[Samba] cifs-utils change between Debian Bullseye (6.11) and Debian Bookworm (7.0)
james.zuelow at juneau.gov
Tue Jun 27 21:55:53 UTC 2023
I have several Linux machines that mount a share on a Windows Server 2012 R2 (I know, it's old, it's on the list!) server for backup purposes using mount.cifs and fstab.
The fstab definition looks like this:
//server.domain.local/linux/ /root/backup cifs acl,rw,user,noauto,credentials=/home/bu/.nt/creds,vers=3.0 0 0
And the creds file looks like this:
Additionally the L_Backup user has the userWorkstations attribute set in Active Directory, with the IP addresses (not NetBIOS names) of the machines it should be connecting from.
This works perfectly for Bullseye machines. Any Linux machine with an IP address listed in userWorkstations connects and disconnects to the network share without trouble.
(ii cifs-utils 2:6.11-3.1+deb11u1 amd64 Common Internet File System utilities)
This does not work for Bookworm machines. No Bookworm machine can connect to the share.
(ii cifs-utils 2:7.0-2 amd64 Common Internet File System utilities)
With Bookworm machines, I get an error -13 invalid workstation error in dmesg/syslog. That led me to the SMBServer security log on the file server in question, which generates an event 551 SMB Session Authentication Failure.
That error looks like this:
Client Name: \\192.168.22.166
Client Address: 192.168.22.166:34230
Session ID: 0x883BC000305
Status: The user account is restricted such that it may not be used to log on from the source workstation. (0xC0000070)
(I noticed the user name field was blank, but see below.)
Because the error refers to user restrictions, and the userWorkstations field is active for the L_Backup account, I tried explicitly setting the NetBIOS name in fstab and ensuring that the same name was in the userWorkstations field, but that didn't work. The fstab definition changed to:
//server.domain.local/linux/ /root/backup cifs acl,rw,user,noauto,netbiosname=linux_server,credentials=/home/bu/.nt/creds,vers=3.0 0 0
Specifying netbiosname did not work. (The NetBIOS name was already set in smb.conf anyway, but I'm not sure whether that would affect the mount at all.) I rolled that change back. I then tried specifying SMB3 instead of CIFS:
//server.domain.local/linux/ /root/backup smb3 acl,rw,user,noauto,credentials=/home/bu/.nt/creds,vers=3.0 0 0
Specifying SMB3 instead of CIFS had no effect I could see.
The only effective solution I found is to clear the userWorkstations attribute for the service account in Active Directory. So even though the event 551 is logging a blank user name, changing that attribute for the L_Backup account DOES resolve the issue - I assume the blank field is just a Microsoft logging issue as the server certainly knows which account is being used to access the share. However, clearing the userWorkstations field leaves the service account with the ability to log onto arbitrary workstations, which I would like to avoid.
I've been so far unable to find a changelog or documentation describing any change in how mount.cifs may have changed how it reports workstations. Even though the Microsoft documentation says that the userWorkstations attribute should be a list of NetBIOS names, I've used IP addresses successfully for years - and the Bullseye machines can still connect with IP addresses in the userWorkstations field.
I assume I'm missing an important piece of documentation somewhere, possibly in the main Samba documentation and not specifically in mount.cifs docs. Can you point me in the right direction for a proper fix?
Systems Operations Manager
City and Borough of Juneau Information Technology
(907) 586-5295 x4212
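As an added triage aid (not part of the original post), the following PowerShell, run on the file server, pulls the recent event 551 entries with status 0xC0000070 from the SMBServer security log and compares each failing client's reported name and address against the service account's userWorkstations list, so you can see exactly which value the server rejected before deciding whether to keep IP addresses, switch to NetBIOS names, or clear the attribute. It assumes the ActiveDirectory module is installed, IPv4 clients, and the account name L_Backup from the post; the log and property names are the standard ones, and the regexes match the event text format shown above.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and IPv4 client addresses; the account name is taken from the post.
param(
    [string]$Account = 'L_Backup',
    [int]$Hours = 24
)

# The AD cmdlets expose the userWorkstations LDAP attribute as LogonWorkstations,
# a comma-separated string. An empty value means "any workstation".
$user = Get-ADUser -Identity $Account -Properties LogonWorkstations
$allowed = @()
if ($user.LogonWorkstations) {
    $allowed = $user.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() }
}
Write-Host "userWorkstations for ${Account}: $($allowed -join ', ')"

# Event 551 = SMB Session Authentication Failure in the SMBServer security log;
# 0xC0000070 is STATUS_INVALID_WORKSTATION, the status quoted in the post.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SMBServer/Security'
    Id        = 551
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $msg = $e.Message
    if ($msg -notmatch '0xC0000070') { continue }

    # Parse the two fields the server actually evaluated the restriction against.
    $clientName = if ($msg -match 'Client Name:\s*\\\\(\S+)') { $Matches[1] } else { '?' }
    $clientAddr = if ($msg -match 'Client Address:\s*([\d\.]+):\d+') { $Matches[1] } else { '?' }

    # Is either value present in the account's userWorkstations list?
    $nameListed = ($allowed -contains $clientName)
    $addrListed = ($allowed -contains $clientAddr)

    [pscustomobject]@{
        Time            = $e.TimeCreated
        ClientName      = $clientName
        ClientAddress   = $clientAddr
        NameInAllowList = $nameListed
        AddrInAllowList = $addrListed
    }
}
```

Run it while a Bullseye and a Bookworm client each attempt a mount; a difference in the ClientName column between the two is the cifs-utils behaviour change you are looking for.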