GeneriK
asked on
SAMBA Client - domain authentication
I'm running Debian 3.0r2 with Samba 2.2.3a-12.3.
I'm not extremely concerned about hosting SMB shares at present, just with connecting to them.
I can connect fine to one WIntel box with smbclient to list all available shares "smbclient -L server1 -U myusername" Then prompts for password and lists all shares fine. Will also mount perfectly.
However, username and password I am using for server1 are local accounts. When I try to connect to a file server on the Win2K AD domain, I get the "NT_STATUS_ACCESS_DENIED" error. I have tried prefixing my username with "DOMAIN\" to no avail.
I have SWAT however it's not the most intuitive console in the world and I'm happy just using vi, but the smb.conf manual is confusing me.
I'm pretty sure the issue lies with this conf file. If somebody can give me a specific set of explained steps to set up domain authentication I'd be most grateful. Cheers.
Can you print out your current smb.conf?
I have seen problems with Windows 2000 machines not allowing plain text password from linux machines. By default NT allowed plain text password and 2000 doesn't. I think you need a registry entry
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
"EnablePlainTextPassword"=dword:00000001
To allow a linux box into a 2000 SMB server
ASKER
/etc/samba/smb.conf
# Samba config file created using SWAT
# from localhost (127.0.0.1)
# Date: 2003/12/03 12:41:41
# Global parameters
[global]
workgroup = LINUX
netbios name = VIPER
server string = %h server (Samba %v)
security = SERVER
encrypt passwords = Yes
update encrypted = Yes
obey pam restrictions = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spasswor
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
[homes]
comment = Home Directories
create mask = 0700
directory mask = 0700
browseable = No
[printers]
comment = All Printers
path = /tmp
create mask = 0700
printable = Yes
browseable = No
--------------------------
Should have mentioned also that I do not have admin access to the WIntel and therefore cannot make any registry mods etc.
ASKER
Do the maintainers of this site realise that it looks crap in galeon?
ASKER
frames don't work properly
ASKER
Incidentally, a colleague connected successfully with a RH8 box to the same share. Unfortunately he blasted his HDD so I can't compare smb.conf files.
smbclient doesn't use the smb.conf file.
Do
smbclient -L server1 -U myusername -W DOMAIN
where DOMAIN is your AD domain and myusername is a valid user within that domain.
The corresponding smbmount options are "username=...,password=....,workgroup=....", giving the following /etc/fstab entry template:
//server1/share /mnt/server1share smbfs noauto,username=...,password=....,workgroup=.... 0 0
Be sure that the mountpoint directory exists first.
If you have reservations about having plaintext passwords in /etc/fstab you can instead use the credentials=<filename> stratagem (the file contains the username=... and password=... entries on separate lines... only root need be able to read this file) or the environment variable thing mentioned in the smbmount man-page.
-- Glenn
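Added example, not part of the original thread: one way to set up the credentials=<filename> approach from the post above, with the password read from stdin rather than typed on the command line, plus a check for fstab entries that still embed a password. The path /etc/samba/server1.cred, the function names and the sample values are assumptions made for illustration.

```bash
#!/bin/bash
# Added example (not from the thread): the credentials=<filename> approach.
# /etc/samba/server1.cred, DOMAIN and server1 are assumed names.

# Write "username=" and "password=" lines to file $1 for user $2.
# The password is read from stdin, so it never appears in argv (ps) or history.
write_smb_credentials() {
    local file="$1" user="$2" pass=""
    IFS= read -r pass || [ -n "$pass" ] || return 1
    (
        umask 077    # a newly created file is 0600 from the start
        printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$file"
    ) || return 1
    chmod 600 "$file"    # tighten it if the file already existed
}

# Return 0 if $1 is a regular file (not a symlink) with mode 600 or 400 that
# holds both keys; 1 = permissions too wide, 2 = missing or not a plain file,
# 3 = a key is absent.
check_smb_credentials() {
    local file="$1" mode
    if [ ! -f "$file" ] || [ -L "$file" ]; then return 2; fi
    mode=$(stat -c '%a' "$file") || return 2
    case "$mode" in
        600|400) ;;
        *) return 1 ;;
    esac
    grep -q '^username=' "$file" || return 3
    grep -q '^password=' "$file" || return 3
    return 0
}

# fstab entry that points at the credentials file instead of embedding the
# password: $1=UNC, $2=mountpoint, $3=credentials file, $4=workgroup/domain.
smb_fstab_entry() {
    printf '%s %s smbfs noauto,credentials=%s,workgroup=%s 0 0\n' "$1" "$2" "$3" "$4"
}

# Print the line numbers of smbfs/cifs entries in fstab-format file $1 whose
# option field still contains an inline password=.
fstab_inline_passwords() {
    awk '$1 !~ /^#/ && ($3 == "smbfs" || $3 == "cifs") && $4 ~ /(^|,)password=/ { print NR }' "$1"
}

# Demo on constructed data in a scratch directory (nothing under /etc is touched).
demo_dir=$(mktemp -d)
printf '%s\n' 'constructed-password' | write_smb_credentials "$demo_dir/server1.cred" 'user.name'
check_smb_credentials "$demo_dir/server1.cred" && echo "credentials file OK"
smb_fstab_entry //server1/share /mnt/server1share /etc/samba/server1.cred DOMAIN
{
    echo '# constructed fstab'
    echo '//server1/share /mnt/a smbfs noauto,username=u,password=p,workgroup=DOMAIN 0 0'
    smb_fstab_entry //server1/share /mnt/b /etc/samba/server1.cred DOMAIN
} > "$demo_dir/fstab"
echo "inline password on fstab line(s): $(fstab_inline_passwords "$demo_dir/fstab")"
rm -rf "$demo_dir"
```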
ASKER
Glenn - how you doing?
$ smbclient -L server2 -U user.name -W DOMAIN
added interface ip=10.160.21.3 bcast=10.160.23.255 nmask=255.255.252.0
Password: <password>
Domain=[BC] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
tree connect failed: NT_STATUS_ACCESS_DENIED
same error as before. My account is definitely valid on the domain as I can see the fileserver from my WIntel box.
cheers,
Erik
did u turn on the guest account on windows system.
try to create a guest account on windows and then try to connect with the guest account.
also could u try to mount the smb share.
smbmount or simple
mount -t smbfs -o <options>,username=xxx,password=xxx //computer/share /mount/point
Also check this post. may be related to your problem.
https://www.experts-exchange.com/questions/20605057/Problems-connecting-SMB-Client-to-2K3-Server.html
ASKER
shivsa - read the thread - I do not have admin access to the WIntel file server.
Guest accounts are disabled on the estate for security.
The mount -t smbfs command doesn't work for this server either.
> smbclient doesn't use the smb.conf file.
... slight amendment: it uses the file, yes, but everything important can be overridden (and probably should be:-). Since you specify the domain/workgroup, the setting "security = SERVER" shouldn't have any effect (for the client. This is the only real diff I can see )... You could try commenting it though.
At the root of your trouble seems to lie the guest (non-)access restriction.
We have this working, since we allow anonymous guest, but have (reportedly... according to our AD guru:) taken steps to minimize the security ramifications it'll have. I can perhaps massage his ego so that he'll share (:-) some info.
Is the server exposed, or do you run a high security shop?
Anyway, regardless of the "browseability", you should still be able to access the shares directly with something like
mount -t smbfs -o username=user.name,password=thepassword,workgroup=BC //server2/name_of_share /mountpoint
(mkdir /mountpoint first etc etc) This will be transformed by the mount.smbfs script to a smbmount command, or /sbin/mount.smbfs might be a symbolic link to smbmount ... anyway, smbmount gets called like
smbmount //server2/name_of_share /mountpoint -o username=user.name,password=thepassword,workgroup=BC
As said, this should work...:)
Have you thought of upgrading samba? 2.2.3a isn't smoking exactly:-)... And I'm a bit ... stumped (unable to reproduce your exact situation).
-- Glenn
ASKER
It's relatively high security here I'm afraid - I'm on a massive enterprise implementation at a client site so no access to production AD configuration for anyone except the outsourced support organisation (it's a production file share).
I might take your advice with the upgrade, but it's not samba I really need to upgrade, is it? I don't really care about hosting shares on Linux box (ftpd works, right?) so it must be smbclient that the problem is with, or maybe some kernel config options? I don't think there is a dependency for smbclient / smbmount for the samba package if you only want to mount shares.
I have read about the anonymous guest access issue (bug?) but don't really understand it - is the problem resolved in later versions of smbclient / smbmount?
ASKER
i have also tried the mount -t smbfs command in various permutations but no dice with this either.
I'm looking at bugzilla.... Nothing conclusive as of yet:).
I tend to keep samba and smbclient in "lockstep". It's (of course) the latter that needs upgrading:-).
There are binaries for debian at http://www.samba.org for more recent offerings.
-- Glenn
ASKER
glenn
I upgraded to Samba 3 (all components) and smbclient now works - I can list the shares available.
This is great, but... when trying to mount:
# mount -t smbfs -o username-user.name,password=password,rw //server/share /mnt/
cli_negprot: SMB signing is mandatory and we have disabled it.
1743: protocol negotiation failed
SMB connection failed
i've seen this in some other forums and tried adding client signing = yes (as suggested) to my smb.conf but this doesn't seem to work.
ASKER
looks like the earlier version of samba can handle authentication to a local host domain, but not to that host's domain controller.
ASKER
is no-one prepared to give more help with this one?
otherwise I have to close, sorry.
Sorry Erik, I'm (unfortunately) very busy ATM with Real (paying) Work...
I did a quick search, and turned up a lot of errors of this kind, some more or less fitting your description...
Seems to me like the 3.0 client succeeds authentication, but the subsequent SMB protocol negotiating borks out on the default behaviour for client signing... Do you have
client signing = yes
("client use spnego = yes" should be the default already)
in your smb.conf?
If that didn't work, this post http://www.spinics.net/lists/samba/msg09710.html hints that http://www.samba.org/samba/Linux_CIFS_client.html might be your solution.
-- Glenn
ASKER
thanks - i'll try it
do you have the right to join domain?
[global]
workgroup =YOUR DOMAIN NAME
netbios name = VIPER
security = domain
password server=*
then join domain, type: smbpasswd -j YOUR DOMAIN NAME -r DOMAIN DC -U ADMINISTRATOR'S NAME
after you join the domain, you shouldn't have any problem to mount the file server share
mount -t smbfs //file server name/share /mount point
remember to ask your admin to add root in the win2k domain as a user.
use file server's name then ip.
ASKER
I cannot join the domain - only authenticate to shares on it to which I have been granted access.
>> remember to ask your admin to add root in the win2k domain as a user.
err... why? I already have an account on the domain controller.
looks like CIFS is the best option but I haven't had time to set it up yet.
Well, since 2.6.0 (which include CIFS vfs) is released you could combine the fun of testing out the new kernel and fixing this problem;-). As usual get it from http://www.kernel.org (... or is there already an unstable package for Debian to just apt-get?-).
-- Glenn
ASKER
wow! i've been out of action for too long! never realised 2.6 was out of beta yet!
that settles it - eat my dust 2.4.23, it was good while it lasted (but here comes the daddy).
ASKER
sorry for returning to this after so long
I know this is not a 2.6.1 issues thread - but I reckon you could tell me where I can find a list of required QT packages to install in order get the kernel configuration GUI to work.
the 2.4.x GUIs were fine ...
i'm on Debian 3.0 r2
Nope, sorry.... I've not used GUI method in years... (wasn't xconfig tcl/tk back then:-). menuconfig usually suit my mood:-)
Documentation/Changes should mention it, but doesn't... bummer. Don't really have time to dig today... Sorry.
It doesn't fly with what you've got then? Neither gtkconfig nor xconfig?
-- Glenn
ASKER
yeah - sorry - i'm used to the GUI. i didn't know there was an option for GTK though
i will try that
thanks
Ooops... gtkconfig should be gconfig (for gtk)...
-- Glenn (a.k.a. Le Grand Typo)
ASKER
tak
ASKER
Right
Back to Samba - sorry again this has been such a massive thread.
I'm now running 2.6.4 (yay!)
but smbclient still isn't working. New error message though:
SMB Signature verification failed on incoming packet!
session setup failed: Server packet had invalid SMB signature!
Ring any bells? Let me know if you need more info
Um, shouldn't you be using mount.cifs mount helper program (part of samba 3)... Look at the use instructions etc at http://cvs.samba.org/cgi-bin/cvsweb/cifsvfs/fs/cifs/README?rev=1.20&content-type=text/x-cvsweb-markup
mount -t cifs .....
-- Glenn
ASKER
CONFIG_CIFS=y
When I use mount (rather than smbclient) tried both cifs and smbfs for this
mount -t cifs -o username="DOMAIN\user.name",password="password",uid=user,gid=group,rw //server/share /mnt
mount: Connection refused
and
mount -t smbfs -o username="DOMAIN\user.name",password="password",uid=user,gid=group,rw //server/share /mnt
cli_negprot: SMB signing is mandatory and we have disabled it.
1089: protocol negotiation failed
SMB connection failed
mount -t cifs -o username="user.name",password="password",domain="DOMAIN",uid=user,gid=group,rw //server/share /mnt
... perhaps would work better? The readme lists some more tips and tricks.
-- Glenn
ASKER
OK - thanks but I just upgraded to an even newer version of Samba and now it appears I can connect with CIFS to the server.
Running this command (as you suggested)
mount -t cifs -o username="user.name",password="password",domain="DOMAIN",uid=user,gid=group,rw //server/share /mnt
Now gives me this mount error:
mount: cannot mount block device //feltfps0005/gengrpshare0020/ read-only
I have also tried to mount rw - same problem
mount: block device //feltfps0005/gengrpshare0020/ is write-protected, mounting read-only
mount: cannot mount block device //feltfps0005/gengrpshare0020/ read-only
My mount directory has nothing else in it, is not listed in /etc/fstab and has permissions set to 777
ASKER
am I missing a block device kernel driver?
ASKER
CONFIG_BLK_DEV_NBD is not set
this could be the problem.
Let me quickly reconfigure and recompile and I'll come back
(Just to make sure... You have the mount.cifs "helper executable" in /sbin?).
You're probably on to it... When you've got cifs in the kernel you should be able to increase verbosity by
echo 1 > /proc/fs/cifs/cifsFYI
... or even
echo 1 > /proc/fs/cifs/traceSMB
... But you knew this from the README;).
-- Glenn
ASKER
OK I can now browse with smbclient (yay!) but still get the same
mount: cannot mount block device //feltfps0005/gengrpshare0020/ read-only
error with mount -t cifs
thoughts on this?
ASKER
I don't have a helper executable
Bummer (at least a reaction, if not a true "thought":-).
Do you get this with any share? ... Probably, since I think this is a problem with mount rather than anything else... Perhaps failing to use the mount.cifs helper.
-- Glenn
ASKER
Kernel log output with verbose CIFS debugging
Mar 17 11:50:07 viper kernel: fs/cifs/cifsfs.c: Devname: //<server>/<share>/ flags: 1
Mar 17 11:50:07 viper kernel: fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 4 with uid: 0
Mar 17 11:50:07 viper kernel: fs/cifs/connect.c: Entering cifs_mount. Xid: 4 with: username=<user.name>,password=<password>,domain=<domain>,uid=0,gid=0
Mar 17 11:50:07 viper kernel: fs/cifs/connect.c: Domain name set
Mar 17 11:50:07 viper kernel: fs/cifs/connect.c: Username: <user.name>
Mar 17 11:50:07 viper kernel: fs/cifs/connect.c: UNC: \\<server>/<share>/
Mar 17 11:50:07 viper kernel: fs/cifs/connect.c: Socket created
Mar 17 11:50:07 viper kernel: fs/cifs/connect.c: Existing smb sess not found
Mar 17 11:50:07 viper kernel: fs/cifs/transport.c: For smb_command 114
Mar 17 11:50:07 viper kernel: fs/cifs/transport.c: Sending smb of length 47
Mar 17 11:50:07 viper kernel: fs/cifs/connect.c: Demultiplex PID: 579
Mar 17 11:50:07 viper kernel: fs/cifs/connect.c: Peek length rcvd: 36 with smb length: 97
Mar 17 11:50:07 viper kernel: fs/cifs/connect.c: Mid 0x9 matched - waking up
Mar 17 11:50:07 viper kernel: fs/cifs/asn1.c: cls = 1 con = 0 tag = 1
Mar 17 11:50:07 viper kernel: fs/cifs/connect.c: Security Mode: 0x1 Capabilities: 0x80e3fd Time Zone: 0
Mar 17 11:50:07 viper kernel: fs/cifs/connect.c: In sesssetup
Mar 17 11:50:07 viper kernel: fs/cifs/transport.c: For smb_command 115
Mar 17 11:50:07 viper kernel: fs/cifs/transport.c: Sending smb of length 228
Mar 17 11:50:08 viper kernel: fs/cifs/connect.c: Peek length rcvd: 36 with smb length: 39
Mar 17 11:50:08 viper kernel: fs/cifs/connect.c: Mid 0xa matched - waking up
Mar 17 11:50:08 viper kernel: Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
Mar 17 11:50:08 viper kernel: fs/cifs/netmisc.c: !!Mapping smb error code 5 to POSIX err -13 !!
Mar 17 11:50:08 viper kernel: CIFS VFS: Send error in SessSetup = -13
Mar 17 11:50:08 viper kernel: fs/cifs/connect.c: About to exit from demultiplex thread
mount: cannot mount block device //<server>/<share>/ read-only
viper:/var/log# Mar 17 11:50:09 viper kernel: fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 4) rc = -13
Mar 17 11:50:09 viper kernel: CIFS VFS: cifs_mount failed w/return code = -13
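Added example, not part of the original thread: a small filter that reduces a cifsFYI trace like the one above to the SMB step that failed and the status the server returned, so the generic "cannot mount block device" text from mount can be read against the real cause. The function names and the one-line meanings are assumptions made for illustration; the sample lines are copied from the trace in the post.

```bash
#!/bin/bash
# Added example (not from the thread): reduce a cifsFYI trace to the failing step.

# SMB1 command codes, as printed in decimal by "For smb_command N".
smb_command_name() {
    case "$1" in
        114) echo NEGOTIATE ;;             # 0x72
        115) echo SESSION_SETUP_ANDX ;;    # 0x73
        117) echo TREE_CONNECT_ANDX ;;     # 0x75
        *)   echo "COMMAND_$1" ;;
    esac
}

# What a failure at each step usually points to (illustrative wording).
stage_meaning() {
    case "$1" in
        NEGOTIATE)          echo "dialect-or-signing-negotiation" ;;
        SESSION_SETUP_ANDX) echo "server-rejected-the-logon" ;;
        TREE_CONNECT_ANDX)  echo "logged-on-but-share-access-refused" ;;
        *)                  echo "unknown" ;;
    esac
}

# Read a trace on stdin. For the first "Status code returned" line, report the
# last SMB command sent before it, the NT status, and the POSIX errno it was
# mapped to. Prints "stage=none" when the trace holds no status line.
cifs_trace_verdict() {
    local stage
    set -- $(awk '
        BEGIN { cmd = "unknown"; err = "unknown" }
        /For smb_command [0-9]+/ { cmd = $NF }
        /Status code returned 0x/ && status == "" {
            status = $NF; hex = $(NF - 1); stage = cmd
        }
        /to POSIX err/ && err == "unknown" {
            for (i = 1; i < NF; i++) if ($i == "err") err = $(i + 1)
        }
        END { if (status != "") print stage, status, hex, err }
    ')
    if [ "$#" -ne 4 ]; then echo "stage=none"; return 0; fi
    stage=$(smb_command_name "$1")
    echo "stage=$stage status=$2($3) errno=$4 meaning=$(stage_meaning "$stage")"
}

# Lines copied from the trace in the post above.
sample_trace() {
    cat <<'EOF'
Mar 17 11:50:07 viper kernel: fs/cifs/transport.c: For smb_command 114
Mar 17 11:50:07 viper kernel: fs/cifs/connect.c: Security Mode: 0x1 Capabilities: 0x80e3fd Time Zone: 0
Mar 17 11:50:07 viper kernel: fs/cifs/connect.c: In sesssetup
Mar 17 11:50:07 viper kernel: fs/cifs/transport.c: For smb_command 115
Mar 17 11:50:08 viper kernel: Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
Mar 17 11:50:08 viper kernel: fs/cifs/netmisc.c: !!Mapping smb error code 5 to POSIX err -13 !!
Mar 17 11:50:08 viper kernel: CIFS VFS: Send error in SessSetup = -13
EOF
}

sample_trace | cifs_trace_verdict
```

On a live system the same function can be fed from the kernel log, for example `dmesg | cifs_trace_verdict`, after enabling cifsFYI.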
(note the "colliding comment effect" here:-) You can either get it from the cifs page, or from the samba 3.0 sourcetree... Let's see if I can find a link ....
Here's a prebuilt one http://www.samba.org/samba/ftp/cifs-cvs/mount.cifs
and here's source http://cvs.samba.org/cgi-bin/cvsweb/samba/source/client/mount.cifs.c
and finally a manpage for mount.cifs (unformatted, need be placed in a man directory....:-) http://www.samba.org/samba/ftp/cifs-cvs/mount.cifs.8
-- Glenn
> Mar 17 11:50:08 viper kernel: Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
> Mar 17 11:50:08 viper kernel: fs/cifs/netmisc.c: !!Mapping smb error code 5 to POSIX err -13 !!
...
> mount: cannot mount block device //<server>/<share>/ read-only
How very disappointing!
On a slightly different tack, you say
> OK I can now browse with smbclient (yay!) but still get the same
... So what if you use smbclient in its "textmode ftp-looking" mode to actually access the share? Does that work too?
Would be a little fall in the right direction, since then you'd at least be able to up/download files....:-).
-- Glenn
ASKER
Alright, let's re-synchronise here:
I had already downloaded and installed the mount helper, but this makes no difference - I get the same output from the kernel log except now there is a "permission denied" error from mount.cifs. There is some sort of logon problem here - keep seeing that NT_STATUS_LOGON failure message as if it's a wrong username/password (which it clearly is not)
Yes, smbclient does work and I can use those "FTP-like" commands but it's a bit rubbish - I'll settle for it if there's no way to get this working but I can't believe that to be the case. If it works on RH8 with an old kernel and Samba, it's damn well gonna work on Debian with the latest version of the kernel, Samba and CIFS. RH8, by the way, does not appear to use CIFS at all, yet can still connect to this server!
.... Ok, this is new, and potentially important, information... At least as far as I remember this thread (yeah, I'm lazy... didn't take the time to read through it again:-). Might be wrong though.
We made a great leap in versions here (from "mummified" to "bleeding edge":-) and probably jumped past the version RH8 uses (which BTW uses smbfs in the kernel).
This also tells us that we strictly speaking shouldn't need CIFS kernel support. Hohum, and now... with the smbclient working, if you use smbmount (which is what the mount.smbfs mount helper should do... on some distros it's even just a link to smbmount) or
mount -t smbfs -o username="user.name",password="password",workgroup="DOMAIN",uid=user,gid=group,rw //server/share /mnt
it comes back with pretty much the same error? (Sorry for the repetitions Erik... Things seem to have changed a lot, so we need cover some "old ground" again)
While you try this, I might have some moments to look through the thread again.
-- Glenn
ASKER
Thanks Glenn - you're right - my mount.smbfs is a symlink to smbmount. I'm pretty sure smbclient wouldn't work here without CIFS in the kernel - this was the situation before and the main reason for me to upgrade.
And yes, pretty much I still get the original error if I try to use mount -t smbfs or smbmount
cli_negprot: SMB signing is mandatory and we have disabled it.
1095: protocol negotiation failed
SMB connection failed
My smb.conf file did get overwritten when i upgraded today but I added:
client signing = yes
client use spnego = yes
as you suggested some time ago.
I have also just now posted a question to the samba and cifs mailing lists with a link to this thread so hopefully those guys can give some helpful input.
Ok... Just one more "stupid thing"... The user.name isn't locked out or somesuch? Perhaps due to the ... test activity...:-)? The same user that works with smbclient?
Over to CIFS... You could try forcing PacketSigning (by setting it to 2)
echo 2 > /proc/fs/cifs/PacketSigningEnabled
and/or setting spnego with
echo 1 > /proc/fs/cifs/ExtendedSecurity
or even
echo 1 > /proc/fs/cifs/NTLMV2Enabled
cifs vfs really doesn't read the smb.conf for these things.
-- Glenn
ASKER
Account is not locked, and unfortunately none of those options worked :(
Then I'm out of ideas... Sorry.
-- Glenn
Note: You should install Active Directory on the server, run Windows Update to load the latest updates from Microsoft, and then reboot the server before disabling SMB signing as described below.
Preferred method to disable SMB signing
Microsoft has a help topic that describes how to disable SMB signing on domain controllers so that clients (such as PCs or RocketVault™) that do not have this capability can connect to the server. You can view this Microsoft help topic by starting Help and Support on the server console and searching for "smb signing". An excerpt from the Microsoft help topic is shown below:
1. Open Active Directory Users and Computers.
2. In the console tree, right-click Domain Controllers, click Properties, and then click the Group Policy tab.
3. Click Default Domain Controllers Policy, and then click Edit.
4. Under Security Options, right-click Microsoft network server: Digitally sign communications (always), click Properties, and then click Disabled.
Alternative method to disable SMB signing
If you do not want to use the preferred method described above, you can edit the Windows registry directly, as described below:
1. Start Registry Editor (Regedt32.exe).
2. Locate and select the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service\lanmanserver\parameters
3. Double-click the RequireSecuritySignature value, type 0 in the Value data box, and then click OK.
4. Double-click the EnableSecuritySignature value, type 0 in the Value data box, and then click OK.
5. Quit Registry Editor.
6. Reboot the server for the Registry changes to take effect.
Note: You can edit the registry by using Registry Editor (Regedit.exe or Regedt32.exe). If you use Registry Editor incorrectly, you can cause serious problems that may require you to reinstall your operating system. Microsoft does not guarantee that problems that you cause by using Registry Editor incorrectly can be resolved. Use Registry Editor at your own risk. Before you modify the registry, make sure to back up the registry, and make sure that you understand how to restore the registry if a problem occurs. For additional information about backing up and restoring the registry, click the following article number to view the article in the Microsoft Knowledge Base: 322756 HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Windows Server 2003.
If it works for you, please let me know and I have a question that you can help me answer too
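Added example (not part of any post in this thread): the "SMB signing is mandatory and we have disabled it" error and the two registry values above are two views of the same SMB1 negotiation bits. The sketch below decodes SecurityMode from a constructed Negotiate response and applies a simplified client decision; the function names and the three-state policy model are assumptions for illustration, not Samba's code.

```python
import struct

# SecurityMode bits of the SMB1 Negotiate Protocol response (NT LM 0.12).
SIGNING_ENABLED = 0x04   # server side: EnableSecuritySignature = 1
SIGNING_REQUIRED = 0x08  # server side: RequireSecuritySignature = 1

def build_negotiate_response(security_mode):
    """Constructed sample packet: 32-byte SMB1 header plus 17 parameter words."""
    header = b"\xffSMB" + bytes([0x72]) + struct.pack("<IBH", 0, 0x88, 0xC001)
    header += bytes(12) + struct.pack("<HHHH", 0, 0, 0, 0)  # PIDHigh .. MID
    params = struct.pack("<HB", 0, security_mode) + bytes(31)  # DialectIndex, SecurityMode
    return header + bytes([17]) + params + struct.pack("<H", 0)  # WordCount, ByteCount

def server_signing(packet):
    """Return 'required', 'enabled' or 'disabled' as advertised by the server."""
    if len(packet) < 36 or packet[:4] != b"\xffSMB" or packet[4] != 0x72:
        raise ValueError("not an SMB1 Negotiate Protocol response")
    if packet[32] != 17:
        raise ValueError("unexpected WordCount; not the NT LM 0.12 response")
    mode = packet[35]  # header (32) + WordCount (1) + DialectIndex (2)
    if mode & SIGNING_REQUIRED:
        return "required"
    return "enabled" if mode & SIGNING_ENABLED else "disabled"

def negotiate(client, server):
    """Simplified model (assumption): each side is 'disabled', 'enabled' or 'required'."""
    if "required" in (client, server):
        if "disabled" in (client, server):
            return "fail"      # one side insists on signing, the other cannot sign
        return "signed"
    if client == "enabled" and server == "enabled":
        return "signed"
    return "unsigned"          # nobody insists and at least one side has it off

def outcome(packet, client):
    """Combine the server's advertised mode with the client's configured policy."""
    return negotiate(client, server_signing(packet))

if __name__ == "__main__":
    for mode in (0x03, 0x07, 0x0F):  # constructed SecurityMode values
        pkt = build_negotiate_response(mode)
        for client in ("disabled", "enabled", "required"):
            print(f"server={server_signing(pkt):8} client={client:8} -> {outcome(pkt, client)}")
```

Setting both registry values to 0 moves the server to the "disabled" row, where every client that does not insist on signing gets an unsigned session; a signing-capable client (the cifs mount suggested later in the thread) reaches "signed" without any server change.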
ASKER
adnano,
I'm sorry this is a really long thread and you may not have seen it near the top, but administrative access to this machine (well, all machines on this domain) is impossible. Thanks for your input though.
If you raise your issue in a new thread and post the link here I'll have a look and see if what I've learned from this can help you.
Oh...I have posted my question under LinuxNet as it was relating to mounting Windows 2003 or XP server using CIFS....
but here is the link.................
https://www.experts-exchange.com/questions/20925060/mounting-Windows-all-version-using-CIFS-on-kernel-2-4.html
I really need to get this working....................:=)
ASKER
Thanks Glenn for all your time and help
I can cope with smbclient, it suits my needs for now. Mounting the share was more of a "nice to have".
I'll keep tweaking config files until it works - I think the only way forward here is "trial & error" fixing.
One more note about samba and digital signing. Once you change the security options per adnano's post, you do not have to reboot. Domain controller policies refresh automatically every 5 minutes by default. Or you can use the DOS command line and type in "gpupdate" and the policy change will refresh immediately.
I know this is "closed", but the answer is to use cifs as the mount type instead of smbfs. Example: mount -t cifs -o username=<username>,password=<skeeter> //server/directory /mnt/mountpoint/
Sorry, one more thing I forgot to add to my comment above: this is in the case one is trying to access a Windows 2003 Server directory. SMB signing is turned on by "default" in Win 2003 server when a share is created, so making the above change to your mount will enable samba to talk to the Win 2003 share.
Hm, guys (or gals, what do I know:) .... You're commenting on an issue approximately one and a half year old.
What was the true state of things back then and what is now just don't match. Nice "addendum info" though, so thanks for that.
-- Glenn
Glenn,
It's an issue we are just running into. Do you have any new info you would like to share? We would love to hear it.
Are you saying you have no admin rights (on the DCs) and run into the problems described above? With cifs too? I'd have thought they'd solved that by now... Or perhaps that is exactly what you are saying(?).
-- Glenn
Hi Glenn,
We have admin rights to both machines. I think I should put this in a new thread, but cifs seems to be unreliable (weird synching problems with the Win2003 Server). We can "mount" if you will, but sometimes the refresh time on the directory list is very slow (ls -l can take up to 12 minutes), and it appears we can have only one cifs-type mount at a time. Also, we don't want to mess with putting AD on the 2003 box because it's overkill for what we need it for. We've discussed running a cron-job that touches all the files in the share so that cifs (or Samba, I'm not sure which would be in charge of this portion) wakes up and says "oh yeah, I've got new files, I have changed files, or I have less files", as you will. I've seen a thread on this in the aims group lists http://marc.theaimsgroup.com/?l=samba-technical&m=112471315417425&w=2 which describes similar anomalies we are seeing. I think I will start a new thread/question on this. If you could give any new help/insight, I'll definitely give you the points. Also, any new news about whether or not smbfs will work with smb signing yet, or will it never work with smb signing?
Thanks Glenn!
Tami (girl)
Are you trying to do something similar to what Saman Benham is? If so, you'd probably have the same oplocking woes:-(... Unless it's been fixed in a recent cifs version...
https://bugzilla.samba.org/buglist.cgi?query_format=specific&order=relevance+desc&bug_status=__open__&product=CifsVFS&content= does give any immediate hint that it *isn't* fixed though:).
I wouldn't hold my breath regarding smbfs and "new features"... CIFS is more or less here to replace it.
-- Glenn (man)
ASKER
This is an ancient question and should have been deleted a long time ago.
Please do not post further comments here. I will move to close it down.