SMBmount conspiracy

Kozakoff,Stephen J kozaksj at ufl.edu
Wed Jul 25 13:20:41 UTC 2007 

I have the same setup - win2k3/RHEL ES4

My local security policy settings are like this:

In Local Security Settings navigate to:
Local Policies >> Local Policies >> Security Options

Microsoft network client - digitally sign communications (always) -
DISABLED
Microsoft network client - digitally sign communications (if server
agrees) - ENABLED
Microsoft network server - digitally sign communications (always) -
DISABLED
Microsoft network server - digitally sign communications (if server
agrees) - DISABLED 

Also, check the permissions for the user you are using to logon. Make
sure the user is not directly or indirectly (through group membership)
being "denied" read access to the files. Deny permissions take precedent
over all other permissions in Windows.

Turn on Auditing:
In Local Security Settings navigate to:
Local Policies >> Audit Policy
Set Audit Object Access == Failure

Next turn on auditing of Read events on the folder you are accessing.

Now you can check the Security event log to see if you can gleen why
access is being denied.

HTH.

-Steve

-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Darrel Barton
Sent: Wednesday, July 25, 2007 12:11 AM
To: redhat-list at redhat.com
Subject: SMBmount conspiracy

I have aquariums, both freshwater and marine, so I do a lot of water 
tests.  These are the tests where you fill a vial of the water, put in
some 
drops and wait for the solution to turn a certain color ... then you
match 
the color against a chart.   Part of our hobby is the running complaint 
that we get these BEAUTIFUL colors in the vial .... perfect in EVERY way

..... except they bear no relation or resemblance to the colors on the 
chart.  I personally know 15 people that have ALL noticed the same
thing, 
with the same kit ... yet somehow the manufacturer claims that they've 
never, ever, EVER heard of this before.

So it' not just computers.

I have Red Hat Enterprise Linux ES release 4 (Nahant) Kernel
2.6.9-5.ELsmp 
on an i686    And I'm trying to connect to a Windows 2003 Server (not 
domain controller) as a shared file using EITHER ONE of the following 
command lines:

#smbmount //img1/docs /home/documents -o 
dmask=777,fmask=0444,gid=100,uid=501,username=documents,password=passd 

  -or- 

#mount -t cifs //img1/docs /home/documents -o 
dir_mode=0777,file_mode=0444,gid=100,uid=501,username=documents,password
=passd 


In EITHER case the mount succeeds and I can CD to the directory and all
the 
subdirectories underneath and LS each and every file with no 
problem.  Until I try to read, copy or move the file itself ... in which

case I get

cp: 10000099.TIF: read error: Permission denied

But I can actually log into the Win2003 system as that user and all my 
permissions on the directories are fine.

So I hit the net and the docs and the forums and everyone says that
Windows 
2003 has a problem with digital signing.  Even Red Hat has an errata on
it, 
saying
Local Policies - Security Options - Microsoft network client - digitally

sign communications (always) - DISABLED
Local Policies - Security Options - Microsoft network client - digitally

sign communications (if server agrees) - DISABLED
Local Policies - Security Options - Microsoft network server - digitally

sign communications (always) - DISABLED
Local Policies - Security Options - Microsoft network server - digitally

sign communications (if server agrees) - DISABLED

Well ... two problems
1) That Eratta talks about CONNECTION failing ... not read errors.
-and-
2) There AIN'T NO SUCH entry on my Windows 2003!!

Under administrative tools  -> local security policy --> Security
settings 
->local policies -> security
I have "digitally sign client communications (always)" and the same with

(when possible) and then two more for "server" communications.

Close enough, right?

So I change those & reboot
No difference
So I run regedit & search & change EVERY similar setting & reboot
No difference.

Since the mount works (either one) and all the directory traversals work

just fine ... it will probably comes as no surprise to you that (A) no
log 
file anywhere contains any relevant messages and (B) the DEBUG functions

don't work because they MOUNT worked just fine.

Oh yeah ... and  smbclient  works JUST FINE until I find a file and
attempt 
to GET that file ... then I get NT_STATUS_ACCESS_DENIED


I'm sure it's a Windows problem (it usually is) ... but I'm wondering if

anyone has seen THIS PARTICULAR color (error) before?

More information about the redhat-list mailing list