[Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"

Mario Pio Russo mariopiorusso at ie.ibm.com
Wed Jul 15 14:10:38 UTC 2015


OR

is there any way, or magical hidden parameter in the smb.conf that allows
enumerating the users in the Domain Users? tbh this has a huge impact on the
file share server as many directories have "domain users" as group
___________________________________________________________________________________________

Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4


From:	Mario Pio Russo/Ireland/IBM at IBMIE
To:	Rowland Penny <rowlandpenny241155 at gmail.com>
Cc:	samba at lists.samba.org, samba <samba-bounces at lists.samba.org>
Date:	15/07/2015 13:48
Subject:	Re: [Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"
Sent by:	"samba" <samba-bounces at lists.samba.org>



ok, what do you suggest then? maybe changing the authentication to another
group like "domainusers" ?

From:		 Rowland Penny <rowlandpenny241155 at gmail.com>
To:		 samba at lists.samba.org
Date:		 15/07/2015 12:49
Subject:	Re: [Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"
Sent by:		 "samba" <samba-bounces at lists.samba.org>



On 15/07/15 11:06, Mario Pio Russo wrote:
> I have some more findings about this
>
> it looks like getent does not get the right information from the Domain
> Controller, in fact the domain user groups shows with NO member users:
>
> getent group | grep "domain users"
> domain users:x:10000:
> root at seadog:~#
>
>
> Now funny thing is that other folders for which getent retrieves the users
> correctly are mounted fine. any idea why I don't see the users in getent?

Yes :-D

Oh, you want to know why :-)

Every user is a member of Domain Users and as such they are not shown as
being members in the AD object, this is why getent doesn't show them.

Rowland

>
> for example:
> root at seadog:~# getent group | grep "domain admins"
> domain admins:x:10001:ieu94629,ieu94243,ftp3-admin,administrator
>
> any idea?
>
>
> From:    Rowland Penny <rowlandpenny241155 at gmail.com>
> To:      samba at lists.samba.org
> Date:    14/07/2015 20:00
> Subject: Re: [Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"
> Sent by: "samba" <samba-bounces at lists.samba.org>
>
>
>
> On 14/07/15 19:27, Mario Pio Russo wrote:
>> well, I have configured the kdc client on the file server, joined the
>> domain using net ads join and it worked fine, again getent group, getent
>> passwd, wbinfo -u they all work perfectly fine
> Well, this sounds like samba is working correctly.
>
>> I am also able to browse the shares from any windows machine joined to the
>> CCDC domain, but I am still not able to do ANY mount.cifs, not even from
>> linux boxes joined to the domain :-/
> Any error messages anywhere ?
> Also when you say 'browse', can you give a bit more info, how are you
> 'browsing' and where are the shares, on the DC or somewhere else?
>
>> I have no idea what's happening.
>>
>> P.S. another thing I have noticed is that from windows machines, when I try
>> to do a network map to a share on the samba4, it gives "Authentication
>> Failure", while it was working correctly before the migration.
> Well, that probably means what it says, for some reason, samba is not
> recognising either your users or their passwords,
>
> Rowland
>
>> I'm running short of ideas now, any help more than welcome!
>>
>> From:    Rowland Penny <rowlandpenny241155 at gmail.com>
>> To:      samba at lists.samba.org
>> Date:    14/07/2015 19:07
>> Subject: Re: [Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"
>> Sent by: "samba" <samba-bounces at lists.samba.org>
>>
>>
>>
>> On 14/07/15 18:19, Mario Pio Russo wrote:
>>> Thanks Rowland!
>>>
>>> few answers to your question:
>>>
>>> 1) I used the samba-tool domain classicupgrade to "migrate" the domain for
>>> the pdc to a new Ubuntu server with sernet-samba-4.2.2
>>>
>>> 2) on the DC, I have configured the service to use the old winbind, as
>>> that's just enough for our domain and it looked more stable during the test
>>> phase. the smb.conf of the DC is the following:
>>>
>>> [global]
>>>            workgroup = CCDC
>>>            realm = CCDC.LAN
>>>            netbios name = CCDC-SAMBA4-DC1
>>>            server role = active directory domain controller
>>>            idmap_ldb:use rfc2307 = yes
>>>
>>>            server services = -winbindd +winbind
>> Remove these lines, they are not doing anything!
>>>            dns forwarder = 9.0.138.50
>>>            #server services = -winbindd +winbind
>>>            idmap config CCDC:backend = ad
>>>            idmap config CCDC:schema_mode = rfc2307
>>>            idmap config CCDC:range = 10000-40000
>>>
>>>
>>>            # Store UIDs/GIDs for all other domains (including local
>>>            # accounts/groups of this server) in a tdb file
>>>            idmap config *:backend = tdb
>>>            idmap config *:range = 2000-9999
>>>
>>>            # Use home directory and shell information from AD
>>>            winbind nss info = rfc2307
>> Ok, from here on no problems.
>>>            tls enabled  = yes
>>>            tls keyfile  = tls/myKey.pem
>>>            tls certfile = tls/myCert.pem
>>>            tls cafile   =
>>>
>>> [netlogon]
>>>            path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>>            read only = No
>>>
>>> [sysvol]
>>>            path = /var/lib/samba/sysvol
>>>            read only = No
>>>
>>> 3) I will remove the password server as you suggested , thanks
>>>
>>> 4) the server is present in the domain, and getent group and getent passwd
>>> works correctly, however it was NOT joined with net ads join, but with net
>>> rpc join, could this make the difference? as I am currently thinking of
>>> removing the server from the domain, configure kerberos-workstation and try
>>> the net ads join, what do you think?
>> If getent is working, then there should be no reason to leave & rejoin
>> the domain, but then again, there is no reason not to try it :-)
>>
>> Rowland
>>
>>> again thanks for the help
>>>
>>> From:    Rowland Penny <rowlandpenny241155 at gmail.com>
>>> To:      samba at lists.samba.org
>>> Date:    14/07/2015 17:50
>>> Subject: Re: [Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"
>>> Sent by: "samba" <samba-bounces at lists.samba.org>
>>>
>>>
>>>
>>> On 14/07/15 16:49, Mario Pio Russo wrote:
>>>> Good Day All
>>>>
>>>> I have a problem for our main fileserver based on samba 3.5.6
>>>>
>>>> Let's give a bit of progress first. We had a samba 3.5.6 installation which
>>>> was acting as a PDC for our internal domain called CCDC. On a separate
>>>> machine, we had another installation of samba 3.5.6 to act just as file
>>>> share server.
>>>>
>>>> All was working ok, till I upgraded the PDC from samba 3.5.6 to samba
>>>> 4.2.2 , using the classicupgrade.
>>> Do you mean you upgraded an NT4 PDC via 'samba-tool domain
>>> classicupgrade' to an AD DC ?
>>>
>>>> Now I am able to access the shares from the windows boxes added to the CCDC
>>>> domain, but when I try to mount a cifs share from a linux box, then I get
>>>> the following error:
>>>>
>>>>
>>>> mount.cifs -o username=mariopio,domain=CCDC //seadog.mul.ie.ibm.com/scrap/4mario /media/
>>>> Password:
>>>> mount error(13): Permission denied
>>>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>>>
>>>> from dmesg I can see the following error:
>>>>
>>>> CIFS VFS: cifs_mount failed w/return code = -13
>>>>
>>> Your user is not known.
>>>
>>>> the smb.conf of the file server is the following:
>>>>
>>>>
>>>> root at seadog:/etc/samba# cat smb.conf
>>>> [global]
>>>>
>>>>             write cache size = 131072
>>>>
>>>>           vfs objects = full_audit
>>>>           full_audit:prefix = %u,%I,%m,%S
>>>>           # removed this, so we only log failures.
>>>>           # however will keep it here commented it out for future reference
>>>>           #full_audit:success = mkdir rename unlink rmdir open chown chmod connect readlink
>>>>           full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
>>>>           full_audit:facility = local7
>>>>           full_audit:priority = NOTICE
>>>>
>>>>
>>>>           server string = CSI Samba Server
>>>>           workgroup = CCDC
>>>>           netbios name = SEADOG
>>>>           realm = CCDC.LAN
>>>>           security = ads
>>>>           #security = domain
>>>>           wins server = 9.161.96.220
>>>>           server signing = mandatory
>>>>           password server = 9.161.96.220
>>> password server shouldn't be set, let samba find it itself.
>>>
>>>>          map untrusted to domain = yes
>>>>
>>>>           wins support = no
>>>>           wins proxy = no
>>>>           dns proxy = no
>>>>           name resolve order = wins host bcast
>>>>
>>>>           winbind use default domain = yes
>>>>
>>>>           winbind uid = 10000-20000
>>>>           winbind gid = 10000-20000
>>>>           winbind cache time = 15
>>>>           winbind enum users = yes
>>>>           winbind enum groups = yes
>>>>
>>>>           # This is needed, a fake home folder so that users are able to ftp
>>>>           # this folder is empty but exists, do a getent passwd to see what I mean
>>>>           template homedir = /home/winbind
>>>>
>>>>           local master = no
>>>>           domain master = no
>>>>
>>>>           # To do with ACL mapping to windows
>>>>           #
>>>>           dos filemode = Yes
>>>>           acl group control = Yes
>>>>           acl map full control = Yes
>>>>            map acl inherit = Yes
>>>>
>>>>           guest account = nobody
>>>>           invalid users = root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats Debian-exim sshd ntpd
>>>>
>>>>           log file = /var/log/samba/log.%m
>>>>           log level = 3
>>>>
>>>>           max log size = 2000
>>>>           syslog = 0
>>>>
>>>>           # using these options copied from clearcase.
>>>>           # back in the day we did research these to death
>>>>           #
>>>> #      socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>>>>           socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>>>>
>>>>           # This disables print options
>>>>           # we are not a print server
>>>>           #
>>>>           load printers = No
>>>>           disable spoolss = Yes
>>>>
>>>>           smb ports = 139
>>>>
>>>>           # every mount from the SAN has a lost+found folder
>>>>           # to avoid user confusion, have set this to hidden
>>>>           #
>>>>           hide files = /lost+found/
>>>>
>>>>           aio read size = 1
>>>>           aio write size = 1
>>>>           follow symlinks          = no
>>>>
>>>>
>>>>
>>>> [scrap]
>>>>           comment              = ICS - CSI general scrap Area
>>>>           path                 = /export/ICS/CSI/scrap
>>>>           valid users          = @"Domain Users"
>>>>           force create mode    = 750
>>>>           force directory mode = 740
>>>>           writeable            = Yes
>>>>           browseable           = Yes
>>>>
>>>>
>>>>
>>>>
>>>> note that on this fileserver nothing was touched during the classicupgrade,
>>>> apart from the following parameters of the smb.conf
>>> Well, it probably should have been :-)
>>>
>>>>           realm = CCDC.LAN
>>>>           security = ads
>>>>           wins server = 9.161.96.220
>>>>
>>>>           password server = 9.161.96.220
>>>>
>>>>
>>>>
>>>> I have tried already different Linux machine with different distribution
>>>> and I always get the same error, I have also tried to add the parameter
>>>> "sec=ntlm or ntlmi " but hasn't changed much.
>>>>
>>>> Note that for some historical reason, this file server has NOT a kerberos
>>>> workstation installation and was joined to the CCDC domain using net rpc
>>>> join instead of net ads join, could this be a problem?
>>> It would seem the domain has been upgraded to AD and your fileserver may
>>> require joining to the new domain, but it is more likely to be something
>>> to do with the winbindd changes that came in with 4.2.0, see here:
>>>
>>> https://www.samba.org/samba/history/samba-4.2.0.html
>>>
>>> Rowland
>>>
>>>> any help is much appreciated!!!!
>>>>
>>>>
>>>> thanks
>>>>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
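
Rowland's explanation in the thread can be checked from the file server's side: a `getent group` line lists only explicit members, while accounts that hold the group as their primary group carry its GID in field 4 of `getent passwd`. The script below is an added example, not part of the original thread or of Samba; the sample accounts and every GID other than the 10000/10001 shown in the thread are constructed, and it assumes winbind reports "domain users" as each user's primary GID.

```shell
#!/bin/sh
# Constructed sample data in `getent passwd` / `getent group` format.
SAMPLE_PASSWD='mariopio:*:10500:10000:Mario:/home/winbind:/bin/false
alice:*:10501:10000:Alice:/home/winbind:/bin/false
administrator:*:10502:10001:Admin:/home/winbind:/bin/false
svc-backup:*:10503:10002::/home/winbind:/bin/false'
SAMPLE_GROUP='domain users:x:10000:
domain admins:x:10001:administrator,alice'

# effective_members GROUP PASSWD_TEXT GROUP_TEXT
# Prints a sorted, comma-separated list of:
#   - explicit members from the group line (field 4), plus
#   - every account whose primary GID (passwd field 4) equals the group's GID.
# The group name is matched case-insensitively, as winbind lowercases names.
effective_members() {
    # Group lines are fed first so the GID is known before passwd is scanned.
    printf '%s\n---\n%s\n' "$3" "$2" | awk -F: -v want="$1" '
        $0 == "---" { in_passwd = 1; next }
        !in_passwd && tolower($1) == tolower(want) {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            next
        }
        in_passwd && gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }
    ' | sort | paste -sd, -
}

# Live use on a domain member (needs "winbind enum users = yes" so that
# getent passwd enumerates domain accounts):
#   effective_members "domain users" "$(getent passwd)" "$(getent group)"
```

On the sample data the "domain users" line has an empty member field, yet the function still reports the two accounts whose primary GID is 10000.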

