[linux-cifs-client] Can't mount domain share any more -> "mount error(112): Host is down" ; smbclient works with '-m SMB3'

Robert Euhus euhus-liste1 at rrzn.uni-hannover.de
Wed Jun 10 06:28:15 MDT 2015 

Hello,

I have a strange problem: Suddenly I can not mount our domain shares any
more, but browsing with smbclient works, if I specify '-m SMB3'.

After an update to out domain controller (Windosw Server 2012) which
also serves the shares, I can not mount the shares anymore. I am usually
using Kerberos-Tickets to mount the shares.

If I do not use Kerberos-Authentification I was able to mount the shares
explicitly specifying 'vers=2.0'.

I also had problems authenticating against the AD with Winbind, which
went away when I specified the following in /etc/samba/smb.conf:

> client max protocol = smb3_00

Even though from the man page this should be the default anyway.


Here is an overview over what works and what does not:

This does not work:

> mount.cifs //mydom-dc1.mydom.intern/groups /mnt/groups -o sec=krb5i,multiuser
> mount error(112): Host is down

The same result without the 'multiuser' option.

> mount.cifs //mydom-dc1.mydom.intern/groups /mnt/groups -o username=myuser
> Password for myuser@//mydom-dc1.mydom.intern/groups:  ***********
> mount error(112): Host is down

But this works:

> mount.cifs //mydom-dc1.mydom.intern/groups /mnt/groups -o username=myuser,vers=2.0
> Password for myuser@//mydom-dc1.mydom.intern/groups:  ***********

In short: mounting with Kerberos is completely broken, without Kerberos
it can be made to work again. I really need the Kerberos multiuser mount.


The same pattern with smbclient: if no max-protocol is specified, then
the command fails:

> smbclient -U myuser //mydom-dc1.mydom.intern/groups 
> Enter myuser's password: 
> protocol negotiation failed: NT_STATUS_CONNECTION_RESET

But this works:

> smbclient -U myuser //mydom-dc1.mydom.intern/groups -m SMB3
> Enter myuser's password: 
> Domain=[MYDOM] OS=[] Server=[]
> smb: \> 

The smbclient command works as well, if 'client max protocol = smb3' is
specified in /etc/samba/smb.conf.

Strangely specifying the '-m SMB3' before the share, as listed in the
man page does not work:

> smbclient -m SMB3 -U myuser //mydom-dc1.mydom.intern/groups
> Enter myuser's password: 
> session setup failed: NT_STATUS_LOGON_FAILURE

We also had a problem with one OSX-client, which had explicitly
specified to use SMB1 only, but this problem went away, after removing
this non-default option.

The problems mentioned above were occurred on a Debian Jessie and an
Ubuntu 14.04 install. On a Debian-Squeeze I could not get Winbind to
work again by specifying a 'client max protocol'.


I would be grateful for any hint on what to look for, since I am
completely out of ideas.

Thanks a lot,
Robert Euhus

More information about the linux-cifs-client mailing list