[Samba] Openvpn and samba: play nice together?
Douglas D Germann Sr
76066.515 at Compuserve.com
Sat Oct 31 20:45:09 UTC 2015
Friends--
I'm stumped! Cannot get mount.cifs to work over a tun connection. How
would you trouble-shoot this?
1. It cannot be openvpn causing the problem: I can ping across the
connection both directions on all machines.
2. It cannot be samba causing the problem: I can mount.cifs the smb
shares on the lan (using the identical credentials file) without any issue.
3. Have iptables firewall on server, but have the same problem whether
it is active or not.
Specific error messages when trying to mount.cifs: “Credential
formatted incorrectly: (null)” and “Unable to find suitable address.”
The second message is more common than the first.
The details:
Production environment, trying to install a new server, named torus.
Server: torus locally is 192.168.0.203; its tun is 10.8.20.1. Runs
Ubuntu 14.04 lts.
Clients:
fire is local client at 192.168.0.6; its tun on torus is 10.8.20.5.
wind is remote client with tun on torus at 10.8.20.13.
air locally is 192.168.0.212, and its tun address for torus is
10.8.20.21. It will eventually go out to live remotely and connect only
through the cloud and a dynamic dns. (For the sake of this thread, I will
say that the .conf files on air are the same as wind, and it is having
the same error messages; with it I can test mounting over the lan
(192.168.0.x) and find that it connects; wind is 20 miles away and not
on the 192 lan.)
All these clients run Ubuntu 12.04 lts.
There is another client, svs2, which runs winxp, and it has no problems
connecting nor mounting the shares.
The torus server .conf is:
=====
push "route 10.8.20.0 255.255.255.0"
dev tun
management 127.0.0.1 1195
server 10.8.20.0 255.255.255.0
dh /etc/openvpn/dh4096torus.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/torus.crt
key /etc/openvpn/torus.key
client-config-dir /etc/openvpn/ccd
ifconfig-pool-persist /etc/openvpn/ipp.txt 0
max-clients 6
comp-lzo
persist-tun
persist-key
verb 3
log-append /var/log/openvpn.log
keepalive 10 60
reneg-sec 0
status-version 2
proto udp6
port 1***
user nobody
group nobody
#group nogroup
client-to-client
tls-auth ta.key 0
=====
On torus:
=====
doug@torus:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         router          0.0.0.0         UG    0      0        0 eth1
10.8.20.0       10.8.20.2       255.255.255.0   UG    0      0        0 tun0
10.8.20.2       *               255.255.255.255 UH    0      0        0 tun0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
doug@torus:~$
=====
On wind:
=====
doug@wind:~$ cat /etc/openvpn/torus.conf
client
dev tun2
proto udp
remote *****.org 1***
resolv-retry infinite
nobind
persist-key
persist-tun
dh dh4096torus.pem
ca /etc/openvpn/caontorus.crt
cert /etc/openvpn/windontorus.crt
key /etc/openvpn/windontorus.key
remote-cert-tls server
comp-lzo
verb 3
tls-auth /etc/openvpn/taontorus.key 1
doug@wind:~$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.8.1.0        10.8.1.14       255.255.255.0   UG    0      0        0 tun1
10.8.1.14       *               255.255.255.255 UH    0      0        0 tun1
10.8.20.0       10.8.20.14      255.255.255.0   UG    0      0        0 tun2
10.8.20.14      *               255.255.255.255 UH    0      0        0 tun2
link-local      *               255.255.0.0     U     1000   0        0 eth0
192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
doug@wind:~$
=====
(Wind's connection to another server on its tun1 is able to mount.cifs
its shares. Far as I can tell the server.conf and client.conf files are
the same as this set up.)
The smb.conf file on torus is:
=====
[global]
workgroup = EVERYONE
server string = h server (Samba, Ubuntu)
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
lanman auth = Yes
client lanman auth = Yes
client plaintext auth = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
printcap name = cups
disable spoolss = Yes
showadd printer wizard = No
hosts allow = 192.168.0.0/24 10.8.0.0/24 127.0.0.1
#interfaces = 192.168.0.0/24 10.8.0.0/24 10.8.20.0/24 10.8.1.0/24
########ddg20151026
interfaces = eth* tun* lo
bind interfaces only = yes
#######
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
create mask = 0775
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No
browsable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
browsable = No
[vol1]
path = /vol1
valid users = doug, [blanked]
force user = doug
force group = apps
read only = No
[vol2]
path = /vol2
valid users = doug, [blanked]
force user = doug
force group = data
read only = No
[label]
path = /vol1/apps/label
valid users = doug, [blanked]
force user = doug
force group = data
read only = No
[doug2]
path = /doug2
valid users = doug
force user = doug
force group = doug
read only = No
browseable = No
browsable = No
[etc]
path = /etc
valid users = doug
force user = doug
force group = doug
read only = No
browseable = No
browsable = No
[home]
path = /home
valid users = doug
force user = doug
force group = doug
read only = No
browseable = No
browsable = No
=====
Here is the error message on wind, with the iptables on torus flushed:
=====
[sudo] password for doug:
mount: proc already mounted on /proc
mount: //mariah/vol1 already mounted on /sam/vol1
mount: //mariah/vol2 already mounted on /sam/vol2
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
Credential formatted incorrectly: (null)
mount.cifs kernel mount options: ip=10.8.20.1,unc=\\torus\vol2,nobrl,credentials=/root/.toruscredentials,uid=1000,gid=1003,ver=1,user=doug,pass=********
Unable to find suitable address.
doug@wind:~$
=====
The specific line in wind's /etc/fstab involved is:
=====
//torus/vol2 /sam/torus2 cifs rw,nobrl,mand.user,credentials=/root/.toruscredentials,uid=doug,gid=data 0 0
=====
So how do I get these talking to each other in such a way that I can
mount these samba shares?
Thanks!
--
:- Doug. Germann
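
The addresses given in the post can be checked against the `hosts allow` line of the posted smb.conf, which Samba matches against the connecting client's address. The following is an added example, not part of the original post; it handles only address, address/mask and trailing-dot entries, and the client labels are made up here.

```python
import ipaddress

# Values copied from the post; the dictionary labels are constructed here.
HOSTS_ALLOW = "192.168.0.0/24 10.8.0.0/24 127.0.0.1"
CLIENTS = {
    "fire (lan)": "192.168.0.6",
    "fire (tun)": "10.8.20.5",
    "wind (tun)": "10.8.20.13",
    "air (lan)": "192.168.0.212",
    "air (tun)": "10.8.20.21",
}


def parse_hosts_allow(value):
    """Return the networks named in a `hosts allow` value.

    Assumption: only IP, IP/mask and trailing-dot shorthand are handled.
    Hostnames and netgroups are skipped; EXCEPT clauses are rejected.
    """
    nets = []
    for token in value.replace(",", " ").split():
        if token.upper() == "EXCEPT":
            raise ValueError("EXCEPT clauses are not handled by this example")
        if token.endswith("."):
            # Samba shorthand such as "10.8.20." means the whole 10.8.20.0/24
            octets = token.rstrip(".").split(".")
            prefix = 8 * len(octets)
            token = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % prefix
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue  # a hostname or netgroup; would need name resolution
    return nets


def uncovered(clients, hosts_allow):
    """Names of clients whose address matches no `hosts allow` entry."""
    nets = parse_hosts_allow(hosts_allow)
    return sorted(
        name for name, addr in clients.items()
        if not any(ipaddress.ip_address(addr) in net for net in nets)
    )


if __name__ == "__main__":
    for name in uncovered(CLIENTS, HOSTS_ALLOW):
        print("not matched by hosts allow:", name, CLIENTS[name])
```

On the server itself, `testparm /etc/samba/smb.conf <hostname> <hostIP>` evaluates `hosts allow` and `hosts deny` for a given client using Samba's own parser.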