[Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"

Rowland Penny rowlandpenny241155 at gmail.com
Wed Jul 15 16:43:14 UTC 2015


On 15/07/15 17:12, Mario Pio Russo wrote:
> well that's peculiar, as I am experiencing something different. in fact
> from ADUC I can see all the users belonging to the "domain users" groups.
> the authentication, however, does not work on that group, and the share
> "scrap" cannot be accessed with this config:

Well, yes you can see them with ADUC, but we were discussing Unix tools.

>
> valid users          = @"Domain Users"

Have you tried "@Domain Users" ?
But having said that, that will be everybody anyway, so you probably don't
need the line anyway.

Rowland

>
> however, I have created an auxiliary group called domainusers, added all
> the users to that group and changed the scrap access policy to this:
>
>
> valid users          = @"domainusers"
>
>
> now all works fine. I am modifying the share in order to never use the
> "domain users" groups as after the migration it simply doesn't work.
>
> maybe this workaround can be helpful for others,
>
> Bye for now!
>
> ___________________________________________________________________________________________
>
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with number
> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
>
>
>
>
> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org
> Date: 15/07/2015 16:55
> Subject: Re: [Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"
> Sent by: "samba" <samba-bounces at lists.samba.org>
>
>
>
> On 15/07/15 15:10, Mario Pio Russo wrote:
>> OR
>>
>> is there any way, or magical hidden parameter in the smb.conf that allows to
>> enumerate the users in the Domain Users? tbh this has a huge impact on the
>> file share server as many directories have "domain users" as group
> I don't think you understand this at all :-)
>
> If a user is a member of an AD domain, then they are members of the
> Domain Users group, this is done via the 'primaryGroupID' attribute
> which should be set to '513'
>
> If you examine the 'Domain Users' object in AD, you will find that it
> doesn't show as having *any* users, yet every user is a member and
> windows recognises this.
>
> So when you upgrade the 'Domain Users' group to being a Unix group by
> giving it a 'gidNumber' attribute and samba on a Unix client is set up
> correctly, the Unix machine will also recognise this and allow members
> of the 'Domain Users' group access to a share, this will happen even if
> 'getent group Domain\ Users' shows no members of the group. You should
> note that you may also use domain_users to reference the group.
>
>
>> From: Mario Pio Russo/Ireland/IBM at IBMIE
>> To: Rowland Penny <rowlandpenny241155 at gmail.com>
>> Cc: samba at lists.samba.org, samba <samba-bounces at lists.samba.org>
>> Date: 15/07/2015 13:48
>> Subject: Re: [Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"
>> Sent by: "samba" <samba-bounces at lists.samba.org>
>>
>>
>>
>> ok, what do you suggest then? maybe changing the authentication to another
>> group like "domainusers" ?
>>
>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>> To: samba at lists.samba.org
>> Date: 15/07/2015 12:49
>> Subject: Re: [Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"
>> Sent by: "samba" <samba-bounces at lists.samba.org>
>>
>>
>>
>> On 15/07/15 11:06, Mario Pio Russo wrote:
>>> I have some more findings about this
>>>
>>> it looks like getent does not get the right information from the Domain
>>> Controller, in fact the domain user groups shows with NO member users:
>>>
>>> getent group | grep "domain users"
>>> domain users:x:10000:
>>> root at seadog:~#
>>>
>>>
>>> Now funny thing is that other folders for which getent retrieves the users
>>> correctly are mounted fine. any idea why I don't see the users in getent?
>>
>> Yes :-D
>>
>> Oh, you want to know why :-)
>>
>> Every user is a member of Domain Users and as such they are not shown as
>> being members in the AD object, this is why getent doesn't show them.
>>
>> Rowland
>>
>>> for example:
>>> root at seadog:~# getent group | grep "domain admins"
>>> domain admins:x:10001:ieu94629,ieu94243,ftp3-admin,administrator
>>>
>>> any idea?
>>>
>>>
>>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>>> To: samba at lists.samba.org
>>> Date: 14/07/2015 20:00
>>> Subject: Re: [Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"
>>> Sent by: "samba" <samba-bounces at lists.samba.org>
>>>
>>>
>>> On 14/07/15 19:27, Mario Pio Russo wrote:
>>>> well, I have configured the kdc client on the file server, joined the
>>>> domain using net ads join and it worked fine, again getent group, getent
>>>> passwd, wbinfo -u they all work perfectly fine
>>> Well, this sounds like samba is working correctly.
>>>
>>>> I am also able to browse the shares from any windows machine joined to the
>>>> CCDC domain, but I am still not able to do ANY mount.cifs, not even from
>>>> linux boxes joined to the domain :-/
>>> Any error messages anywhere ?
>>> Also when you say 'browse', can you give a bit more info, how are you
>>> 'browsing' and where are the shares, on the DC or somewhere else?
>>>
>>>> I have no idea what's happening.
>>>>
>>>> P.S. another thing I have noticed is that from windows machines, when I try
>>>> to do a network map to a share on the samba4, it gives "Authentication
>>>> Failure", while it was working correctly before the migration.
>>> Well, that probably means what it says, for some reason, samba is not
>>> recognising either your users or their passwords,
>>>
>>> Rowland
>>>
>>>> I'm running short of ideas now, any help more than welcome!
>>>>
>>>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>>>> To: samba at lists.samba.org
>>>> Date: 14/07/2015 19:07
>>>> Subject: Re: [Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"
>>>> Sent by: "samba" <samba-bounces at lists.samba.org>
>>>>
>>>> On 14/07/15 18:19, Mario Pio Russo wrote:
>>>>> Thanks Rowland!
>>>>>
>>>>> few answers to your question:
>>>>>
>>>>> 1) I used the samba-tool domain classicupgrade to "migrate" the domain for
>>>>> the pdc to a new Ubuntu server with sernet-samba-4.2.2
>>>>>
>>>>> 2) on the DC, I have configured the service to use the old winbind, as
>>>>> that's just enough for our domain and it looked more stable during the test
>>>>> phase. the smb.conf of the DC is the following:
>>>>>
>>>>> [global]
>>>>>              workgroup = CCDC
>>>>>              realm = CCDC.LAN
>>>>>              netbios name = CCDC-SAMBA4-DC1
>>>>>              server role = active directory domain controller
>>>>>              idmap_ldb:use rfc2307 = yes
>>>>>
>>>>>              server services = -winbindd +winbind
>>>> Remove these lines, they are not doing anything!
>>>>>              dns forwarder = 9.0.138.50
>>>>>              #server services = -winbindd +winbind
>>>>>              idmap config CCDC:backend = ad
>>>>>              idmap config CCDC:schema_mode = rfc2307
>>>>>              idmap config CCDC:range = 10000-40000
>>>>>
>>>>>
>>>>>              # Store UIDs/GIDs for all other domains (including local
>>>>>              # accounts/groups of this server) in a tdb file
>>>>>              idmap config *:backend = tdb
>>>>>              idmap config *:range = 2000-9999
>>>>>
>>>>>              # Use home directory and shell information from AD
>>>>>              winbind nss info = rfc2307
>>>> Ok, from here on no problems.
>>>>>              tls enabled  = yes
>>>>>              tls keyfile  = tls/myKey.pem
>>>>>              tls certfile = tls/myCert.pem
>>>>>              tls cafile   =
>>>>>
>>>>> [netlogon]
>>>>>              path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>>>>              read only = No
>>>>>
>>>>> [sysvol]
>>>>>              path = /var/lib/samba/sysvol
>>>>>              read only = No
>>>>>
>>>>> 3) I will remove the password server as you suggested , thanks
>>>>>
>>>>> 4) the server is present in the domain, and getent group and getent passwd
>>>>> work correctly, however it was NOT joined with net ads join, but with net
>>>>> rpc join, could this make the difference? as I am currently thinking of
>>>>> removing the server from the domain, configure kerberos-workstation and try
>>>>> the net ads join, what do you think?
>>>> If getent is working, then there should be no reason to leave & rejoin
>>>> the domain, but then again, there is no reason not to try it :-)
>>>>
>>>> Rowland
>>>>
>>>>> again thanks for the help
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> From: Rowland Penny <rowlandpenny241155 at gmail.com>
>>>>> To: samba at lists.samba.org
>>>>> Date: 14/07/2015 17:50
>>>>> Subject: Re: [Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"
>>>>> Sent by: "samba" <samba-bounces at lists.samba.org>
>>>>>
>>>>> On 14/07/15 16:49, Mario Pio Russo wrote:
>>>>>> Good Day All
>>>>>>
>>>>>> I have a problem for our main fileserver based on samba 3.5.6
>>>>>>
>>>>>> Let's give a bit of pregress first. We had a samba 3.5.6 installation which
>>>>>> was acting as a PDC for our internal domain called CCDC. On a separate
>>>>>> machine, we had another installation of samba 3.5.6 to act just as file
>>>>>> share server.
>>>>>>
>>>>>> All was working ok, till I upgraded the PDC from samba 3.5.6 to samba
>>>>>> 4.2.2, using the classicupgrade.
>>>>> Do you mean you upgraded an NT4 PDC via 'samba-tool domain
>>>>> classicupgrade' to an AD DC ?
>>>>>
>>>>>> Now I am able to access the shares from the windows boxes added to the CCDC
>>>>>> domain, but when I try to mount a cifs share from a linux box, then I get
>>>>>> the following error:
>>>>>>
>>>>>>
>>>>>> mount.cifs -o username=mariopio,domain=CCDC //seadog.mul.ie.ibm.com/scrap/4mario /media/
>>>>>> Password:
>>>>>> mount error(13): Permission denied
>>>>>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>>>>>
>>>>>> from dmesg I can see the following error:
>>>>>>
>>>>>> CIFS VFS: cifs_mount failed w/return code = -13
>>>>>>
>>>>> Your user is not known.
>>>>>
>>>>>> the smb.conf of the file server is the following:
>>>>>>
>>>>>>
>>>>>> root at seadog:/etc/samba# cat smb.conf
>>>>>> [global]
>>>>>>
>>>>>>               write cache size = 131072
>>>>>>
>>>>>>             vfs objects = full_audit
>>>>>>             full_audit:prefix = %u,%I,%m,%S
>>>>>>             # removed this, so we only log failures.
>>>>>>             # however will keep it here commented it out for future reference
>>>>>>             #full_audit:success = mkdir rename unlink rmdir open chown chmod connect readlink
>>>>>>             full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
>>>>>>             full_audit:facility = local7
>>>>>>             full_audit:priority = NOTICE
>>>>>>
>>>>>>
>>>>>>             server string = CSI Samba Server
>>>>>>             workgroup = CCDC
>>>>>>             netbios name = SEADOG
>>>>>>             realm = CCDC.LAN
>>>>>>             security = ads
>>>>>>             #security = domain
>>>>>>             wins server = 9.161.96.220
>>>>>>             server signing = mandatory
>>>>>>             password server = 9.161.96.220
>>>>> password server shouldn't be set, let samba find it itself.
>>>>>
>>>>>>            map untrusted to domain = yes
>>>>>>
>>>>>>             wins support = no
>>>>>>             wins proxy = no
>>>>>>             dns proxy = no
>>>>>>             name resolve order = wins host bcast
>>>>>>
>>>>>>             winbind use default domain = yes
>>>>>>
>>>>>>             winbind uid = 10000-20000
>>>>>>             winbind gid = 10000-20000
>>>>>>             winbind cache time = 15
>>>>>>             winbind enum users = yes
>>>>>>             winbind enum groups = yes
>>>>>>
>>>>>>             # This is needed, a fake home folder so that users are able to ftp
>>>>>>             # this folder is empty but exists, do a getent passwd to see what I mean
>>>>>>             template homedir = /home/winbind
>>>>>>
>>>>>>             local master = no
>>>>>>             domain master = no
>>>>>>
>>>>>>             # To do with ACL mapping to windows
>>>>>>             #
>>>>>>             dos filemode = Yes
>>>>>>             acl group control = Yes
>>>>>>             acl map full control = Yes
>>>>>>              map acl inherit = Yes
>>>>>>
>>>>>>             guest account = nobody
>>>>>>             invalid users = root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats Debian-exim sshd ntpd
>>>>>>
>>>>>>             log file = /var/log/samba/log.%m
>>>>>>             log level = 3
>>>>>>
>>>>>>             max log size = 2000
>>>>>>             syslog = 0
>>>>>>
>>>>>>             # using these options copied from clearcase.
>>>>>>             # back in the day we did research these to death
>>>>>>             #
>>>>>> #      socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>>>>>>             socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>>>>>>
>>>>>>             # This disables print options
>>>>>>             # we are not a print server
>>>>>>             #
>>>>>>             load printers = No
>>>>>>             disable spoolss = Yes
>>>>>>
>>>>>>             smb ports = 139
>>>>>>
>>>>>>             # every mount from the SAN has a lost+found folder
>>>>>>             # to avoid user confusion, have set this to hidden
>>>>>>             #
>>>>>>             hide files = /lost+found/
>>>>>>
>>>>>>             aio read size = 1
>>>>>>             aio write size = 1
>>>>>>             follow symlinks          = no
>>>>>>
>>>>>>
>>>>>>
>>>>>> [scrap]
>>>>>>             comment              = ICS - CSI general scrap Area
>>>>>>             path                 = /export/ICS/CSI/scrap
>>>>>>             valid users          = @"Domain Users"
>>>>>>             force create mode    = 750
>>>>>>             force directory mode = 740
>>>>>>             writeable            = Yes
>>>>>>             browseable           = Yes
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> note that on this fileserver nothing was touched during the classicupgrade,
>>>>>> apart from the following parameters of the smb.conf
>>>>> Well, it probably should have been :-)
>>>>>
>>>>>>             realm = CCDC.LAN
>>>>>>             security = ads
>>>>>>             wins server = 9.161.96.220
>>>>>>
>>>>>>             password server = 9.161.96.220
>>>>>>
>>>>>>
>>>>>>
>>>>>> I have tried already different Linux machine with different distribution
>>>>>> and I always get the same error, I have also tried to add the parameter
>>>>>> "sec=ntlm or ntlmi " but hasn't changed much.
>>>>>>
>>>>>> Note that for some historical reason, this file server has NOT a kerberos
>>>>>> workstation installation and was joined to the CCDC domain using net rpc
>>>>>> join instead of net ads join, could this be a problem?
>>>>> It would seem the domain has been upgraded to AD and your fileserver may
>>>>> require joining to the new domain, but it is more likely to be something
>>>>> to do with the winbindd changes that came in with 4.2.0, see here:
>>>>>
>>>>> https://www.samba.org/samba/history/samba-4.2.0.html
>>>>>
>>>>> Rowland
>>>>>
>>>>>> any help is much appreciated!!!!
>>>>>>
>>>>>>
>>>>>> thanks
>>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>
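
The point made in the quoted replies (every AD user belongs to Domain Users through primaryGroupID, so `getent group` lists no members) matters when reviewing who a `valid users = @group` line admits. The following is an added example, not part of the thread and not Samba's code: it models Unix group resolution over the two group lines quoted above plus constructed passwd lines; the function names, the UIDs and the assumption that each user's primary GID equals the group's gidNumber are illustrative.

```python
# Added example (not from the thread): why an empty member list in
# `getent group` does not mean nobody is in the group.

# Constructed sample data. The two group lines are the getent output quoted in
# the thread; the passwd lines (UIDs, shells) are invented for illustration.
GROUP_DB = """\
domain users:x:10000:
domain admins:x:10001:ieu94629,ieu94243,ftp3-admin,administrator
"""
PASSWD_DB = """\
mariopio:*:10010:10000::/home/winbind:/bin/false
ieu94629:*:10011:10000::/home/winbind:/bin/false
administrator:*:10012:10000::/home/winbind:/bin/false
localsvc:x:999:999::/nonexistent:/usr/sbin/nologin
"""


def parse_groups(text):
    """Map lower-cased group name -> (gid, set of explicitly listed members)."""
    groups = {}
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":", 3)
        groups[name.lower()] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd(text):
    """Map user name -> primary GID (4th field of a passwd entry)."""
    return {f[0]: int(f[3]) for f in (l.split(":") for l in text.splitlines())}


def group_from_valid_users(entry):
    """Extract the group name from one '@group' or '@"group name"' entry."""
    if not entry.startswith("@"):
        raise ValueError("not a group entry: %r" % entry)
    return entry[1:].strip().strip('"').lower()


def effective_members(group, groups, passwd):
    """Split membership into users listed in the group and users who only
    belong through their primary GID (the case the thread describes)."""
    if group.lower() not in groups:
        # e.g. the AD group has no gidNumber, so it is not a Unix group at all
        raise LookupError("group not resolvable: %r" % group)
    gid, listed = groups[group.lower()]
    via_primary = {u for u, g in passwd.items() if g == gid} - listed
    return {"listed": listed, "via_primary_gid": via_primary}


if __name__ == "__main__":
    groups, passwd = parse_groups(GROUP_DB), parse_passwd(PASSWD_DB)
    # '@"no such group"' is a hypothetical entry showing the unresolvable case.
    for entry in ('@"Domain Users"', '@"domain admins"', '@"no such group"'):
        try:
            name = group_from_valid_users(entry)
            print(entry, effective_members(name, groups, passwd))
        except LookupError as exc:
            print(entry, "->", exc)
```

On a live member server the same comparison is `getent group` against the fourth field of `getent passwd`; an access review that reads only the group's member list misses the users found under `via_primary_gid`.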



