[Samba] Samba3 shares cannot be mounted on linux box using cifs command , error "CIFS VFS: cifs_mount failed w/return code = -13"
Mario Pio Russo
mariopiorusso at ie.ibm.com
Tue Jul 14 18:27:39 UTC 2015
Well, I have configured the kdc client on the file server, joined the
domain using net ads join and it worked fine. Again, getent group, getent
passwd and wbinfo -u all work perfectly fine.
I am also able to browse the shares from any windows machine joined to the
CCDC domain, but I am still not able to do ANY mount.cifs, not even from
linux boxes joined to the domain :-/
I have no idea what's happening.
P.S. another thing I have noticed is that from windows machines, when I try
to do a network map to a share on the samba4, it gives "Authentication
Failure", while it was working correctly before the migration.
I'm running short of ideas now, any help more than welcome!
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
From: Rowland Penny <rowlandpenny241155 at gmail.com>
To: samba at lists.samba.org
Date: 14/07/2015 19:07
Subject: Re: [Samba] Samba3 shares cannot be mounted on linux box using cifs command , error "CIFS VFS: cifs_mount failed w/return code = -13"
Sent by: "samba" <samba-bounces at lists.samba.org>
On 14/07/15 18:19, Mario Pio Russo wrote:
> Thanks Rowland!
>
> few answers to your question:
>
> 1) I used the samba-tool domain classicupgrade to "migrate" the domain for
> the pdc to a new Ubuntu server with sernet-samba-4.2.2
>
> 2) on the DC, I have configured the service to use the old winbind, as
> that's just enough for our domain and it looked more stable during the test
> phase. The smb.conf of the DC is the following:
>
> [global]
> workgroup = CCDC
> realm = CCDC.LAN
> netbios name = CCDC-SAMBA4-DC1
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
>
> server services = -winbindd +winbind
Remove these lines, they are not doing anything!
> dns forwarder = 9.0.138.50
> #server services = -winbindd +winbind
> idmap config CCDC:backend = ad
> idmap config CCDC:schema_mode = rfc2307
> idmap config CCDC:range = 10000-40000
>
>
> # Store UIDs/GIDs for all other domains (including local
> # accounts/groups of this server) in a tdb file
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # Use home directory and shell information from AD
> winbind nss info = rfc2307
Ok, from here on no problems.
> tls enabled = yes
> tls keyfile = tls/myKey.pem
> tls certfile = tls/myCert.pem
> tls cafile =
>
> [netlogon]
> path = /var/lib/samba/sysvol/ccdc.lan/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> 3) I will remove the password server as you suggested , thanks
>
> 4) the server is present in the domain, and getent group and getent passwd
> work correctly, however it was NOT joined with net ads join, but with net
> rpc join, could this make the difference? as I am currently thinking of
> removing the server from the domain, configure kerberos-workstation and try
> the net ads join, what do you think?
If getent is working, then there should be no reason to leave & rejoin
the domain, but then again, there is no reason not to try it :-)
Rowland
> again thanks for the help
>
>
>
>
> ___________________________________________________________________________________________
>
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with number
> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
>
> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org
> Date: 14/07/2015 17:50
> Subject: Re: [Samba] Samba3 shares cannot be mounted on linux box using cifs command , error "CIFS VFS: cifs_mount failed w/return code = -13"
> Sent by: "samba" <samba-bounces at lists.samba.org>
>
>
>
> On 14/07/15 16:49, Mario Pio Russo wrote:
>> Good Day All
>>
>> I have a problem for our main fileserver based on samba 3.5.6
>>
>> Let's give a bit of pregress first. We had a samba 3.5.6 installation which
>> was acting as a PDC for our internal domain called CCDC. On a separate
>> machine, we had another installation of samba 3.5.6 to act just as file
>> share server.
>>
>> All was working ok, till I upgraded the PDC from samba 3.5.6 to samba
>> 4.2.2 , using the classicupgrade.
> Do you mean you upgraded an NT4 PDC via 'samba-tool domain
> classicupgrade' to an AD DC ?
>
>> Now I am able to access the shares from the windows boxes added to the CCDC
>> domain, but when I try to mount a cifs share from a linux box, then I get
>> the following error:
>>
>>
>> mount.cifs -o username=mariopio,domain=CCDC //seadog.mul.ie.ibm.com/scrap/4mario /media/
>> Password:
>> mount error(13): Permission denied
>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>
>> from dmesg I can see the following error:
>>
>> CIFS VFS: cifs_mount failed w/return code = -13
>>
> Your user is not known.
>
>> the smb.conf of the file server is the following:
>>
>>
>> root at seadog:/etc/samba# cat smb.conf
>> [global]
>>
>> write cache size = 131072
>>
>> vfs objects = full_audit
>> full_audit:prefix = %u,%I,%m,%S
>> # removed this, so we only log failures.
>> # however will keep it here commented it out for future reference
>>
>> #full_audit:success = mkdir rename unlink rmdir open chown chmod connect readlink
>> full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
>> full_audit:facility = local7
>> full_audit:priority = NOTICE
>>
>>
>> server string = CSI Samba Server
>> workgroup = CCDC
>> netbios name = SEADOG
>> realm = CCDC.LAN
>> security = ads
>> #security = domain
>> wins server = 9.161.96.220
>> server signing = mandatory
>> password server = 9.161.96.220
> password server shouldn't be set, let samba find it itself.
>
>> map untrusted to domain = yes
>>
>> wins support = no
>> wins proxy = no
>> dns proxy = no
>> name resolve order = wins host bcast
>>
>> winbind use default domain = yes
>>
>> winbind uid = 10000-20000
>> winbind gid = 10000-20000
>> winbind cache time = 15
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>> # This is needed, a fake home folder so that users are able to ftp
>> # this folder is empty but exists, do a getent passwd to see what I mean
>> template homedir = /home/winbind
>>
>> local master = no
>> domain master = no
>>
>> # To do with ACL mapping to windows
>> #
>> dos filemode = Yes
>> acl group control = Yes
>> acl map full control = Yes
>> map acl inherit = Yes
>>
>> guest account = nobody
>> invalid users = root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats Debian-exim sshd ntpd
>>
>> log file = /var/log/samba/log.%m
>> log level = 3
>>
>> max log size = 2000
>> syslog = 0
>>
>> # using these options copied from clearcase.
>> # back in the day we did research these to death
>> #
>> # socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>> socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>>
>> # This disables print options
>> # we are not a print server
>> #
>> load printers = No
>> disable spoolss = Yes
>>
>> smb ports = 139
>>
>> # every mount from the SAN has a lost+found folder
>> # to avoid user confusion, have set this to hidden
>> #
>> hide files = /lost+found/
>>
>> aio read size = 1
>> aio write size = 1
>> follow symlinks = no
>>
>>
>>
>> [scrap]
>> comment = ICS - CSI general scrap Area
>> path = /export/ICS/CSI/scrap
>> valid users = @"Domain Users"
>> force create mode = 750
>> force directory mode = 740
>> writeable = Yes
>> browseable = Yes
>>
>>
>>
>>
>> note that on this fileserver nothing was touched during the classicupgrade,
>> apart from the following parameters of the smb.conf
> Well, it probably should have been :-)
>
>> realm = CCDC.LAN
>> security = ads
>> wins server = 9.161.96.220
>>
>> password server = 9.161.96.220
>>
>>
>>
>> I have already tried different Linux machines with different distributions
>> and I always get the same error, I have also tried to add the parameter
>> "sec=ntlm or ntlmi " but it hasn't changed much.
>>
>> Note that for some historical reason, this file server does NOT have a kerberos
>> workstation installation and was joined to the CCDC domain using net rpc
>> join instead of net ads join, could this be a problem?
> It would seem the domain has been upgraded to AD and your fileserver may
> require joining to the new domain, but it is more likely to be something
> to do with the winbindd changes that came in with 4.2.0, see here:
>
> https://www.samba.org/samba/history/samba-4.2.0.html
>
> Rowland
>
>> any help is much appreciated!!!!
>>
>>
>> thanks
>>
>>
>> ___________________________________________________________________________________________
>>
>> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
>> 815 2236, eMail: mariopiorusso at ie.ibm.com
>> IBM Ireland Product Distribution Limited registered in Ireland with number
>> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>