[linux-cifs-client] Mounting CIFS gives me permission denied

Neil Aggarwal neil at JAMMConsulting.com
Wed Oct 13 21:42:40 GMT 2004


Steve:

Thank you for your help so far.

Regarding 2), I switched the -U to HOMEXCORP/na and it worked fine.

Regarding 4), I took a look at the event log on the Windows server, and 
here is what I am seeing when I get a login failure:
  Logon Failure:
	Reason:			Unknown user name or bad password
	User Name:		na
	Domain:			HOMEXCORP
	Logon Type:		3
	Logon Process:		NtLmSsp
	Authentication Package:	NTLM
	Workstation Name:	\\192.168.1.1

It looks like the Windows server is getting the correct user
name and domain name, but the workstation name is the IP
address of the Linux box.  I wonder if that is the problem.

When I tried the mount with this:
	mount.cifs //192.168.1.2/GDrive /mnt/GDrive 
		-o "user=na,domain=HOMEXCORP,netbios name=linux"

I still get the Workstation Name as \\192.168.1.1 which is
not a computer in the active directory.  I think this may be
the problem.  How do I get the computer to use linux as the
workstation name?

Also, when I did:
	echo 1 > ExtendedSecurity 
in the /proc/fs/cifs directory, I get a segmentation fault when
I try the mount.cifs command.  Is that a problem?

Thanks,
	Neil

--
Neil Aggarwal, JAMM Consulting, (972)612-6056, www.JAMMConsulting.com

-----Original Message-----
From: linux-cifs-client-bounces+neil=jammconsulting.com at lists.samba.org
[mailto:linux-cifs-client-bounces+neil=jammconsulting.com at lists.samba.org]
On Behalf Of Steven French
Sent: Tuesday, October 12, 2004 5:09 PM
To: Neil Aggarwal
Cc: linux-cifs-client at lists.samba.org
Subject: RE: [linux-cifs-client] Mounting CIFS gives me permission denied



Some explanations as to what is going on. 

1) smbclient -L (without specifying the domain) works because smbclient
   supports signing as well as both Kerberos and NTLMv2, and the default
   domain is good enough.
2) "smbclient -L 192.168.1.2 -U na/HOMEXCORP" fails (probably) because your
   domain name and user name are backwards in the -U.
3) smbmount (smbfs) fails because it doesn't implement signing (which is one
   of the reasons that I wrote cifs vfs in the first place: to add to the
   kernel enough code to do security functions such as signing, rather than
   relying on userspace smb client libraries, which are awkward to get at
   when processing every frame).
4) mount -t cifs probably fails because the server is configured so that
   either
        a) Kerberos is required (CIFS SPNEGO implementation is not complete,
           so it cannot handle kerberized session setup - yet)
                or
        b) NTLMv2 is required (CIFS support for NTLMv2 is turned off by
           default in /proc/fs/cifs/ because AFAIK it is not well tested)
                or
        c) plaintext passwords or old lanman password hashes are required
           (these are too insecure - and the cifs vfs will refuse to
           negotiate them)
                or
        d) your client's hostname (but not the ip address) is explicitly
           allowed in the workstations allowed list on the server, but the
           cifs vfs does not send the client's netbios name unless you
           connect via the older netbios-over-tcp port 139 (and
           "netbiosname=workstation_name" was not passed over -o on the
           client mount)
                or
        e) that share can only be mounted by administrators, not by the
           user that you tried

We might be able to rule out 4b (NTLMv2 required) if extended security were
enabled in /proc, but this will only work to WindowsXP and 2000 clients - or
servers not in a domain - since they will then negotiate "raw ntlmssp", which
cifs does support, rather than spnego, which it does not.

In any case, tracing on port 445 and 139 is quite similar, and it does not
much matter which end you trace on; there are similar tools available on
each.

Also note that if this is a Windows server, they have an audit or security
event log (I forget what it is called) which may tell you what is going on -
see System Tools -> Event Viewer -> Security on the server if it is a
Windows server. Obviously, with Samba you have more detailed info you can
get by looking at log.smbd.

Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at-sign us dot ibm dot com
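
Added example, not part of either message above: a small Python triage script that parses a Logon Failure record of the shape quoted in the thread and relates its fields to the candidate causes in the reply, in particular 4d (workstation allowed list). The sample record is constructed from the values in the thread, and the finding codes are hypothetical labels chosen for this example.

```python
import ipaddress
import re

# Constructed sample: the fields of the Logon Failure record quoted in the thread.
SAMPLE_EVENT = """\
Logon Failure:
    Reason:                 Unknown user name or bad password
    User Name:              na
    Domain:                 HOMEXCORP
    Logon Type:             3
    Logon Process:          NtLmSsp
    Authentication Package: NTLM
    Workstation Name:       \\\\192.168.1.1
"""

def parse_event(text):
    """Return the 'Key: value' lines of a logon-failure record as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(\S.*)$", line)
        if m:  # the bare 'Logon Failure:' header has no value and is skipped
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def workstation_is_ip(name):
    """True when the workstation field is an IP literal rather than a host name."""
    try:
        ipaddress.ip_address(name.lstrip("\\"))
        return True
    except ValueError:
        return False

def diagnose(fields, user, domain):
    """Return (code, note) pairs; codes are hypothetical labels for this example."""
    out = []
    if (fields.get("user name"), fields.get("domain")) == (user, domain):
        out.append(("IDENTITY_OK", "server received the intended user and domain"))
    if fields.get("logon type") == "3":
        out.append(("NETWORK_LOGON", "type 3: failure happened during a network logon"))
    if fields.get("authentication package", "").upper() == "NTLM":
        out.append(("NTLM_PATH", "attempt was handled by the NTLM package"))
    if workstation_is_ip(fields.get("workstation name", "")):
        out.append(("WORKSTATION_IS_IP",
                    "workstation field is an IP, not a NetBIOS name: a hostname-based "
                    "workstation allow-list (cause 4d) cannot match this client"))
    return out

if __name__ == "__main__":
    for code, note in diagnose(parse_event(SAMPLE_EVENT), "na", "HOMEXCORP"):
        print(f"{code}: {note}")
```
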


