From euhus-liste1 at rrzn.uni-hannover.de Wed Jun 10 06:28:15 2015 From: euhus-liste1 at rrzn.uni-hannover.de (Robert Euhus) Date: Wed, 10 Jun 2015 14:28:15 +0200 Subject: [linux-cifs-client] Can't mount domain share any more -> "mount error(112): Host is down" ; smbclient works with '-m SMB3' Message-ID: <55782D5F.5030906@rrzn.uni-hannover.de> Hello, I have a strange problem: Suddenly I can not mount our domain shares any more, but browsing with smbclient works, if I specify '-m SMB3'. After an update to out domain controller (Windosw Server 2012) which also serves the shares, I can not mount the shares anymore. I am usually using Kerberos-Tickets to mount the shares. If I do not use Kerberos-Authentification I was able to mount the shares explicitly specifying 'vers=2.0'. I also had problems authenticating against the AD with Winbind, which went away when I specified the following in /etc/samba/smb.conf: > client max protocol = smb3_00 Even though from the man page this should be the default anyway. Here is an overview over what works and what does not: This does not work: > mount.cifs //mydom-dc1.mydom.intern/groups /mnt/groups -o sec=krb5i,multiuser > mount error(112): Host is down The same result without the 'multiuser' option. > mount.cifs //mydom-dc1.mydom.intern/groups /mnt/groups -o username=myuser > Password for myuser@//mydom-dc1.mydom.intern/groups: *********** > mount error(112): Host is down But this works: > mount.cifs //mydom-dc1.mydom.intern/groups /mnt/groups -o username=myuser,vers=2.0 > Password for myuser@//mydom-dc1.mydom.intern/groups: *********** In short: mounting with Kerberos is completely broken, without Kerberos it can be made to work again. I really need the Kerberos multiuser mount. The same pattern with smbclient: if no max-protocol is specified, then the command fails: > smbclient -U myuser //mydom-dc1.mydom.intern/groups > Enter myuser's password: > protocol negotiation failed: NT_STATUS_CONNECTION_RESET But this works: > smbclient -U myuser //mydom-dc1.mydom.intern/groups -m SMB3 > Enter myuser's password: > Domain=[MYDOM] OS=[] Server=[] > smb: \> The smbclient command works as well, if 'client max protocol = smb3' is specified in /etc/samba/smb.conf. Strangely specifying the '-m SMB3' before the share, as listed in the man page does not work: > smbclient -m SMB3 -U myuser //mydom-dc1.mydom.intern/groups > Enter myuser's password: > session setup failed: NT_STATUS_LOGON_FAILURE We also had a problem with one OSX-client, which had explicitly specified to use SMB1 only, but this problem went away, after removing this non-default option. The problems mentioned above were occurred on a Debian Jessie and an Ubuntu 14.04 install. On a Debian-Squeeze I could not get Winbind to work again by specifying a 'client max protocol'. I would be grateful for any hint on what to look for, since I am completely out of ideas. Thanks a lot, Robert Euhus