[Samba] cifs-utils change between Debian Bullseye (6.11) and Debian Bookworm (7.0)

James Zuelow james.zuelow at juneau.gov
Tue Jun 27 21:55:53 UTC 2023


I have several Linux machines that mount a share on a Windows Server 2012 R2 (I know, it's old, it's on the list!) server for backup purposes using mount.cifs and fstab.

The fstab definition looks like this:

//server.domain.local/linux/             /root/backup   cifs    acl,rw,user,noauto,credentials=/home/bu/.nt/creds,vers=3.0  0    0



And the creds file looks like this:



username=L_Backup
password=PASSWORD
domain=NETBIOS

Additionally the L_Backup user has the userWorkstations attribute set in Active Directory, with the IP addresses (not NetBIOS names) of the machines it should be connecting from.



This works perfectly for Bullseye machines.  Any Linux machine with an IP address listed in userWorkstations connects and disconnects to the network share without trouble.

(ii  cifs-utils     2:6.11-3.1+deb11u1 amd64        Common Internet File System utilities)



This does not work for Bookworm machines.  No Bookworm machine can connect to the share.

(ii  cifs-utils     2:7.0-2      amd64        Common Internet File System utilities)



With Bookworm machines, I get an error -13 invalid workstation error in dmesg/syslog.  That led me to the SMBServer security log on the file server in question, which generates an event 551 SMB Session Authentication Failure.

That error looks like this:

Client Name: \\192.168.22.166
Client Address:  192.168.22.166:34230
User Name:
Session ID: 0x883BC000305
Status: The user account is restricted such that it may not be used to log on from the source workstation. (0xC0000070)



(I noticed the user name field was blank, but see below.)



Because the error refers to user restrictions, and the userWorkstations field is active for the L_Backup account, I tried explicitly setting the NetBIOS name in fstab and ensuring that the same name was in the userWorkstations field, but that didn't work.  The fstab definition changed to:


//server.domain.local/linux/             /root/backup   cifs    acl,rw,user,noauto,netbiosname=linux_server,credentials=/home/bu/.nt/creds,vers=3.0     0    0    0



Specifying netbiosname did not work.  (The NetBIOS name was already set in smb.conf anyway, but I'm not sure whether that would affect the mount at all.)  I rolled that change back.  I then tried specifying SMB3 instead of CIFS:



//server.domain.local/linux/             /root/backup   smb3    acl,rw,user,noauto,credentials=/home/bu/.nt/creds,vers=3.0  0    0


Specifying SMB3 instead of CIFS had no effect I could see.



The only effective solution I found is to clear the userWorkstations attribute for the service account in Active Directory.  So even though the event 551 is logging a blank user name, changing that attribute for the L_Backup account DOES resolve the issue - I assume the blank field is just a Microsoft logging issue as the server certainly knows which account is being used to access the share.  However, clearing the userWorkstations field leaves the service account with the ability to log onto arbitrary workstations, which I would like to avoid.

I've been so far unable to find a changelog or documentation describing any change in how mount.cifs may have changed how it reports workstations.  Even though the Microsoft documentation says that the userWorkstations attribute should be a list of NetBIOS names, I've used IP addresses successfully for years - and the Bullseye machines can still connect with IP addresses in the userWorkstations field.

I assume I'm missing an important piece of documentation somewhere, possibly in the main Samba documentation and not specifically in mount.cifs docs.  Can you point me in the right direction for a proper fix?

Thanks!



James Zuelow
Systems Operations Manager
City and Borough of Juneau Information Technology
(907) 586-5295 x4212
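
Added example, not part of the original post: in NTLM authentication the client states a workstation name in the Workstation field of its NTLMSSP AUTHENTICATE message (MS-NLMP), so one way to see what a given client reports is to parse that field from a captured session setup and compare it with the userWorkstations value. The sample message is constructed, and the helper names, the cp437 OEM fallback and the case-insensitive literal list match are assumptions; how the server treats a blank name is not modelled.

```python
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE flag

def _field(msg, off):
    """Read a (Len, MaxLen, BufferOffset) descriptor and return its payload."""
    length, _maxlen, buf_off = struct.unpack_from("<HHI", msg, off)
    if buf_off + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[buf_off:buf_off + length]

def parse_authenticate(msg):
    """Return domain, user and workstation from an AUTHENTICATE_MESSAGE."""
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE_MESSAGE (type 3)")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM: assumed
    # Descriptor offsets per MS-NLMP: DomainName=28, UserName=36, Workstation=44
    return {name: _field(msg, off).decode(enc)
            for name, off in (("domain", 28), ("user", 36), ("workstation", 44))}

def workstation_listed(workstation, user_workstations):
    """Literal, case-insensitive membership in a comma-separated attribute
    value. An empty attribute means no restriction is configured."""
    allowed = [w.strip().lower() for w in user_workstations.split(",") if w.strip()]
    return not allowed or workstation.lower() in allowed

def build_sample(domain, user, workstation):
    """Constructed message: empty LM/NT responses and session key."""
    payload, descs, off = b"", [], 64
    for s in (domain, user, workstation):
        raw = s.encode("utf-16-le")
        descs.append(struct.pack("<HHI", len(raw), len(raw), off))
        payload += raw
        off += len(raw)
    empty = struct.pack("<HHI", 0, 0, off)
    return (NTLMSSP_SIG + struct.pack("<I", 3) + empty + empty + b"".join(descs)
            + empty + struct.pack("<I", NEGOTIATE_UNICODE) + payload)

if __name__ == "__main__":
    sample = build_sample("NETBIOS", "L_Backup", "linux_server")  # constructed
    fields = parse_authenticate(sample)
    attr = "192.168.22.166"  # attribute value holding only an IP address
    print(fields, "listed:", workstation_listed(fields["workstation"], attr))
```

The bytes to feed `parse_authenticate` are the NTLMSSP token carried in the second SMB2 SESSION_SETUP request of a packet capture.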











