[Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"

Rowland Penny rowlandpenny241155 at gmail.com
Tue Jul 14 18:53:44 UTC 2015


On 14/07/15 19:27, Mario Pio Russo wrote:
> well, I have configured the kdc client on the file server, joined the
> domain using net ads join and it worked fine, again getent group, getent
> passwd, wbinfo -u they all work perfectly fine

Well, this sounds like samba is working correctly.

>
> I am also able to browse the shares from any windows machine joined to the
> CCDC domain, but I am still not able to do ANY mount.cifs, not even from
> linux boxes joined to the domain :-/

Any error messages anywhere ?
Also when you say 'browse', can you give a bit more info, how are you 
'browsing' and where are the shares, on the DC or somewhere else?

>
> I have no idea what's happening.
>
> P.S. another thing I have noticed is that from windows machines, when I try
> to do a network map to a share on the samba4, it gives "Authentication
> Failure", while it was working correctly before the migration.

Well, that probably means what it says, for some reason, samba is not 
recognising either your users or their passwords.

Rowland

>
> I'm running short of ideas now, any help more than welcome!
> ___________________________________________________________________________________________
>
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with number
> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
>
> From:	Rowland Penny <rowlandpenny241155 at gmail.com>
> To:	samba at lists.samba.org
> Date:	14/07/2015 19:07
> Subject:	Re: [Samba] Samba3 shares cannot be mounted on linux box using
>              cifs command, error "CIFS VFS: cifs_mount failed w/return code
>              = -13"
> Sent by:	"samba" <samba-bounces at lists.samba.org>
>
>
>
> On 14/07/15 18:19, Mario Pio Russo wrote:
>> Thanks Rowland!
>>
>> few answers to your question:
>>
>> 1) I used the samba-tool domain classicupgrade to "migrate" the domain for
>> the pdc to a new Ubuntu server with sernet-samba-4.2.2
>>
>> 2) on the DC, I have configured the service to use the old winbind, as
>> that's just enough for our domain and it looked more stable during the test
>> phase. The smb.conf of the DC is the following:
>>
>> [global]
>>           workgroup = CCDC
>>           realm = CCDC.LAN
>>           netbios name = CCDC-SAMBA4-DC1
>>           server role = active directory domain controller
>>           idmap_ldb:use rfc2307 = yes
>>
>>           server services = -winbindd +winbind
> Remove these lines, they are not doing anything!
>>           dns forwarder = 9.0.138.50
>>           #server services = -winbindd +winbind
>>           idmap config CCDC:backend = ad
>>           idmap config CCDC:schema_mode = rfc2307
>>           idmap config CCDC:range = 10000-40000
>>
>>
>>           # Store UIDs/GIDs for all other domains (including local
>>           # accounts/groups of this server) in a tdb file
>>           idmap config *:backend = tdb
>>           idmap config *:range = 2000-9999
>>
>>           # Use home directory and shell information from AD
>>           winbind nss info = rfc2307
> Ok, from here on no problems.
>>           tls enabled  = yes
>>           tls keyfile  = tls/myKey.pem
>>           tls certfile = tls/myCert.pem
>>           tls cafile   =
>>
>> [netlogon]
>>           path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>           read only = No
>>
>> [sysvol]
>>           path = /var/lib/samba/sysvol
>>           read only = No
>>
>> 3) I will remove the password server as you suggested, thanks
>>
>> 4) the server is present in the domain, and getent group and getent passwd
>> work correctly, however it was NOT joined with net ads join, but with net
>> rpc join, could this make the difference? I am currently thinking of
>> removing the server from the domain, configuring kerberos-workstation and
>> trying the net ads join, what do you think?
> If getent is working, then there should be no reason to leave & rejoin
> the domain, but then again, there is no reason not to try it :-)
>
> Rowland
>
>> again thanks for the help
>>
>> From:		 Rowland Penny <rowlandpenny241155 at gmail.com>
>> To:		 samba at lists.samba.org
>> Date:		 14/07/2015 17:50
>> Subject:		 Re: [Samba] Samba3 shares cannot be mounted on linux box using
>>               cifs command, error "CIFS VFS: cifs_mount failed w/return code
>>               = -13"
>> Sent by:		 "samba" <samba-bounces at lists.samba.org>
>>
>>
>>
>> On 14/07/15 16:49, Mario Pio Russo wrote:
>>> Good Day All
>>>
>>> I have a problem for our main fileserver based on samba 3.5.6
>>>
>>> Let's give a bit of pregress first. We had a samba 3.5.6 installation which
>>> was acting as a PDC for our internal domain called CCDC. On a separate
>>> machine, we had another installation of samba 3.5.6 to act just as file
>>> share server.
>>>
>>> All was working ok, till I upgraded the PDC from samba 3.5.6 to samba
>>> 4.2.2, using the classicupgrade.
>> Do you mean you upgraded an NT4 PDC via 'samba-tool domain
>> classicupgrade' to an AD DC ?
>>
>>> Now I am able to access the shares from the windows boxes added to the CCDC
>>> domain, but when I try to mount a cifs share from a linux box, then I get
>>> the following error:
>>>
>>>
>>> mount.cifs -o username=mariopio,domain=CCDC //seadog.mul.ie.ibm.com/scrap/4mario /media/
>>> Password:
>>> mount error(13): Permission denied
>>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>>
>>> from dmesg I can see the following error:
>>>
>>> CIFS VFS: cifs_mount failed w/return code = -13
>>>
>> Your user is not known.
>>
>>> the smb.conf of the file server is the following:
>>>
>>>
>>> root at seadog:/etc/samba# cat smb.conf
>>> [global]
>>>
>>>            write cache size = 131072
>>>
>>>          vfs objects = full_audit
>>>          full_audit:prefix = %u,%I,%m,%S
>>>          # removed this, so we only log failures.
>>>          # however will keep it here commented it out for future reference
>>>          #full_audit:success = mkdir rename unlink rmdir open chown chmod connect readlink
>>>          full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
>>>          full_audit:facility = local7
>>>          full_audit:priority = NOTICE
>>>
>>>
>>>          server string = CSI Samba Server
>>>          workgroup = CCDC
>>>          netbios name = SEADOG
>>>          realm = CCDC.LAN
>>>          security = ads
>>>          #security = domain
>>>          wins server = 9.161.96.220
>>>          server signing = mandatory
>>>          password server = 9.161.96.220
>> password server shouldn't be set, let samba find it itself.
>>
>>>         map untrusted to domain = yes
>>>
>>>          wins support = no
>>>          wins proxy = no
>>>          dns proxy = no
>>>          name resolve order = wins host bcast
>>>
>>>          winbind use default domain = yes
>>>
>>>          winbind uid = 10000-20000
>>>          winbind gid = 10000-20000
>>>          winbind cache time = 15
>>>          winbind enum users = yes
>>>          winbind enum groups = yes
>>>
>>>          # This is needed, a fake home folder so that users are able to ftp
>>>          # this folder is empty but exists, do a getent passwd to see what I mean
>>>          template homedir = /home/winbind
>>>
>>>          local master = no
>>>          domain master = no
>>>
>>>          # To do with ACL mapping to windows
>>>          #
>>>          dos filemode = Yes
>>>          acl group control = Yes
>>>          acl map full control = Yes
>>>           map acl inherit = Yes
>>>
>>>          guest account = nobody
>>>          invalid users = root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats Debian-exim sshd ntpd
>>>
>>>          log file = /var/log/samba/log.%m
>>>          log level = 3
>>>
>>>          max log size = 2000
>>>          syslog = 0
>>>
>>>          # using these options copied from clearcase.
>>>          # back in the day we did research these to death
>>>          #
>>> #      socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>>>          socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>>>
>>>          # This disables print options
>>>          # we are not a print server
>>>          #
>>>          load printers = No
>>>          disable spoolss = Yes
>>>
>>>          smb ports = 139
>>>
>>>          # every mount from the SAN has a lost+found folder
>>>          # to avoid user confusion, have set this to hidden
>>>          #
>>>          hide files = /lost+found/
>>>
>>>          aio read size = 1
>>>          aio write size = 1
>>>          follow symlinks          = no
>>>
>>>
>>>
>>> [scrap]
>>>          comment              = ICS - CSI general scrap Area
>>>          path                 = /export/ICS/CSI/scrap
>>>          valid users          = @"Domain Users"
>>>          force create mode    = 750
>>>          force directory mode = 740
>>>          writeable            = Yes
>>>          browseable           = Yes
>>>
>>>
>>>
>>>
>>> note that on this fileserver nothing was touched during the classicupgrade,
>>> apart from the following parameters of the smb.conf
>> Well, it probably should have been :-)
>>
>>>          realm = CCDC.LAN
>>>          security = ads
>>>          wins server = 9.161.96.220
>>>
>>>          password server = 9.161.96.220
>>>
>>>
>>>
>>> I have already tried different Linux machines with different distributions
>>> and I always get the same error, I have also tried to add the parameter
>>> "sec=ntlm or ntlmi " but it hasn't changed much.
>>>
>>> Note that for some historical reason, this file server does NOT have a kerberos
>>> workstation installation and was joined to the CCDC domain using net rpc
>>> join instead of net ads join, could this be a problem?
>> It would seem the domain has been upgraded to AD and your fileserver may
>> require joining to the new domain, but it is more likely to be something
>> to do with the winbindd changes that came in with 4.2.0, see here:
>>
>> https://www.samba.org/samba/history/samba-4.2.0.html
>>
>> Rowland
>>
>>> any help is much appreciated!!!!
>>>
>>>
>>> thanks
>>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>
>
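
Added example (not part of the original thread, and not Samba project code): a small Python check for the member-server smb.conf discussed above. It flags the "password server" pin that Rowland advises removing; the "winbind uid"/"winbind gid" check comes from the smb.conf manual page (deprecated synonyms of "idmap uid"/"idmap gid"), not from the thread. The sample config is constructed from the quoted file and the function names are hypothetical.

```python
import re

# Constructed sample: authentication-related lines from the member-server
# smb.conf quoted in the thread (trimmed, irregular indentation kept).
SAMPLE_SMB_CONF = """\
[global]
         realm = CCDC.LAN
         security = ads
         #security = domain
         password server = 9.161.96.220
          winbind uid = 10000-20000
         winbind gid = 10000-20000
[scrap]
         valid users = @"Domain Users"
"""

def norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}}; indentation is ignored."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][norm(key)] = value.strip()
    return conf

def lint_member_server(conf):
    g, findings = conf.get("global", {}), []
    if g.get("security", "").lower() == "ads" and "passwordserver" in g:
        findings.append("password server is pinned to %s; remove it so "
                        "Samba locates a DC itself" % g["passwordserver"])
    for old in ("winbinduid", "winbindgid", "idmapuid", "idmapgid"):
        if old in g:  # assumption from smb.conf(5), not from the thread
            findings.append("%s is a deprecated ID-range setting; use "
                            "'idmap config' ranges instead" % old)
    return findings

if __name__ == "__main__":
    for finding in lint_member_server(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("REVIEW:", finding)
```

A hand-written parser is used because smb.conf files like the one in this thread are indented unevenly, which Python's configparser would read as continuation lines.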



