Page 1 of 2
Results 1 to 10 of 12

Thread: Join domain to use SMB filesystem?

  1. #1
    Join Date
    Jan 2008
    Beans
    11

    Join domain to use SMB filesystem?

    I have an Ubuntu 22.04.4 LTS system that I want to use an SMB filesystem on. I do not currently know for sure what OS the SMB server runs, or its version. nmap -sS -O thinks it's probably Windows Server 2016 or 2012.

    The SMB filesystem has many directories, but from what I've seen, they all have permissions of 755 or 711.

    The directories that have mode 755 all allow me to cd into them.

    The directories that are mode 711 do not allow me to cd into them. Depending on whether I try to cd to these as root or myself, I get "bash: cd: /mymount/somewhere/a: Operation not supported" or "bash: cd: /mymount/somewhere/a: Permission denied", respectively.

    This is inconsistent with what I would expect from an ext4 or other Linux-native filesystem, but that's not what this question is about.

    One of my autofs entries for the filesystem currently looks like:
    corp-Teams -fstype=cifs,rw,credentials=/etc/creds-corp ://example.com/somewhere
    I've tried other permutations of the options allowed - so many that it's impractical to list them all here. The above is the simplest one.

    Please note that I've obfuscated the hostname and paths for security.

    I'm wondering if I need to get my Linux system into the Windows domain to cd to /mymount/somewhere/a, where "a" is a mode 711 directory, or if there is a nicer (more Linux-native and/or simpler) way.

    For completeness, I'll mention that my /etc/creds-corp has two lines and looks like:
    username=me
    password=pw
    There's nothing about the domain in it, and I don't know whether there should be or not.

    Thanks!
    Last edited by dstromberg; July 23rd, 2024 at 12:42 AM.

  2. #2
    currentshaft
    Join Date
    May 2024
    Beans
    Hidden!

    Re: Join domain to use SMB filesystem?

    Can you chmod those directories to 0755 to see if they work then? Or do you not have remote access to the SMB system?
    Last edited by currentshaft; July 23rd, 2024 at 01:36 AM.

  3. #3
    Join Date
    Jan 2008
    Beans
    11

    Re: Join domain to use SMB filesystem?

    I do not have login access to the SMB server.
    Last edited by dstromberg; July 24th, 2024 at 09:18 PM.

  4. #4
    currentshaft
    Join Date
    May 2024
    Beans
    Hidden!

    Re: Join domain to use SMB filesystem?

    What happens if you just try to "ls" or "find" those directories instead of "cd"?

  5. #5
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Join domain to use SMB filesystem?

    Originally posted by currentshaft:
    > Can you chmod those directories to 0755 to see if they work then? Or do you not have remote access to the SMB system?

    chmod doesn't work on CIFS.

    > The directories that are mode 711 do not allow me to cd into them. Depending on whether I try to cd to these as root or myself, I get "bash: cd: /mymount/somewhere/a: Operation not supported" or "bash: cd: /mymount/somewhere/a: Permission denied", respectively.
    >
    > This is inconsistent with what I would expect from an ext4 or other Linux-native filesystem, but that's not what this question is about.

    711 means that only the owner of the directory can 'chdir' into it. That's how UNIX file permissions work. The cd command requires both execute AND read permissions, not just execute. Now, if you know the exact name of a file inside a directory that your user/group only has execute permissions on, you can access that file, assuming its permissions allow read, or run a compiled program (not a script), if read access to the file isn't not allowed.

    In short, it is working as designed. That's how Unix permissions are supposed to work. Local root usually gets translated to "nobody" on remote systems. It's a security thing. With NFS, you can enable/disable that mode. Allowing a remote root user root access for storage they don't own is terrible for security.

    Whether the CIFS manager requires AD credential or not is something only they can answer. In most corporate Windows environments, they would expect each system to be a member of their AD setup, which you cannot do. Only a Domain Admin can do that for your computer. I know this because I would remove my computer from AD while working at home, then have to call the help desk every week to get it re-added. The 2nd time this happened, they told me to stop doing it, which caused issues within my network. My workaround was pretty ugly. It was their computer and their job to manage it. I just preferred working from home (saving 90min in a car daily), so causing too many problems wasn't in my best interest.

  6. #6
    Join Date
    Dec 2009
    Beans
    6,795

    Re: Join domain to use SMB filesystem?

    Originally posted by dstromberg:
    > I have an Ubuntu 22.04.4 LTS system that I want to use an SMB filesystem on. I do not currently know for sure what OS the SMB server runs, or its version. nmap -sS -O thinks it's probably Windows Server 2016 or 2012.
    >
    > The SMB filesystem has many directories, but from what I've seen, they all have permissions of 755 or 711.
    >
    > The directories that have mode 755 all allow me to cd into them.
    >
    > The directories that are mode 711 do not allow me to cd into them. Depending on whether I try to cd to these as root or myself, I get "bash: cd: /mymount/somewhere/a: Operation not supported" or "bash: cd: /mymount/somewhere/a: Permission denied", respectively.

    It's been a while since I've used autofs directly, but cifs should still operate normally, and that is a curious set of symptoms.

    mount.cifs creates a virtual filesystem on the client machine and can have any permissions you want it to have - on the client.

    > I've tried other permutations of the options allowed - so many that it's impractical to list them all here. The above is the simplest one.

    Have you tried this combination:

    Code:
    corp-Teams -fstype=cifs,uid=1000,dir_mode=0755,file_mode=0644,nounix,nodfs,rw,credentials=/etc/creds-corp ://example.com/somewhere

    The domain access question depends on the server setup and is a bit above my pay grade, but if you can access the shares that have 755 permissions this may not be the impediment.

  7. #7
    currentshaft
    Join Date
    May 2024
    Beans
    Hidden!

    Re: Join domain to use SMB filesystem?

    Originally posted by TheFu:
    > 711 means that only the owner of the directory can 'chdir' into it. That's how UNIX file permissions work.

    I don't think so. You should check your work before committing to something so confidently incorrect. Being a self-proclaimed Unix expert of many decades, I expect more out of you.

    A chmod of 711 means the owner can do anything, while group and other can execute. Here, I will demonstrate:

    mkdir foo
    chmod 0711 foo
    sudo chown root:root foo
    stat foo | grep Access
    Access: (0711/drwx--x--x) Uid: ( 0/ root) Gid: ( 0/ root)

    And guess what? You can cd into the directory.

    What you can't do is list it, because that would require the read permission.

  8. #8
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Join domain to use SMB filesystem?

    Originally posted by currentshaft:
    > I don't think so. You should check your work before committing to something so confidently incorrect. Being a self-proclaimed Unix expert of many decades, I expect more out of you.
    >
    > A chmod of 711 means the owner can do anything, while group and other can execute. Here, I will demonstrate:
    >
    > mkdir foo
    > chmod 0711 foo
    > sudo chown root:root foo
    > stat foo | grep Access
    > Access: (0711/drwx--x--x) Uid: ( 0/ root) Gid: ( 0/ root)
    >
    > And guess what? You can cd into the directory.
    >
    > What you can't do is list it, because that would require the read permission.

    You are technically correct. Thanks for pointing that out. Sometimes we simplify answers for the audience. I must admit, I was assuming a GUI user using a browser to point-n-click into a directory. Yes, the OP said he was using cd - I saw that, but my brain ignored it completely. However, if you don't test using CIFS only, network-only access, not being local to the file system, then root doesn't matter, unless the network share team allows it. God I hope they don't.

    What's the use in a chdir if you can't see anything inside the directory?

    Now, Morbius1 probably knows more about CIFS (MSFT version) than anyone else here. I use autofs, constantly. autofs supports all the options that a normal 'mount' would support. file_mode=0664,dir_mode=0775 are definitely supported. In home setups, the mapping of Windows to Unix usernames/groupnames is controlled by the uid=,gid= and credentials= options. The uid/gid options support either Unix uid/gid or usernames/groupnames, which is convenient.

    In one of my autofs config files, I have this:
    Code:
    winult  -fstype=cifs,iocharset=utf8,rw,vers=2.1,uid=tf,gid=tf,file_mode=0664,dir_mode=0775,credentials=/etc/samba/winlap-D.credentials  ://172.22.22.8/Data
    That mounts the "Data" share from a Windows computer into "/D/winult". But my home Windows system doesn't use or have AD. The "/D/winult" is determined from 2 different autofs files. The "winult" is from the beginning of the line above. The "/D/" part is in the auto.master that refers to the auto.Data file containing the line above. This method is one of the confusing things in Unix that isn't expected, but has been that way for 20+ yrs.

    Anyway, hope a concrete example helps. There are others in these forums.

    BTW, I used to use the DNS name for the CIFS server, but MSFT broke that at some point and I got tired of fighting it, hence the IP address is used. Also, vers 2.1 is the highest level supported by my box. We all know what that means, but if the OP's share is from 2012, he will likely need to use a specific version as well. Let me look up the nmap command to probe for the exact CIFS version supported.
    Code:
    $ sudo nmap --script smb-protocols 172.22.22.8
    Very handy. You'll see after running it.

  9. #9
    Join Date
    Jan 2008
    Beans
    11

    Re: Join domain to use SMB filesystem?

    I've tried ls, find and tree.

    ls reports:
    This one depends on the day, but a reboot may have helped it. Anyway today, I get:
    For a 711 directory:
    ls: cannot open directory 'MDT_Backup': Permission denied
    For a 755 directory:
    A proper ls

    find reports:
    $ find directory -maxdepth 1 -ls
    below cmd output started 2024 Thu Jul 25 03:20:49 PM PDT
    5383 0 drwx--x--x 2 root root 0 Jul 25 15:20 directory
    find: 'directory': Permission denied
    above cmd output done 2024 Thu Jul 25 03:20:50 PM PDT

    tree reports:
    either a directory, or "error opening dir"

    All report errors with the 711 directories, and not the 755 directories.

    Based on that, it is sounding to me like I'm being mapped to some user other than me.

  10. #10
    Join Date
    Jan 2008
    Beans
    11

    Re: Join domain to use SMB filesystem?

    > What's the use in a chdir if you can't see anything inside the directory?

    Some people will create a 755 directory inside a 711 directory, to avoid people being able to discover the presence of the 755 one.

    One relatively common such use is on an anonymous ftp server.
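
Added example, not part of any post in this thread: a small Python model of the Unix permission check debated in posts #7 and #10, showing that a non-owner can enter a 711 directory but not list it, and that a 755 directory inside it is reachable by name yet cannot be found by enumeration. The tree, uid 1000 and all function names are constructed for illustration; privileged bypass (local root) and server-side CIFS ACLs are not modelled.

```python
# Constructed example tree (not the thread's server): path -> (mode, uid, gid)
TREE = {
    "/srv":             (0o755, 0, 0),
    "/srv/ftp":         (0o711, 0, 0),  # search (x) only for group/other
    "/srv/ftp/dropbox": (0o755, 0, 0),  # 755 directory inside the 711 one
    "/srv/ftp/private": (0o700, 0, 0),
}
R, X = 4, 1  # read and search bits within one rwx triplet


def triplet(path, uid, gids):
    """Pick the single rwx triplet that applies: owner, else group, else other."""
    mode, owner, group = TREE[path]
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7


def ancestors(path):
    """Yield every modelled directory above path, top down."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        yield "/" + "/".join(parts[:i])


def check(path, uid, gids):
    """cd needs x on every ancestor and on path; ls needs x on every ancestor and r on path."""
    reach = all(triplet(a, uid, gids) & X for a in ancestors(path))
    bits = triplet(path, uid, gids)
    return {"cd": bool(reach and bits & X), "ls": bool(reach and bits & R)}


def discoverable(uid, gids, root="/srv"):
    """Paths found by enumeration alone: descend only through listable dirs."""
    found, todo = set(), [root]
    while todo:
        d = todo.pop()
        found.add(d)
        if check(d, uid, gids)["ls"]:
            todo += [p for p in TREE if p.rsplit("/", 1)[0] == d]
    return found


if __name__ == "__main__":
    for p in sorted(TREE):
        print(p, check(p, 1000, {1000}))
    print("discoverable:", sorted(discoverable(1000, {1000})))
```

In this model the 755 directory stays fully usable by anyone who already knows or guesses its name, so the 711 parent hides the name only and is not an access control on the contents.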
