[Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"

Rowland Penny rowlandpenny241155 at gmail.com
Wed Jul 15 15:49:24 UTC 2015


On 15/07/15 15:10, Mario Pio Russo wrote:
> OR
>
> is there any way, or magical hidden parameter in the smb.conf that allows to
> enumerate the users in the Domain Users? tbh this has a huge impact on the
> file share server as many directories have "domain users" as group

I don't think you understand this at all :-)

If a user is a member of an AD domain, then they are members of the
Domain Users group, this is done via the 'primaryGroupID' attribute
which should be set to '513'

If you examine the 'Domain Users' object in AD, you will find that it
doesn't show as having *any* users, yet every user is a member and
Windows recognises this.

So when you upgrade the 'Domain Users' group to being a Unix group by
giving it a 'gidNumber' attribute and samba on a Unix client is set up
correctly, the Unix machine will also recognise this and allow members
of the 'Domain Users' group access to a share, this will happen even if
'getent group Domain\ Users' shows no members of the group. You should
note that you may also use domain_users to reference the group.


> ___________________________________________________________________________________________
>
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with number
> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
>
>
>
> From:	Mario Pio Russo/Ireland/IBM at IBMIE
> To:	Rowland Penny <rowlandpenny241155 at gmail.com>
> Cc:	samba at lists.samba.org, samba <samba-bounces at lists.samba.org>
> Date:	15/07/2015 13:48
> Subject:	Re: [Samba] Samba3 shares cannot be mounted on linux box uisng
>              cifs command , error "CIFS VFS: cifs_mount failed w/return code
>              = -13"
> Sent by:	"samba" <samba-bounces at lists.samba.org>
>
>
>
> ok, what do you suggest then? maybe changing the authentication to another
> group like "domainusers" ?
>
> From:		 Rowland Penny <rowlandpenny241155 at gmail.com>
> To:		 samba at lists.samba.org
> Date:		 15/07/2015 12:49
> Subject:	Re: [Samba] Samba3 shares cannot be mounted on linux box uisng
>              cifs command , error "CIFS VFS: cifs_mount failed w/return code
>              = -13"
> Sent by:		 "samba" <samba-bounces at lists.samba.org>
>
>
>
> On 15/07/15 11:06, Mario Pio Russo wrote:
>> I have some more findings about this
>>
>> it looks like getent does not get the right information from the Domain
>> Controller, in fact the domain user groups shows with NO member users:
>>
>> getent group | grep "domain users"
>> domain users:x:10000:
>> root at seadog:~#
>>
>>
>> Now funny thing is that other folders for which getent retrieves the users
>> correctly are mounted fine. any idea why I don't see the users in getent?
>
> Yes :-D
>
> Oh, you want to know why :-)
>
> Every user is a member of Domain Users and as such they are not shown as
> being members in the AD object, this is why getent doesn't show them.
>
> Rowland
>
>> for example:
>> root at seadog:~# getent group | grep "domain admins"
>> domain admins:x:10001:ieu94629,ieu94243,ftp3-admin,administrator
>>
>> any idea?
>>
>>
>>
>> From:		Rowland Penny <rowlandpenny241155 at gmail.com>
>> To:		samba at lists.samba.org
>> Date:		14/07/2015 20:00
>> Subject:	Re: [Samba] Samba3 shares cannot be mounted on linux box uisng
>>               cifs command , error "CIFS VFS: cifs_mount failed w/return code
>>               = -13"
>> Sent by:	"samba" <samba-bounces at lists.samba.org>
>>
>>
>>
>> On 14/07/15 19:27, Mario Pio Russo wrote:
>>> well, I have configured the kdc client on the file server, joined the
>>> domain using net ads join and it worked fine, again getent group , getent
>>> passwd , wbinfo -u they all work perfectly fine
>> Well, this sounds like samba is working correctly.
>>
>>> I am also able to browse the shares from any windows machine joined to the
>>> CCDC domain, but I am still not able to do ANY mount.cifs, not even from
>>> linux boxes joined to the domain :-/
>> Any error messages anywhere ?
>> Also when you say 'browse', can you give a bit more info, how are you
>> 'browsing' and where are the shares, on the DC or somewhere else?
>>
>>> I have no idea what's happening.
>>>
>>> P.S. another thing I have noticed is that from windows machines, when I try
>>> to do a network map to a share on the samba4, it gives "Authentication
>>> Failure", while it was working correctly before the migration.
>> Well, that probably means what it says, for some reason, samba is not
>> recognising either your users or their passwords,
>>
>> Rowland
>>
>>> I'm running short of ideas now, any help more than welcome!
>>>
>>>
>>> From:		Rowland Penny <rowlandpenny241155 at gmail.com>
>>> To:		samba at lists.samba.org
>>> Date:		14/07/2015 19:07
>>> Subject:	Re: [Samba] Samba3 shares cannot be mounted on linux box uisng
>>>                cifs command , error "CIFS VFS: cifs_mount failed w/return code
>>>                = -13"
>>> Sent by:	"samba" <samba-bounces at lists.samba.org>
>>>
>>>
>>> On 14/07/15 18:19, Mario Pio Russo wrote:
>>>> Thanks Rowland!
>>>>
>>>> few answers to your question:
>>>>
>>>> 1) I used the samba-tool domain classicupgrade to "migrate" the domain for
>>>> the pdc to a new Ubuntu server with sernet-samba-4.2.2
>>>>
>>>> 2) on the DC, I have configured the service to use the old winbind, as
>>>> that's just enough for our domain and it looked more stable during the test
>>>> phase. The smb.conf of the DC is the following:
>>>>
>>>> [global]
>>>>             workgroup = CCDC
>>>>             realm = CCDC.LAN
>>>>             netbios name = CCDC-SAMBA4-DC1
>>>>             server role = active directory domain controller
>>>>             idmap_ldb:use rfc2307 = yes
>>>>
>>>>             server services = -winbindd +winbind
>>> Remove these lines, they are not doing anything!
>>>>             dns forwarder = 9.0.138.50
>>>>             #server services = -winbindd +winbind
>>>>             idmap config CCDC:backend = ad
>>>>             idmap config CCDC:schema_mode = rfc2307
>>>>             idmap config CCDC:range = 10000-40000
>>>>
>>>>
>>>>             # Store UIDs/GIDs for all other domains (including local
>>>>             # accounts/groups of this server) in a tdb file
>>>>             idmap config *:backend = tdb
>>>>             idmap config *:range = 2000-9999
>>>>
>>>>             # Use home directory and shell information from AD
>>>>             winbind nss info = rfc2307
>>> Ok, from here on no problems.
>>>>             tls enabled  = yes
>>>>             tls keyfile  = tls/myKey.pem
>>>>             tls certfile = tls/myCert.pem
>>>>             tls cafile   =
>>>>
>>>> [netlogon]
>>>>             path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>>>             read only = No
>>>>
>>>> [sysvol]
>>>>             path = /var/lib/samba/sysvol
>>>>             read only = No
>>>>
>>>> 3) I will remove the password server as you suggested , thanks
>>>>
>>>> 4) the server is present in the domain, and getent group and getent passwd
>>>> works correctly, however it was NOT joined with net ads join, but with net
>>>> rpc join, could this make the difference? as I am currently thinking of
>>>> removing the server from the domain, configure kerberos-workstation and try
>>>> the net ads join, what do you think?
>>> If getent is working, then there should be no reason to leave & rejoin
>>> the domain, but then again, there is no reason not to try it :-)
>>>
>>> Rowland
>>>
>>>> again thanks for the help
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> From:		Rowland Penny <rowlandpenny241155 at gmail.com>
>>>> To:		samba at lists.samba.org
>>>> Date:		14/07/2015 17:50
>>>> Subject:	Re: [Samba] Samba3 shares cannot be mounted on linux box uisng
>>>>                 cifs command , error "CIFS VFS: cifs_mount failed w/return code
>>>>                 = -13"
>>>> Sent by:	"samba" <samba-bounces at lists.samba.org>
>>>>
>>>>
>>>> On 14/07/15 16:49, Mario Pio Russo wrote:
>>>>> Good Day All
>>>>>
>>>>> I have a problem for our main fileserver based on samba 3.5.6
>>>>>
>>>>> Let's give a bit of pregress first. We had a samba 3.5.6 installation which
>>>>> was acting as a PDC for our internal domain called CCDC. On a separate
>>>>> machine, we had another installation of samba 3.5.6 to act just as file
>>>>> share server.
>>>>>
>>>>> All was working ok, till I upgraded the PDC from samba 3.5.6 to samba
>>>>> 4.2.2 , using the classicupgrade.
>>>> Do you mean you upgraded an NT4 PDC via 'samba-tool domain
>>>> classicupgrade' to an AD DC ?
>>>>
>>>>> Now I am able to access the shares from the windows boxes added to the CCDC
>>>>> domain, but when I try to mount a cifs share from a linux box, then I get
>>>>> the following error:
>>>>>
>>>>>
>>>>> mount.cifs -o username=mariopio,domain=CCDC  //seadog.mul.ie.ibm.com/scrap/4mario /media/
>>>>> Password:
>>>>> mount error(13): Permission denied
>>>>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>>>>
>>>>> from dmesg I can see the following error:
>>>>>
>>>>> CIFS VFS: cifs_mount failed w/return code = -13
>>>>>
>>>> Your user is not known.
>>>>
>>>>> the smb.conf of the file server is the following:
>>>>>
>>>>>
>>>>> root at seadog:/etc/samba# cat smb.conf
>>>>> [global]
>>>>>
>>>>>              write cache size = 131072
>>>>>
>>>>>            vfs objects = full_audit
>>>>>            full_audit:prefix = %u,%I,%m,%S
>>>>>            # removed this, so we only log failures.
>>>>>            # however will keep it here commented it out for future reference
>>>>>            #full_audit:success = mkdir rename unlink rmdir open chown chmod connect readlink
>>>>>            full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
>>>>>            full_audit:facility = local7
>>>>>            full_audit:priority = NOTICE
>>>>>
>>>>>
>>>>>            server string = CSI Samba Server
>>>>>            workgroup = CCDC
>>>>>            netbios name = SEADOG
>>>>>            realm = CCDC.LAN
>>>>>            security = ads
>>>>>            #security = domain
>>>>>            wins server = 9.161.96.220
>>>>>            server signing = mandatory
>>>>>            password server = 9.161.96.220
>>>> password server shouldn't be set, let samba find it itself.
>>>>
>>>>>           map untrusted to domain = yes
>>>>>
>>>>>            wins support = no
>>>>>            wins proxy = no
>>>>>            dns proxy = no
>>>>>            name resolve order = wins host bcast
>>>>>
>>>>>            winbind use default domain = yes
>>>>>
>>>>>            winbind uid = 10000-20000
>>>>>            winbind gid = 10000-20000
>>>>>            winbind cache time = 15
>>>>>            winbind enum users = yes
>>>>>            winbind enum groups = yes
>>>>>
>>>>>            # This is needed, a fake home folder so that users are able to ftp
>>>>>            # this folder is empty but exists, do a getent passwd to see what I mean
>>>>>            template homedir = /home/winbind
>>>>>
>>>>>            local master = no
>>>>>            domain master = no
>>>>>
>>>>>            # To do with ACL mapping to windows
>>>>>            #
>>>>>            dos filemode = Yes
>>>>>            acl group control = Yes
>>>>>            acl map full control = Yes
>>>>>             map acl inherit = Yes
>>>>>
>>>>>            guest account = nobody
>>>>>            invalid users = root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats Debian-exim sshd ntpd
>>>>>
>>>>>            log file = /var/log/samba/log.%m
>>>>>            log level = 3
>>>>>
>>>>>            max log size = 2000
>>>>>            syslog = 0
>>>>>
>>>>>            # using these options copied from clearcase.
>>>>>            # back in the day we did research these to death
>>>>>            #
>>>>> #      socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>>>>>            socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>>>>>
>>>>>            # This disables print options
>>>>>            # we are not a print server
>>>>>            #
>>>>>            load printers = No
>>>>>            disable spoolss = Yes
>>>>>
>>>>>            smb ports = 139
>>>>>
>>>>>            # every mount from the SAN has a lost+found folder
>>>>>            # to avoid user confusion, have set this to hidden
>>>>>            #
>>>>>            hide files = /lost+found/
>>>>>
>>>>>            aio read size = 1
>>>>>            aio write size = 1
>>>>>            follow symlinks          = no
>>>>>
>>>>>
>>>>>
>>>>> [scrap]
>>>>>            comment              = ICS - CSI general scrap Area
>>>>>            path                 = /export/ICS/CSI/scrap
>>>>>            valid users          = @"Domain Users"
>>>>>            force create mode    = 750
>>>>>            force directory mode = 740
>>>>>            writeable            = Yes
>>>>>            browseable           = Yes
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> note that on this fileserver nothing was touched during the classicupgrade,
>>>>> apart from the following parameters of the smb.conf
>>>> Well, it probably should have been :-)
>>>>
>>>>>            realm = CCDC.LAN
>>>>>            security = ads
>>>>>            wins server = 9.161.96.220
>>>>>
>>>>>            password server = 9.161.96.220
>>>>>
>>>>>
>>>>>
>>>>> I have tried already different Linux machine with different distribution
>>>>> and I always get the same error, I have also tried to add the parameter
>>>>> "sec=ntlm or ntlmi " but hasn't changed much.
>>>>>
>>>>> Note that for some historical reason, this file server has NOT a kerberos
>>>>> workstation installation and was joined to the CCDC domain using net rpc
>>>>> join instead of net ads join, could this be a problem?
>>>> It would seem the domain has been upgraded to AD and your fileserver may
>>>> require joining to the new domain, but it is more likely to be something
>>>> to do with the winbindd changes that came in with 4.2.0, see here:
>>>>
>>>> https://www.samba.org/samba/history/samba-4.2.0.html
>>>>
>>>> Rowland
>>>>
>>>>> any help is much appreciated!!!!
>>>>>
>>>>>
>>>>> thanks
>>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>
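
The point made in the reply at the top of this message, as an added example that is not part of the original thread: a group's member list in `getent group` can be empty while users still belong to it through their primary GID. The two group lines are the ones quoted in the thread; the passwd entries, their UID/GID values and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Group lines are copied from the thread; the passwd lines
# (UIDs, shells, the 10000 primary GID) are constructed for illustration.
SAMPLE_PASSWD='mariopio:*:10500:10000::/home/winbind:/bin/false
ieu94629:*:10501:10000::/home/winbind:/bin/false'
SAMPLE_GROUP='domain users:x:10000:
domain admins:x:10001:ieu94629,ieu94243,ftp3-admin,administrator'

# Print the GID of group $1 found in group-format text $2.
group_gid() {
    printf '%s\n' "$2" |
        awk -F: -v g="$1" 'tolower($1) == tolower(g) { print $3; exit }'
}

# Print the primary GID of user $1 found in passwd-format text $2.
primary_gid() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $4; exit }'
}

# Succeed if user $1 is in the explicit member list of group $2 (text $3).
listed_member() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$2" '
        tolower($1) == tolower(g) {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit !found }'
}

# Print how user $1 belongs to group $2: primary, listed or none.
# $3 is passwd-format text, $4 is group-format text.
membership_via() {
    gid=$(group_gid "$2" "$4")
    pgid=$(primary_gid "$1" "$3")
    if [ -z "$gid" ] || [ -z "$pgid" ]; then
        echo unknown; return 2
    fi
    if [ "$pgid" = "$gid" ]; then
        echo primary; return 0
    fi
    if listed_member "$1" "$2" "$4"; then
        echo listed; return 0
    fi
    echo none; return 1
}

# Demo on the sample data; against a live host pass "$(getent passwd)" and
# "$(getent group)" instead.
membership_via mariopio "domain users" "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
membership_via ieu94629 "domain admins" "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
membership_via mariopio "domain admins" "$SAMPLE_PASSWD" "$SAMPLE_GROUP" || true
```

On a live system `id -Gn <user>` already includes the primary group in its output, so it is a more reliable check of who can reach a share restricted to `@"Domain Users"` than the member field of `getent group`.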





