[arch-general] clients can no longer mount.cifs the '/' samba share from current Arch server (long)
Guys,

Something in current Archlinux prevents clients mounting a root samba share '/' via mount.cifs. Since building a new Arch server a month or so ago, I have been chasing an issue with mount.cifs that prevents the '/' share from being mounted as it always has. This has worked (and continues to work) on all Arch boxes up until this latest box.

I have addressed this to the samba list (see thread: [Samba] What in samba 4.1 prevents a '/' share?) After a month of troubleshooting with the samba devs, it seems that the issue may have to do with the way /proc/fs/cifs/SecurityFlags, or some other default is now set in Arch. Others have confirmed the ability to mount '/' shares from servers running samba 4.1.3, with the exact smb.conf settings, so it appears this is Arch specific. I'm not 100% sure if this is samba related or whether it is cifs related, so I am asking here so I can get the bug report right -- if needed.

Several bug reports deal with the drop of ntlm security for the kernel as of kernel 3.8 and with differing /proc/fs/cifs/SecurityFlags values --

    https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/1113395

(see specifically No. #12 & #15 citing: https://bbs.archlinux.org/viewtopic.php?id=159915)

Historically the value of /proc/fs/cifs/SecurityFlags has been set at 0x7 (or not set at all on Arch), but now Arch sets the value to 0x85. Examples:

(older Arch box smbd Version 3.6.6)

    [19:32 nirvana:/etc] # cat /proc/fs/cifs/SecurityFlags
    cat: /proc/fs/cifs/SecurityFlags: No such file or directory

(new Arch box smbd Version 4.1.3)

    [19:30 phoinix:/home/david/cnf/phoinix/etc] # cat /proc/fs/cifs/SecurityFlags
    0x85

I have set /proc/fs/cifs/SecurityFlags to the traditional value of 0x7, but there is still something that prevents the mount from working. I will detail below the config and attempts made to resolve the issue.

The bottom line is that all older Arch servers (and openSuSE boxes) I have can successfully share/mount a '/' root samba share, but there is now something in current Arch that prevents this from working. The folks at the samba list are stumped because there is nothing in samba or cifs that has changed that would prevent this from working. The bug reports I've read suggest the cifs/SecurityFlags setting may be involved, but from the testing I've done, I don't know if that makes any difference. Now I need help from you smarter Archers to help figure out what changed that prevents this from working and how to fix it.

The current Arch box (hostname phoinix) is a fully updated box (as of 1/6/14) with:

    # smbd --version
    Version 3.6.7

    # mount.cifs -V
    mount.cifs version: 5.6

The samba config:

The server functions as a standalone server (no PDC, etc..). The smb.conf and share definitions are:

    Server role: ROLE_STANDALONE
    Press enter to see a dump of your service definitions

    [global]
        workgroup = RLFPLLC
        server string = Phoinix Samba %v
        map to guest = Bad User
        smb passwd file = /etc/samba/smbpasswd
        log file = /var/log/samba/%m.log
        max log size = 50
        time server = Yes
        printcap name = /etc/printcap
        show add printer wizard = No
        os level = 66
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        idmap config * : backend = tdb
        admin users = david
        hosts allow = 192.168.6., 192.168.7., 127.
        use sendfile = Yes

    [homes]
        comment = Home Directories
        read only = No
        browseable = No

    [config]
        comment = Phoinix Config (Archlinux)
        path = /
        valid users = david
        force user = root
        force group = root
        read only = No
        browseable = No

    [samba]
        comment = Phoinix - Law
        path = /home/samba
        valid users = @rankin, #, anna
        force group = rankin
        read only = No
        inherit permissions = Yes

    <snip>

Mounting the homes and samba shares work fine and printing via cups works fine. The only issue is mounting the [config] share.

The shares are mounted making use of a credentials file with:

    mount.cifs //phoinix/config /mnt/phx-cfg -v -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm

The results of mount showing successful mount of the [homes] and [samba] shares:

    //phoinix/samba on /mnt/phx type cifs (rw,relatime,vers=1.0,sec=ntlm,cache=loose,unc=\\phoinix\samba,username=david,uid=1000,forceuid,gid=0,noforcegid,addr=192.168.7.16,unix,posixpaths,serverino,acl,noperm,rsize=1048576,wsize=65536,actimeo=1)
    //phoinix/david on /mnt/phx-david type cifs (rw,relatime,vers=1.0,sec=ntlm,cache=loose,unc=\\phoinix\david,username=david,uid=1000,forceuid,gid=0,noforcegid,addr=192.168.7.16,unix,posixpaths,serverino,acl,noperm,rsize=1048576,wsize=65536,actimeo=1)

However, attempting to mount the [config] share results in the error:

    [18:33 providence:~/tmp/cifs] # mount.cifs //phoinix/config /mnt/phx-cfg -v -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
    mount.cifs kernel mount options: ip=192.168.7.16,unc=\\phoinix\config,noperm,uid=1000,user=david,pass=********

    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

I have tried with 'sec=ntlmv2' and 'sec=ntlmssp' which makes no difference. I have tried with/without 'domain=rlfpllc' again no difference.

What I need to determine is whether this is a bug or whether this is a configuration issue, and if so, in what? I have captured tcpdump traffic during the mount attempts and they point to smb issuing the error, but I'm not that great at reading packet contents, so I'm not entirely sure.
But basically, after successful AndX session setup (Tree Connect AndX Request, Path: \\phoinix\config), the request for \\phoinix\config is made and it is found successfully by the server, but then the server responds with (Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED)

The full ASCII dump of the packet along with additional testing showing it works on all older servers is included below. If you have ideas or would like me to post additional information, just let me know. I have worked to collect the relevant information from the samba thread, but let me know if you need anything else Arch related from the box. Thanks in advance for any help you can provide.

====== Additional Testing and ASCII dump of STATUS_ACCESS_DENIED packet ======

Testing with other servers I can easily mount the '/' share from any other computer. Here is my 3-computer test setup:

On my client (hostname providence) I have:

    18:01 providence:~> smbd -V
    Version 3.6.7

    linux 3.5.3-1
    cifs-utils 5.6-2

On the server (hostname phoinix) I have:

    18:15 phoinix:~> smbd -V
    Version 4.1.3

    linux 3.12.6-1
    cifs-utils 6.2-1

On a second older server (hostname nemesis) I have:

    18:30 nemesis:~/scr/mnt> smbd -V
    Version 3.4.5-5.1-2300-SUSE-SL11.0

    kernel-pae-2.6.25.20-0.7
    cifs-mount-3.4.5-5.1

Mounting the '/' config share from host *providence on nemesis* works fine:

    18:31 nemesis:~/scr/mnt> sudo mount.cifs //providence/config /mnt/pv-cfg -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm

    18:31 nemesis:~/scr/mnt> l /mnt/pv-cfg
    total 4
    drwxr-xr-x 21 david root 0 2012-09-04 14:41 ./
    drwxr-xr-x 14 root root 4096 2013-12-28 18:29 ../
    drwxr-xr-x 2 david root 0 2012-09-04 14:50 bin/
    drwxr-xr-x 3 david root 0 2012-09-04 14:48 boot/
    <snip>

Mounting the '/' share from host *nemesis on providence* works fine:

    18:37 providence:~/scr/mnt> sudo mount.cifs //nemesis/config /mnt/nm-cfg -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm

    18:37 providence:~/scr/mnt> l /mnt/nm-cfg
    total 4
    drwxr-xr-x 21 david root 0 Dec 9 11:24 .
    drwxr-xr-x 11 root root 4096 Mar 3 2011 ..
    drwxr-xr-x 2 david root 0 Dec 5 2010 bin
    drwxr-xr-x 4 david root 0 Mar 8 2010 boot
    <snip>

Mounting the '/' share from host *providence on phoinix* works fine:

    18:54 phoinix:~/scr/mnt> sudo mount.cifs //providence/config /mnt/pv-cfg -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm

    18:55 phoinix:~/scr/mnt> l /mnt/pv-cfg/
    total 4
    drwxr-xr-x 21 david root 0 Sep 4 2012 .
    drwxr-xr-x 9 root root 4096 Dec 28 18:42 ..
    drwxr-xr-x 2 david root 0 May 13 2011 .config
    drwxr-xr-x 2 david root 0 Sep 4 2012 bin
    drwxr-xr-x 3 david root 0 Sep 4 2012 boot
    <snip>

Mounting the '/' share from host *nemesis on phoinix* works fine:

    18:55 phoinix:~/scr/mnt> sudo mount.cifs //nemesis/config /mnt/nm-cfg -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm

    18:57 phoinix:~/scr/mnt> l /mnt/nm-cfg
    total 4
    drwxr-xr-x 21 david root 0 Dec 9 11:24 .
    drwxr-xr-x 9 root root 4096 Dec 28 18:42 ..
    drwxr-xr-x 2 david root 0 Dec 5 2010 bin
    drwxr-xr-x 4 david root 0 Mar 8 2010 boot
    <snip>

However, attempting the mount of the '/' share from host *phoinix on anything* else fails. The only difference I can see is this is when I'm attempting to mount the share from 4.1.X on anything else:

    18:59 nemesis:~/scr/mnt> sudo mount.cifs //phoinix/config /mnt/phx-cfg -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

    18:40 providence:~/scr/mnt> sudo mount.cifs //phoinix/config /mnt/phx-cfg -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

The ASCII packet dissection for the STATUS_ACCESS_DENIED packet is:
--
David C. Rankin, J.D.,P.E.
On 01/06/2014 07:21 PM, David C. Rankin wrote:
> The current Arch box (hostname phoinix) is a fully updated box (as of 1/6/14) with:
>
> # smbd --version
> Version 3.6.7

Sorry, grabbed the wrong xterm. The current is:

    [18:25 phoinix:/etc/samba] # smbd -V
    Version 4.1.3

--
David C. Rankin, J.D.,P.E.
On 01/06/2014 07:21 PM, David C. Rankin wrote:
> The bug reports I've read suggest the cifs/SecurityFlags setting may be involved, but from the testing I've done, I don't know if that makes any difference. Now I need help from you smarter Archers to help figure out what changed that prevents this from working and how to fix it.

I have all but eliminated the cifs/SecurityFlags setting as being related to the cause of not being able to mount the share. From linux-3.12.6/fs/cifs/cifsglob.h you have:

    CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP)

checking:

    CIFSSEC_MAY_SIGN      0x00001
    CIFSSEC_MAY_NTLMV2    0x00004
    CIFSSEC_MAY_NTLMSSP   0x00080 /* raw ntlmssp with ntlmv2 */
                          -------
                          0x00085

explains why /proc/fs/cifs/SecurityFlags is 0x85. Testing whether adding ntlm in as a security feature helps:

    CIFSSEC_MAY_SIGN      0x00001
    CIFSSEC_MAY_NTLM      0x00002
    CIFSSEC_MAY_NTLMV2    0x00004
    CIFSSEC_MAY_NTLMSSP   0x00080 /* raw ntlmssp with ntlmv2 */
                          -------
                          0x00087

    [03:30 phoinix:/home/david/pkg/src/linux] # echo 0x87 >/proc/fs/cifs/SecurityFlags

Then attempting to mount the share from my Arch client (hostname providence) fails again:

    [03:30 providence:/usr/src/linux-3.5.3-1-ARCH] # mount.cifs //phoinix/config /mnt/phx-cfg -v -o username=david,domain=RLFPLLC,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
    mount.cifs kernel mount options: ip=192.168.7.16,unc=\\phoinix\config,noperm,uid=1000,user=david,,domain=RLFPLLC,pass=********

    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

So we are back to step 1. Any ideas welcomed here.

--
David C. Rankin, J.D.,P.E.
On Tue, Jan 7, 2014 at 2:21 AM, David C. Rankin <drankinatty@suddenlinkmail.com> wrote:
> Guys,

[...]

> The results of mount showing successful mount of the [homes] and [samba] shares:
>
> //phoinix/samba on /mnt/phx type cifs (rw,relatime,vers=1.0,sec=ntlm,cache=loose,unc=\\phoinix\samba,username=david,uid=1000,forceuid,gid=0,noforcegid,addr=192.168.7.16,unix,posixpaths,serverino,acl,noperm,rsize=1048576,wsize=65536,actimeo=1)
> //phoinix/david on /mnt/phx-david type cifs (rw,relatime,vers=1.0,sec=ntlm,cache=loose,unc=\\phoinix\david,username=david,uid=1000,forceuid,gid=0,noforcegid,addr=192.168.7.16,unix,posixpaths,serverino,acl,noperm,rsize=1048576,wsize=65536,actimeo=1)
>
> However, attempting to mount the [config] share results in the error:
>
> [18:33 providence:~/tmp/cifs] # mount.cifs //phoinix/config /mnt/phx-cfg -v -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
> mount.cifs kernel mount options: ip=192.168.7.16,unc=\\phoinix\config,noperm,uid=1000,user=david,pass=********
>
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

This vs. [0] vs.

> [03:30 providence:/usr/src/linux-3.5.3-1-ARCH] # mount.cifs //phoinix/config /mnt/phx-cfg -v -o username=david,domain=RLFPLLC,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
> mount.cifs kernel mount options: ip=192.168.7.16,unc=\\phoinix\config,noperm,uid=1000,user=david,,domain=RLFPLLC,pass=********
>
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

I fail to see sec=ntlm in both your failing commands. Is that intentional or uncautious paste?

cheers!
mar77i

[0] https://bbs.archlinux.org/viewtopic.php?id=160047
On 01/07/2014 03:51 AM, Martti Kühne wrote:
> I fail to see sec=ntlm in both your failing commands. Is that intentional or uncautious paste?
>
> cheers!
> mar77i

Martti,

ntlm was apparently dropped for kernels >= 3.8, but I've tried that as well:

    [14:09 providence:/home/david] # mount.cifs //phoinix/config /mnt/phx-cfg -v -o username=david,domain=RLFPLLC,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm,sec=ntlm
    mount.cifs kernel mount options: ip=192.168.7.16,unc=\\phoinix\config,noperm,sec=ntlm,uid=1000,user=david,,domain=RLFPLLC,pass=********

    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Something else is at play here that is specific to allowing the '/' share from (hostname phoinix) to be mounted. All other shares ([homes] [samba]) mount just fine:

    [14:09 providence:/home/david] # mount
    <snip>
    //phoinix/samba on /mnt/phx type cifs (rw,relatime,vers=1.0,sec=ntlm,cache=loose,unc=\\phoinix\samba,username=david,uid=1000,forceuid,gid=0,noforcegid,addr=192.168.7.16,unix,posixpaths,serverino,acl,noperm,rsize=1048576,wsize=65536,actimeo=1)
    //phoinix/david on /mnt/phx-david type cifs (rw,relatime,vers=1.0,sec=ntlm,cache=loose,unc=\\phoinix\david,username=david,uid=1000,forceuid,gid=0,noforcegid,addr=192.168.7.16,unix,posixpaths,serverino,acl,noperm,rsize=1048576,wsize=65536,actimeo=1)

smbclient reports all public shares as well:

    [14:10 providence:/home/david] # smbclient -L phoinix -U%
    Domain=[RLFPLLC] OS=[Unix] Server=[Samba 4.1.3]

        Sharename       Type      Comment
        ---------       ----      -------
        samba           Disk      Phoinix - Law
        print$          Disk
        pdf-gen         Printer   PDF Generator print-pdf
        IPC$            IPC       IPC Service (Phoinix Samba 4.1.3)
        dcr4100n        Printer   HP Laserjet 4100n
        SharpM355N      Printer   Sharp AR-M355N
        Sharp_AR-505    Printer   Sharp AR-505
        HPLJ4200        Printer   HP Laserjet 4200
    Domain=[RLFPLLC] OS=[Unix] Server=[Samba 4.1.3]

        Server               Comment
        ---------            -------
        NEMESIS              Samba 3.4.5-5.1-2300-SUSE-SL11.0
        PHOINIX              Phoinix Samba 4.1.3
        PROVIDENCE           Samba 3.6.7
        RECEPTION            Reception

        Workgroup            Master
        ---------            -------
        RLFPLLC              PHOINIX

It is a bizarre issue. You can set up a test share easily with the config I posted. I have successfully used this config for the past decade at least and I've never had an issue with the mount until this box. For example, on an Arch server not yet updated to systemd (hostname nirvana (separate subnet)), the mount of the config share works fine:

    18:33 nirvana:/home/samba/law/rankin/clients> smbclient -U% -Llocalhost
    Domain=[RLFPLLC] OS=[Unix] Server=[Samba 3.6.6]

        Sharename       Type      Comment
        ---------       ----      -------
        samba           Disk      Nirvana - Skyline, Pictures, Law
        print$          Disk
        pdf-gen         Printer   PDF Generator print-pdf
        IPC$            IPC       IPC Service (Samba 3.6.6)
        LaserJet        Printer   Home Office Laserjet 4
    Domain=[RLFPLLC] OS=[Unix] Server=[Samba 3.6.6]

        Server               Comment
        ---------            -------
        DCRGX                dcrgx
        KILLERZ
        LAKEHOUSE            Samba 3.3.4-0.1.146-2113-SUSE-SL10.3
        NIRVANA              Samba 3.6.6
        RIPPER               XP2800
        SUPERSFF             Samba 3.6.12

        Workgroup            Master
        ---------            -------
        RLFPLLC              NIRVANA

    [14:18 nirvana:/home/david/tmp] # smbd -V
    Version 3.6.6

    mount.cifs version: 5.5

    [17:48 alchemy:/etc] # mount
    <snip>
    //nirvana/config/ on /mnt/nv type cifs (rw,relatime,unc=\\nirvana\config,username=david,uid=1000,forceuid,gid=0,noforcegid,addr=192.168.6.17,posixpaths,serverino,acl,rsize=16384,wsize=57344,actimeo=1)
    //lakehouse/config/ on /mnt/lake type cifs (rw,relatime,unc=\\lakehouse\config,username=david,domain=rlfpllc,uid=1000,forceuid,gid=0,noforcegid,addr=192.168.6.105,posixpaths,acl,rsize=16384,wsize=57344,actimeo=1)

Another older Arch box (hostname supersff)

    [19:53 supersff:/var/log/samba] # smbd -V
    Version 3.6.12

    mount.cifs version: 5.9

    [19:46 alchemy:/mnt] # mount.cifs //supersff/config /mnt/sff -v -o username=david,uid=1000,domain=rlfpllc,credentials=/home/david/.dcr/mountcfile,noperm
    mount.cifs kernel mount options: ip=192.168.6.109,unc=\\supersff\config,credentials=/home/david/.dcr/mountcfile,noperm,uid=1000,ver=1,user=david,domain=rlfpllc,pass=********

    [19:47 alchemy:/mnt] # mount
    <snip>
    //supersff/config/ on /mnt/sff type cifs (rw,relatime,unc=\\supersff\config,username=david,domain=rlfpllc,uid=1000,forceuid,gid=0,noforcegid,addr=192.168.6.109,posixpaths,serverino,acl,rsize=16384,wsize=57344,actimeo=1)

On all other boxes, the mount command (regardless of various options) just works in the form:

    mount.cifs //server/share /mnt/mpoint

If I'm reading the level 10 correctly, when the connection occurs, the server finds user david and determines that david is OK for share //phoinix/config:

    [2014/01/07 20:32:58.157111, 5, pid=5405, effective(0, 0), real(0, 0)] ../source3/lib/username.c:181(Get_Pwnam_alloc)
      Finding user david
    <snip>
    [2014/01/07 20:32:58.158932, 10, pid=5405, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:237(user_ok_token)
      user_ok_token: share config is ok for unix user david

But the problem comes in when it does its magical (switch to user root). Then we get:

    [2014/01/07 20:32:58.159036, 5, pid=5405, effective(0, 0), real(0, 0)] ../source3/lib/username.c:181(Get_Pwnam_alloc)
      Finding user root
    <snip a whole bunch of stuff>
    [2014/01/07 20:32:58.176304, 10, pid=5405, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:215(user_ok_token)
      User root not in 'valid users'
    <snip>
    [2014/01/07 20:32:58.176620, 3, pid=5405, effective(0, 0), real(0, 0)] ../source3/smbd/error.c:82(error_packet_set)
      NT error packet at ../source3/smbd/reply.c(952) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

So this is starting to look more like a smb problem after all. Got any other thoughts?

--
David C. Rankin, J.D.,P.E.
On Wed, Jan 8, 2014 at 4:20 AM, David C. Rankin <drankinatty@suddenlinkmail.com> wrote: [...]
> So this is starting to look more like a smb problem after all. Got any other thoughts?

comparing with the config you posted and [0], why not take the error message literally?

cheers!
mar77i

[0] http://www.samba.org/samba/docs/using_samba/ch09.html#samba2-CHP-9-SECT-2
On 01/08/2014 04:22 AM, Martti Kühne wrote:
> On Wed, Jan 8, 2014 at 4:20 AM, David C. Rankin <drankinatty@suddenlinkmail.com> wrote: [...]
>> So this is starting to look more like a smb problem after all. Got any other thoughts?
>
> comparing with the config you posted and [0], why not take the error message literally?
>
> cheers!
> mar77i
>
> [0] http://www.samba.org/samba/docs/using_samba/ch09.html#samba2-CHP-9-SECT-2

Well, I see what you are saying, but that does not explain why mounting a '/' share suddenly starts to fail upon upgrade to samba 4.1.3. The error itself suggests a permissions problem:

    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

However, that was precisely what the 'admin users' option was designed to provide:

    admin users = david

From the link above:

<quote>
admin users

This option specifies a list of users that perform file operations as if they were root. This means that they can modify or destroy any other user's files, regardless of the permissions. Any files that they create will have root ownership and will use the default group of the admin user. The admin users option allows PC users to act as administrators for particular shares. Be very careful when using this option, and make sure good password and other security policies are in place.
</quote>

And for all versions of samba from 1.8.x through 3.6.7, that is exactly what the 'admin users' option allowed. Testing the default config in 4.1.3 (testparm -v), 'invalid users' is unset:

    invalid users =
    valid users =
    admin users = david

So there should be no prohibition to mounting the config share.

*********************** HOLY CR...... ************************

I have tested the share incrementally trying without the 'force user' and then 'force group' but I had never removed both at the same time. I just tested that and BINGO! it works. Thank you Martti! The link did not mention the prohibition, but it did prompt the additional information that solved this!

    [22:34 providence:/home/david] # mount.cifs //phoinix/config /mnt/phx-cfg/ -v -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile
    mount.cifs kernel mount options: ip=192.168.7.16,unc=\\phoinix\config,uid=1000,user=david,pass=********

    [22:34 providence:/home/david] # l /mnt/phx-cfg
    total 8
    <snip>
    drwxr-xr-x 4 david root 0 Dec 26 13:02 boot
    drwxr-xr-x 58 david david 0 Jan 2 23:51 dat_e
    drwxr-xr-x 11 david david 0 Aug 23 2012 dat_f
    drwxr-xr-x 17 david root 0 Dec 26 13:05 dev
    drwxr-xr-x 71 david root 0 Jan 10 21:01 etc
    drwxr-xr-x 14 david root 0 Dec 9 12:17 home
    <snip>

    [22:34 providence:/home/david] # mount
    //phoinix/config on /mnt/phx-cfg type cifs (rw,relatime,vers=1.0,sec=ntlm,cache=loose,unc=\\phoinix\config,username=david,uid=1000,forceuid,gid=0,noforcegid,addr=192.168.7.16,unix,posixpaths,serverino,acl,rsize=1048576,wsize=65536,actimeo=1)

It works -- this one is done...

--
David C. Rankin, J.D.,P.E.
On 01/10/2014 10:39 PM, David C. Rankin wrote:
> So there should be no prohibition to mounting the config share.

For those running samba, there is a bug in 4.1.x regarding the use of 'force user' 'force group'. (not just in my case) See for details:

    https://bugzilla.samba.org/show_bug.cgi?id=9878

--
David C. Rankin, J.D.,P.E.
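
The level 10 log in this thread shows the tree connect being refused after the switch to the forced user ("User root not in 'valid users'"). The following is an added example, not part of the original messages and not Samba's own code: a Python check that reads an smb.conf and lists shares whose 'force user' is not named in the effective 'valid users', so the combination can be found before an upgrade. The function names, the status labels and the trimmed sample config are assumptions made for the illustration; it covers only the 'force user' check the log shows and does not resolve group entries such as @rankin.

```python
"""Flag smb.conf shares whose 'force user' is absent from 'valid users'."""

# Constructed sample: the shares posted in the thread, trimmed to the
# parameters this check reads.
SAMPLE_SMB_CONF = """
[global]
    workgroup = RLFPLLC
    admin users = david

[homes]
    read only = No

[config]
    path = /
    valid users = david
    force user = root
    force group = root

[samba]
    path = /home/samba
    valid users = @rankin, anna
    force group = rankin
"""


def parse_smb_conf(text):
    """Return {section: {param: value}} with normalised parameter names."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            # Only the first '=' is significant; parameter names ignore
            # case and whitespace ("Force User" == "force user").
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return shares


def split_users(value):
    """Split a user list on commas and whitespace, lower-cased."""
    return [u.lower() for u in value.replace(",", " ").split()]


def check_forced_identity(shares):
    """Return (share, forced_user, status) for each share at risk.

    status is "denied" when 'valid users' holds plain names only and the
    forced user is not one of them, or "unresolved" when the list also has
    group entries (@, +, & prefixes) that need a lookup on the server.
    """
    defaults = shares.get("global", {})
    findings = []
    for name, params in shares.items():
        if name == "global":
            continue
        effective = {**defaults, **params}  # share settings override [global]
        forced = effective.get("forceuser", "").lower()
        valid = split_users(effective.get("validusers", ""))
        if not forced or not valid or forced in valid:
            continue  # nothing forced, no restriction, or explicitly listed
        has_groups = any(u[0] in "@+&" for u in valid)
        findings.append((name, forced, "unresolved" if has_groups else "denied"))
    return findings


if __name__ == "__main__":
    for share, user, status in check_forced_identity(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{share}] force user = {user}: {status} by 'valid users'")
```
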
participants (2)
- David C. Rankin
- Martti Kühne