Re: [Samba] mount.cifs with "sec=ntlmv2" fails ("mount error(22): Invalid argument")



Hello,

On 22.08.2011 18:28, Shirish Pargaonkar wrote:
> On Mon, Aug 22, 2011 at 11:10 AM, Till Dörges <doerges@xxxxxxxxxxxx> wrote:
>
>> Hello, everyone,
>>
>> I'm trying to mount a CIFS share served by Samba using mount.cifs with NTLMv2
>> authentication.
>>
>>
>> According to 'man mount.cifs' the option "sec=ntlmv2" should be supported, but it
>> keeps giving me "mount error(22): Invalid argument".
>>
>> The Samba server enforces the use of NTLMv2. When allowing for NTLMv1 on both sides
>> everything works just fine.
>>
>>
>> The client runs kernel 2.6.37.6-0.7-desktop (fully patched openSUSE-11.4) with the
>> CIFS kernel module version 1.68. mount.cifs identifies as "version: 4.6".
>>
>>
>> Mounting on the client side it looks like this:
>>
>> --- snip ---
>> #  mount.cifs //abctest.box/abclaufwerk /mnt/mnt/ --verbose -o
>> domain=ABCTEST,user=abc,pass=secrect,sec=ntlmv2
>>
>> mount.cifs kernel mount options:
>> ip=10.9.0.103,unc=\\abctest.box\abclaufwerk,sec=ntlmv2,ver=1,user=abc,domain=ABCTEST,pass=********
>> mount error(22): Invalid argument
>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>> --- snap ---
>>
>> CIFS debugging on the client is enabled:
>>
>> --- snip ---
>> #  cat /proc/fs/cifs/cifsFYI
>> 1
>> --- snap ---
>>
>> Which yields the following lines in syslog (for the full log see attachment)
>>
>> --- snip ---
>> Aug 22 17:47:34 client kernel: [28966.056081]
>> /usr/src/packages/BUILD/kernel-desktop-2.6.37.6/linux-2.6.37/fs/cifs/connect.c:
>> Security Mode: 0x3 Capabilities: 0x80f3fd TimeAdjust: -7200
>> Aug 22 17:47:34 client kernel: [28966.056088]
>> /usr/src/packages/BUILD/kernel-desktop-2.6.37.6/linux-2.6.37/fs/cifs/sess.c: sess
>> setup type 2
>> --- snap ---
>>
>> "sess setup type 2" seems to indicate that NTLMv2 is used.
>>
>>
>> The server is running a fully patched openSUSE 11.3 with kernel 2.6.34.8-0.2-default
>> and Samba 3.5.4. Both "lanman auth" and "ntlm auth" are disabled, which should force
>> the use of NTLMv2 according to 'man smb.conf':
>>
>> --- snip ---
>> server # testparm 2> /dev/null | egrep 'ntlm|lan'
>>        ntlm auth = No
>> server #
>> --- snap ---
>>
>> The server's corresponding log entries are also attached.
>>
>>
>> As said above, when I allow for the use of NTLMv1 on both sides (ntlm auth = Yes on
>> the server and no sec=ntlmv2 on the client) everything works just fine.
>>
>> When I enforce NTLMv2 on the server and don't specify "sec=ntlmv2" with mount.cifs I
>> get "mount error(13): Permission denied" and syslog on the client shows that NTLMv1
>> is tried ("sess setup type 1").
>>
>>
>> So is there anything wrong with my setup? Should NTLMv2 be working between Samba and
>> mount.cifs? If it should, why isn't it in this particular setup?
>>
>>
>> Any hints will be greatly appreciated.
>>
>>
>> TIA -- Till

[...]

> sec=ntlmv2 auth type should work between cifs vfs client and Samba server.

Ack.

> Can you try sec=ntlmssp and see if it works?

Yes, that works.
I see "sess setup type 3" in my syslog on the client, and "ntlm_password_check:
Checking NTLMv2 password with domain [***]" on the server. I can successfully create
and remove files on the server from the client.

> Can you list the smb.conf file here?

See attachment.

> And a wireshark trace when sec=ntlmv2 fails would be really helpful.

See attachment.

HTH -- Till
-- 
Dipl.-Inform. Till Dörges                  doerges@xxxxxxxxxxxx
                                  Tel. +49 - 40 - 244 2407 - 14
                                  Fax  +49 - 40 - 244 2407 - 24
PRESENSE Technologies GmbH            Sachsenstr. 5, D-20097 HH
                                         USt-IdNr.: DE263765024
Geschäftsführer/Managing Directors       AG Hamburg, HRB 107844
Till Dörges           Jürgen Sander              Axel Theilmann
# server # egrep -v ^# /etc/samba/smb.conf
[global]
        workgroup = WDSTEST
        passdb backend = tdbsam
        map to guest = Bad User
        guest account = wdsguest
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = Yes
        add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
        domain logons = Yes
        domain master = Yes
        local master = Yes
        netbios name = WDSSAMBA
        os level = 65
        preferred master = Yes

        security = user
        lanman auth = no
        ntlm auth = no

        wins support = Yes
        log level = 10

[gastlaufwerk]
        comment = Zugriff fuer Gaeste
        inherit acls = Yes
        path = /srv/samba/guestshare
        read only = No
        guest ok = yes
        guest only = yes

[wdslaufwerk]
        comment = Share fuer Nutzer 'wds'
        inherit acls = Yes
        path = /srv/samba/wdsshare
        read only = No
        guest ok = no
        valid users = wds

Attachment: ntlmv2-mount-failure.pcap
Description: Binary data
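
The server-side precondition discussed in this thread (both "lanman auth" and "ntlm auth" disabled in [global]) can be checked mechanically. The script below is an added example, not part of the original message or of Samba. It assumes the Samba 3.5 defaults (lanman auth = no, ntlm auth = yes); the function names and sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads an smb.conf on stdin and reports whether the [global]
# section still accepts LANMAN or NTLMv1 logons.
# Assumption: Samba 3.5 defaults (lanman auth = no, ntlm auth = yes).

audit_smb_auth() {
    awk '
    BEGIN { lanman = "no"; ntlm = "yes"; sect = "" }  # assumed defaults
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }              # comments, blank lines
    /^[ \t]*\[/ {                                     # section header
        sect = tolower($0)
        sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
        gsub(/[ \t]/, "", sect)
        next
    }
    sect == "global" {
        eq = index($0, "=")
        if (eq == 0) next
        # Parameter names ignore case and embedded whitespace.
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = tolower(substr($0, eq + 1))
        gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        if (val ~ /^(yes|true|on|1)$/)       b = "yes"
        else if (val ~ /^(no|false|off|0)$/) b = "no"
        else                                 b = "unknown"
        if (key == "lanmanauth") lanman = b           # last setting wins
        if (key == "ntlmauth")   ntlm = b
    }
    END {
        v = (lanman == "no" && ntlm == "no") ? "ntlmv2-only" : "legacy-allowed"
        printf "lanman=%s ntlm=%s verdict=%s\n", lanman, ntlm, v
    }'
}

# Constructed sample configurations (not the thread's attachment).
sample_strict() {
    printf '%s\n' '[global]' '    security = user' \
        '    lanman auth = no' '    ntlm auth = No'
}
sample_default_trap() {   # ntlm auth only set in a share: ignored, default applies
    printf '%s\n' '[Global]' '    LanMan Auth = no' \
        '[share]' '    ntlm auth = no'
}

sample_strict | audit_smb_auth        # lanman=no ntlm=no verdict=ntlmv2-only
sample_default_trap | audit_smb_auth  # lanman=no ntlm=yes verdict=legacy-allowed
```

On a live server, `testparm -sv 2>/dev/null | audit_smb_auth` feeds it the effective settings with include files resolved.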

