[Samba] SMB Signing issues... smbclient works, mount does not...

Shirish Pargaonkar shirishpargaonkar at gmail.com
Fri Oct 7 07:20:29 MDT 2011


On Fri, Oct 7, 2011 at 12:20 AM, Vini <vini at fugspbr.org> wrote:
> On 7/10/2011 1:18 PM, Shirish Pargaonkar wrote:
>> On Thu, Oct 6, 2011 at 10:10 PM, Vini <vini at fugspbr.org> wrote:
>>> Hi All,
>>>
>>> I seem to have exactly the same problem which was described in this thread a
>>> while ago. I have gone through every piece of information I was able to find
>>> on mailing list archives but all I found was people reporting similar
>>> problems and not a solution to it.
>>>
>>> As in the original discussion if I use smbclient it works fine but if I use
>>> mount.cifs it does not work at all. To make smbclient work I have had to add
>>> "client ntlmv2 auth = yes" to the sbm.conf file.
>>>
>>> The server I am connecting to is a Windows 2008 R2 and the security policy
>>> only allows NTLMv2.
>>>
>>> I am trying to connect from a Centos 5.5
>>>
>>> 2.6.18-274.3.1.el5 #1 SMP Tue Sep 6 20:14:03 EDT 2011 i686 i686 i386
>>> GNU/Linux
>>>
>>> libsmbclient-3.5.4-68.2
>>> samba-3.5.4-68.2
>>> samba-common-3.5.4-68.2
>>> samba-client-3.5.4-68.2
>>> samba-winbind-clients-3.5.4-68.2
>>> cifs-utils-4.4-5.2
>>>
>>> ls /proc/fs/cifs/
>>> cifsFYI
>>> DebugData
>>> Experimental
>>> LinuxExtensionsEnabled
>>> LookupCacheEnabled
>>> MultiuserMount
>>> OplockEnabled
>>> SecurityFlags
>>> Stats
>>> traceSMB
>>>
>>> modinfo cifs
>>> filename:       /lib/modules/2.6.18-274.3.1.el5/kernel/fs/cifs/cifs.ko
>>> version:        1.60RH
>>> description:    VFS to access servers complying with the SNIA CIFS
>>> Specification e.g. Samba and Windows
>>> license:        GPL
>>> author:         Steve French <sfrench at us.ibm.com>
>>> srcversion:     4A9C63C35E60B4C015318F5
>>> depends:
>>> vermagic:       2.6.18-274.3.1.el5 SMP mod_unload 686 REGPARM 4KSTACKS
>>> gcc-4.1
>>> parm:           CIFSMaxBufSize:Network buffer size (not including header).
>>> Default: 16384 Range: 8192 to 130048 (int)
>>> parm:           cifs_min_rcv:Network buffers in pool. Default: 4 Range: 1 to
>>> 64 (int)
>>> parm:           cifs_min_small:Small network buffers in pool. Default: 30
>>> Range: 2 to 256 (int)
>>> parm:           cifs_max_pending:Simultaneous requests to server. Default:
>>> 50 Range: 2 to 256 (int)
>>> module_sig:
>>> 883f3504e66bf24104f42edc2b0f945112c79009d1e1918c363e6545d5644af26235486a0faee309e3e516f3731905cd551976d305e8c32b5f117ae9b
>>>
>>>
>>> This works without issues:
>>>
>>> smbclient -U username //192.168.20.129/share
>>>
>>> But this does not work at all:
>>>
>>> mount.cifs //192.168.20.129/share /mnt/ -o
>>> user=username,password=XXXXXXX,sec=ntlmv2
>>>
>>> For the record I have tried sec=ntlmv2i, ntlmssp, krb5i, krb5.
>>>
>>> Here is what I get when I try:
>>>
>>>
>>>
>>> With sec=ntlmv2i
>>>
>>> mount error(22): Invalid argument
>>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>>
>>> and dmesg gives:
>>>
>>>  CIFS VFS: Unexpected SMB signature
>>> Status code returned 0xc000000d NT_STATUS_INVALID_PARAMETER
>>>  CIFS VFS: Send error in SessSetup = -22
>>>  CIFS VFS: cifs_mount failed w/return code = -22
>>>
>>>
>>>
>>> With sec=ntlmv2
>>>
>>> mount error(95): Operation not supported
>>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>>
>>> and dmesg gives:
>>>
>>>  CIFS VFS: Server requires packet signing to be enabled in
>>> /proc/fs/cifs/SecurityFlags.
>>>  CIFS VFS: cifs_mount failed w/return code = -95
>>>
>>>
>>>
>>> With sec=ntlmssp
>>>
>>> mount error(95): Operation not supported
>>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>>
>>> and dmesg gives:
>>>
>>>  CIFS VFS: Server requires packet signing to be enabled in
>>> /proc/fs/cifs/SecurityFlags.
>>>  CIFS VFS: cifs_mount failed w/return code = -95
>>>
>>>
>>> I have tried changing the values /proc/fs/cifs/SecurityFlags but no
>>> difference at all.
>>>
>>> may use packet signing                          0x00001
>>> must use packet signing                         0x01001
>>> may use NTLM (most common password hash)        0x00002
>>> must use NTLM                                   0x02002
>>> may use NTLMv2                                  0x00004
>>> must use NTLMv2                                 0x04004
>>> may use Kerberos security                       0x00008
>>> must use Kerberos                               0x08008
>>> may use lanman (weak) password hash             0x00010
>>> must use lanman password hash                   0x10010
>>> may use plaintext passwords                     0x00020
>>> must use plaintext passwords                    0x20020
>>>
>>> Reference on line 588
>>> http://www.disy.cse.unsw.edu.au/lxr/source/fs/cifs/?v=linux-2.6.32
>>>
>>> One funny thing is that there should be a pseudo-file called
>>> /proc/fs/cifs/PacketSigningEnabled but it does not exist, even on much newer
>>> kernels it does not exist.
>>>
>>>
>>> Has anyone been able to overcome this problem?
>>>
>>> Thanks
>>> Vini
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>
>> You probably need this patch installed on the Windows 2008 server
>>  http://support.microsoft.com/kb/957441/en-us
>
> I have tried this and it did not work either, once I apply it the login
> fails with "NT_STATUS_LOGON_FAILURE"
>

A wireshark trace would be useful.  But if you can use latest cifs code
from 3.1 kernel on the mainline, that has a NTLMv2 fix, which might
fix this problem.
You can try either sec=ntlmssp or sec=ntlmsspi (If signing is enabled
on the server) mount option and see that helps.

Regards,

Shirish


More information about the samba mailing list