[linux-cifs-client] Mounting CIFS gives me permission denied
Steven French
sfrench at us.ibm.com
Tue Oct 12 22:08:58 GMT 2004
Some explanations as to what is going on.
1) smbclient -L (without specifying the domain) works because smbclient
supports signing as well as both kerberos and ntlmv2 and the default
domain is good enough
2) "smbclient -L 192.168.1.2 -U na/HOMEXCORP" fails (probably) because
your domain name and user name are backwards in the -U
3) smbmount (smbfs) fails because it doesn't implement signing (which is
one of the reasons that I wrote cifs vfs in the first place, to add to the
kernel, enough code to do security functions such as signing, rather than
relying on userspace smb client libraries which are awkward to get at when
processing every frame)
4) mount -t cifs probably fails because the server is configured so that
either
a) Kerberos is required (CIFS SPNEGO implementation is not
complete so can not handle
kerberized session setup - yet)
or
b) NTLMv2 is required (CIFS support for NTLMv2 is turned off by
default in /proc/fs/cifs/
because AFAIK it is not well tested)
or
c) plaintext paswords or old lanman password hashes are required
(these are too insecure - and
the cifs vfs will refuse to negotiate them)
or
d) your client's hostname (but not the ip address) is explicitly
allowed in the workstations
allowed list on the server but the cifs vfs does not send the
client's netbios name unless
you connect via the older netbios-over-tcp port 139 (and
"netbiosname=workstation_name"
was not passed over -o on the client mount).
or
e) that share can only be mounted by administrators not by the
user that you tried
We might be able to rule out 4b (NTLMv2 required) if extended security
were enabled in /proc but this will only work to WindowsXP and 2000
clients - or servers not in a domain - since they will then negotiate "raw
ntlmssp" which cifs does support rather than spnego which it does not).
In any case tracing on port 445 and 139 is quite similar and it does not
much matter which end you trace on there are similar tools available on
each.
Also note that if this is a windows server they have an audit or security
event log (I forget what it is called) which may tell you what is going on
- see System Tools -> Event Viewer -> Security on the server if it is a
windows server - obviously with Samba you have more detailed info you can
get by looking at log.smbd
Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at-sign us dot ibm dot com
-------------- next part --------------
HTML attachment scrubbed and removed
More information about the linux-cifs-client
mailing list