1 /abc
    + ls -l /abc/pgroup2
    ls: reading directory '/abc/pgroup2': Permission denied <===============Failure
    total 0
    + umount /abc
    + kdestroy -A
    # Login as foobar2 user and access pgroup2 directory using smbclient
    [root@ibm-x3650m4-01 ~]# kinit foobar2
    Password for foobar2:
    (reverse-i-search)`': ^C
    [root@ibm-x3650m4-01 ~]# smbclient -k //IBM-X3650M4-01/share1
    Try "help" to get a list of possible commands.
    smb: \> cd pgroup2
    smb: \pgroup2\> ls
    NT_STATUS_ACCESS_DENIED listing \pgroup2\*
    smb: \pgroup2\> ls
    NT_STATUS_ACCESS_DENIED listing \pgroup2\*
    smb: \pgroup2\> ls
    NT_STATUS_ACCESS_DENIED listing \pgroup2\*
    smb: \pgroup2\>

Created attachment 1513277
samba logs when foobar2 access pgroup2 directory using smbclient

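Added example, not part of the original bug report or of Samba/SSSD: a small parser for the smbd log format quoted in the comments above that pulls out each path-resolution denial together with the effective uid/gid smbd was running as and the preceding entries from the same process. It assumes the header layout shown in the report (timestamp, level, pid, effective(), real(), optional class); the function names and the sample, which is built from entries quoted in this report, are constructed for illustration.

```python
import re

# smbd entry header when timestamp, pid and uid debug prefixes are enabled.
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+), pid=(?P<pid>\d+), "
    r"effective\((?P<euid>\d+), (?P<egid>\d+)\), real\(\d+, \d+\)"
    r"(?:, class=(?P<cls>\w+))?\]\s+(?P<loc>\S+)\s*$"
)
DENIED_NAME = re.compile(r"failed for name (?P<name>.+?) with NT_STATUS_ACCESS_DENIED")

# Constructed sample: four entries quoted in this report, each written as one
# header line followed by one message line.
SAMPLE = """\
[2018/12/10 02:36:14.858972, 5, pid=6583, effective(842004482, 842000513), real(842004482, 0), class=vfs] ../source3/smbd/vfs.c:1371(check_reduced_name)
  check_reduced_name: pgroup1 reduced to /mnt/samba/share1/pgroup1
[2018/12/10 02:42:34.466204, 3, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/filename.c:1382(get_real_filename_full_scan)
  scan dir didn't open dir [pgroup2]
[2018/12/10 02:42:34.466254, 10, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/filename.c:1629(filename_convert_internal)
  filename_convert_internal: unix_convert failed for name pgroup2/* with NT_STATUS_ACCESS_DENIED
[2018/12/10 02:42:34.466278, 3, pid=7131, effective(842004661, 842000513), real(842004661, 0)] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/trans2.c(2750) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED
"""

def parse_entries(text):
    """Split a log into entries; message lines attach to the preceding header."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            entry = m.groupdict()
            for key in ("level", "pid", "euid", "egid"):
                entry[key] = int(entry[key])
            entry["msg"] = ""
            entries.append(entry)
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def denials(text, context=2):
    """Return path-resolution denials with smbd's identity and prior same-pid messages."""
    entries = parse_entries(text)
    found = []
    for i, e in enumerate(entries):
        m = DENIED_NAME.search(e["msg"])
        if not m:
            continue
        prior = [p["msg"] for p in entries[:i] if p["pid"] == e["pid"] and p["msg"]]
        found.append({"ts": e["ts"], "pid": e["pid"], "euid": e["euid"],
                      "egid": e["egid"], "name": m.group("name"),
                      "before": prior[max(0, len(prior) - context):]})
    return found

def denials_by_identity(text):
    """Map (euid, egid) to the sorted names that were denied for it."""
    grouped = {}
    for d in denials(text):
        grouped.setdefault((d["euid"], d["egid"]), set()).add(d["name"])
    return {ident: sorted(names) for ident, names in grouped.items()}

if __name__ == "__main__":
    for d in denials(SAMPLE):
        print(d["ts"], "uid", d["euid"], "gid", d["egid"], "denied", d["name"], d["before"])
```

The uid/gid pair it reports can be compared with `getent passwd` and `getent group` output for the same account to see which identity smbd resolved for the session.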
Cannot reproduce the issue with winbind setup. Below are the steps:

1. Join the system using winbind

    [root@vm-idm-033 ~]# realm join --client-software=winbind JUNO.TEST -v
     * Resolving: _ldap._tcp.juno.test
     * Performing LDAP DSE lookup on: 10.65.223.136
     * Successfully discovered: juno.test
     * Required files: /usr/libexec/oddjob/mkhomedir, /usr/sbin/oddjobd, /usr/bin/wbinfo, /usr/sbin/winbindd, /usr/bin/net
     * LANG=C LOGNAME=root KRB5CCNAME=/var/cache/realmd/realm-ad-kerberos-U9AEUZ /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.WYAEUZ -k ads join juno.test
    Failed to join domain: Failed to set account flags for machine account (NT_STATUS_ACCESS_DENIED)
     ! Insufficient permissions to join the domain juno.test
    Password for Administrator:
     * Required files: /usr/libexec/oddjob/mkhomedir, /usr/sbin/oddjobd, /usr/bin/wbinfo, /usr/sbin/winbindd, /usr/bin/net
     * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.BOQ9TZ -U Administrator ads join juno.test
    Enter Administrator's password:DNS update failed: NT_STATUS_UNSUCCESSFUL
    Using short domain name -- JUNO
    Joined 'VM-IDM-033' to dns domain 'juno.test'
    DNS Update for vm-idm-033.lab.eng.pnq.redhat.com failed: ERROR_DNS_GSS_ERROR
     * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.BOQ9TZ -U Administrator ads keytab create
    Enter Administrator's password:
     * /usr/bin/systemctl enable winbind.service
    Created symlink /etc/systemd/system/multi-user.target.wants/winbind.service → /usr/lib/systemd/system/winbind.service.
     * /usr/bin/systemctl restart winbind.service
     * /usr/bin/sh -c /usr/bin/authselect select winbind with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
    Backup stored at /var/lib/authselect/backups/2018-12-12-13-02-53.5m7IaQ
    Profile "winbind" was selected.
    The following nsswitch maps are overwritten by the profile:
    - passwd
    - group
    Make sure that winbind service is configured and enabled. See winbind documentation for more information.
    - with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module is present and oddjobd service is enabled
      - systemctl enable oddjobd.service
      - systemctl start oddjobd.service
     * Successfully enrolled machine in realm

2. Verify winbind is used in user and group lookup

    [root@vm-idm-033 ~]# cat /etc/nsswitch.conf | grep winbind
    passwd: files winbind systemd
    group: files winbind systemd
    [root@vm-idm-033 samba]# getent passwd JUNO\\Administrator
    JUNO\administrator:*:2000500:2000513::/home/administrator@JUNO:/bin/bash
    [root@vm-idm-033 samba]# getent passwd JUNO\\foobar1
    JUNO\foobar1:*:2004482:2000513::/home/foobar1@JUNO:/bin/bash
    [root@vm-idm-033 samba]# getent passwd JUNO\\foobar2
    JUNO\foobar2:*:2004661:2000513::/home/foobar2@JUNO:/bin/bash
    [root@vm-idm-033 samba]# getent group JUNO\\"Domain Users"
    JUNO\domain users:x:2000513:
    [root@vm-idm-033 samba]# getent group JUNO\\"foobargroup1"
    JUNO\foobargroup1:x:2013563:
    [root@vm-idm-033 samba]# getent group JUNO\\"foobargroup2"
    JUNO\foobargroup2:x:2013564:

3. List all Domains

    [root@vm-idm-033 ~]# wbinfo --all-domains
    BUILTIN
    VM-IDM-033
    JUNO
    JUPITER

4. Create a samba share1

    [root@vm-idm-033 ~]# testparm
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Processing section "[share1]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER

    Press enter to see a dump of your service definitions

    # Global parameters
    [global]
        kerberos method = system keytab
        realm = JUNO.TEST
        security = ADS
        template homedir = /home/%U@%D
        template shell = /bin/bash
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        workgroup = JUNO
        idmap config * : range = 10000-999999
        idmap config juno : schema_mode = rfc2307
        idmap config juno : backend = ad
        idmap config juno : range = 2000000-2999999
        idmap config * : backend = tdb

    [share1]
        comment = test share1
        path = /mnt/samba/share1
        read only = No

5. Do kinit as foobar1 user and verify can access share1 using smbclient

    [root@vm-idm-033 ~]# smbclient -k -L //VM-IDM-033

        Sharename       Type      Comment
        ---------       ----      -------
        share1          Disk      test share1
        IPC$            IPC       IPC Service (Samba 4.9.1)
    Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
    [root@vm-idm-033 ~]# klist
    Ticket cache: KCM:0
    Default principal: foobar1

    Valid starting       Expires              Service principal
    12/12/2018 18:46:37  12/13/2018 04:46:37  krbtgt/JUNO.TEST
        renew until 12/19/2018 18:46:37
    12/12/2018 18:51:29  12/13/2018 04:46:37  cifs/VM-IDM-033
        renew until 12/19/2018 18:46:37
    [root@vm-idm-033 ~]#
    [root@vm-idm-033 ~]# smbclient -k //VM-IDM-033/share1
    Try "help" to get a list of possible commands.
    smb: \> ls
      .                                   D        0  Wed Dec 12 18:00:47 2018
      ..                                  D        0  Wed Dec 12 18:00:08 2018
      pgroup1                             D        0  Wed Dec 12 18:00:44 2018
      pgroup2                             D        0  Wed Dec 12 18:00:47 2018

            38700584 blocks of size 1024. 36448588 blocks available
    smb: \> cd pgroup1
    smb: \pgroup1\> ls
      .                                   D        0  Wed Dec 12 18:00:44 2018
      ..                                  D        0  Wed Dec 12 18:00:47 2018

            38700584 blocks of size 1024. 36448588 blocks available

6. Do kinit as foobar2 user and verify can access share1 using smbclient

    [root@vm-idm-033 ~]# echo "Secret123" | kinit foobar2
    Password for foobar2:
    [root@vm-idm-033 ~]# klist
    Ticket cache: KCM:0
    Default principal: foobar2

    Valid starting       Expires              Service principal
    12/12/2018 18:53:08  12/13/2018 04:53:08  krbtgt/JUNO.TEST
        renew until 12/19/2018 18:53:08
    [root@vm-idm-033 ~]# smbclient -k //VM-IDM-033/share1
    Try "help" to get a list of possible commands.
    smb: \> ls
      .                                   D        0  Wed Dec 12 18:00:47 2018
      ..                                  D        0  Wed Dec 12 18:00:08 2018
      pgroup1                             D        0  Wed Dec 12 18:00:44 2018
      pgroup2                             D        0  Wed Dec 12 18:00:47 2018

            38700584 blocks of size 1024. 36448580 blocks available
    smb: \> cd pgroup2
    smb: \pgroup2\> ls
      .                                   D        0  Wed Dec 12 18:00:47 2018
      ..                                  D        0  Wed Dec 12 18:00:47 2018

            38700584 blocks of size 1024. 36448580 blocks available

Access pgroup1 and pgroup2 folder using cifs from share1 using foobar1 and foobar2

    [root@vm-idm-033 ~]# sh -x a.sh
    + echo Secret123
    + kinit foobar1
    Password for foobar1:
    + mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar1 //VM-IDM-033/share1 /abc
    + ls -l /abc/pgroup1
    total 0
    + umount /abc
    + kdestroy -A
    + kinit foobar2
    + echo Secret123
    Password for foobar2:
    + mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar2 //VM-IDM-033/share1 /abc
    + ls -l /abc/pgroup2
    total 0
    + umount /abc
    + kdestroy -A
    [root@vm-idm-033 ~]# sh -x a.sh
    + kinit foobar1
    + echo Secret123
    Password for foobar1:
    + mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar1 //VM-IDM-033/share1 /abc
    + ls -l /abc/pgroup1
    total 0
    + umount /abc
    + kdestroy -A
    + echo Secret123
    + kinit foobar2
    Password for foobar2:
    + mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar2 //VM-IDM-033/share1 /abc
    + ls -l /abc/pgroup2
    total 0
    + umount /abc
    + kdestroy -A

Any update on this bz? Any timeline on when the bug will be fixed?

Upstream ticket: https://pagure.io/SSSD/sssd/issue/4005

master: 30734e5
sssd-1-16: e673478

Version:
=========

    samba-client-libs-4.10.4-1.el8.x86_64
    samba-common-tools-4.10.4-1.el8.x86_64
    samba-winbind-4.10.4-1.el8.x86_64
    samba-common-4.10.4-1.el8.noarch
    samba-common-libs-4.10.4-1.el8.x86_64
    samba-libs-4.10.4-1.el8.x86_64
    samba-client-4.10.4-1.el8.x86_64
    samba-winbind-modules-4.10.4-1.el8.x86_64
    samba-4.10.4-1.el8.x86_64
    samba-winbind-clients-4.10.4-1.el8.x86_64
    sssd-libwbclient-2.2.0-5.el8.x86_64
    sssd-common-2.2.0-5.el8.x86_64
    sssd-ad-2.2.0-5.el8.x86_64
    sssd-client-2.2.0-5.el8.x86_64
    sssd-winbind-idmap-2.2.0-5.el8.x86_64
    sssd-krb5-common-2.2.0-5.el8.x86_64
    sssd-dbus-2.2.0-5.el8.x86_64
    sssd-ipa-2.2.0-5.el8.x86_64
    sssd-ldap-2.2.0-5.el8.x86_64
    sssd-proxy-2.2.0-5.el8.x86_64
    sssd-tools-2.2.0-5.el8.x86_64
    sssd-kcm-2.2.0-5.el8.x86_64
    sssd-nfs-idmap-2.2.0-5.el8.x86_64
    sssd-common-pac-2.2.0-5.el8.x86_64
    sssd-krb5-2.2.0-5.el8.x86_64
    sssd-2.2.0-5.el8.x86_64
    python3-sssdconfig-2.2.0-5.el8.noarch

1. Join Host to Windows AD using realm using samba as membership software

    echo "Secret123" | realm join -v CYGNUS.TEST --membership-software=samba

2. Configure smb.conf as shown below:

    [global]
    security = ads
    workgroup = CYGNUS
    realm = CYGNUS.TEST
    kerberos method = system keytab
    client use spnego = yes
    netbios name = ci-vm-10-0-145-
    log file = /var/log/samba/log.%m
    max log size = 500
    log level = 10
    idmap config CYGNUS : backend = sss
    idmap config CYGNUS : range = 200000-2147483647
    idmap config * : backend = tdb
    idmap config * : range = 100000-199999

    [share1]
    path = /mnt/samba/share1
    comment = test share1
    writable = yes
    printable = no

3. Create 2 directories under /mnt/samba/share1, pgroup1 and pgroup2

4. Create 2 groups foobargroup1 and foobargroup2 in Windows AD

5. Create 2 users foobar1 and foobar2 and make them members of foobargroup1 and foobargroup2 respectively

6. Set permissions of pgroup1 (/mnt/samba/share1/pgroup1) so that only members of foobargroup1 can access

7. Set permissions of pgroup2 (/mnt/samba/share1/pgroup2) so that only members of foobargroup2 can access

    [root@ci-vm-10-0-145-198 ~]# ls -ldZ /mnt/samba/share1
    drwxrws---. 4 root domain users unconfined_u:object_r:samba_share_t:s0 36 Aug 5 02:43 /mnt/samba/share1
    [root@ci-vm-10-0-145-198 ~]# ls -lZ /mnt/samba/share1
    total 0
    drwxrwx---. 2 root foobargroup1 unconfined_u:object_r:samba_share_t:s0 6 Aug 5 02:43 pgroup1
    drwxrwx---. 2 root foobargroup2 unconfined_u:object_r:samba_share_t:s0 6 Aug 5 02:43 pgroup2

8. Create a script as shown below which logs in as user foobar1 and foobar2 and accesses the share,

    [root@ci-vm-10-0-145-198 ~]# cat smbtest.sh
    echo "Secret123" | kinit foobar1
    mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar1 //ci-vm-10-0-145-/share1 /abc
    ls -l /abc/pgroup1
    umount /abc
    kdestroy -A
    echo "Secret123" | kinit foobar2
    mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar2 //ci-vm-10-0-145-/share1 /abc
    ls -l /abc/pgroup2
    umount /abc
    kdestroy -A

9. Run the above script and should notice no permission denied when trying to access the shares

    [root@ci-vm-10-0-145-198 ~]# sh -x ./smbtest.sh
    + echo Secret123
    + kinit foobar1
    Password for foobar1:
    + mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar1 //ci-vm-10-0-145-/share1 /abc
    + ls -l /abc/pgroup1
    total 0
    + umount /abc
    + kdestroy -A
    + kinit foobar2
    + echo Secret123
    Password for foobar2:
    + mount -t cifs -o cifsacl -o vers=1.0 -o sec=krb5 -o username=foobar2 //ci-vm-10-0-145-/share1 /abc
    + ls -l /abc/pgroup2
    total 0
    + umount /abc
    + kdestroy -A

10. Run the script multiple times and no permission denied errors were noticed.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3651