[Pkg-samba-maint] Bug#1059323: mount.cifs fails to mount a share which smbclient can access all right

Alain Knaff Alain.Knaff at aev.etat.lu
Fri Dec 22 13:54:50 GMT 2023 

Package: cifs-utils
Version: 2:7.0-2

We have one share here which can be opened by smbclient, but not mounted
using mount.cifs:

smbclient -A ~alain/.smbcredentials-admin //work03.gouv.etat.lu/aev
=> succeeds

# mount.cifs -o credentials=/home/alain/.smbcredentials-admin //work03.gouv.etat.lu/aev  /media/windows/work03
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

kernel log shows:

2023-12-22T11:58:37.212890+01:00 alainpc kernel: [10807.375685] CIFS: fs/smb/client/fs_context.c: CIFS: parsing cifs mount option 'source'
2023-12-22T11:58:37.212910+01:00 alainpc kernel: [10807.375702] CIFS: fs/smb/client/fs_context.c: CIFS: parsing cifs mount option 'ip'
2023-12-22T11:58:37.212913+01:00 alainpc kernel: [10807.375710] CIFS: fs/smb/client/fs_context.c: CIFS: parsing cifs mount option 'unc'
2023-12-22T11:58:37.212914+01:00 alainpc kernel: [10807.375715] CIFS: fs/smb/client/fs_context.c: CIFS: parsing cifs mount option 'user'
2023-12-22T11:58:37.212916+01:00 alainpc kernel: [10807.375720] CIFS: fs/smb/client/fs_context.c: CIFS: parsing cifs mount option 'pass'
2023-12-22T11:58:37.212917+01:00 alainpc kernel: [10807.375726] CIFS: fs/smb/client/cifsfs.c: Devname: \\work03.gouv.etat.lu\aev flags: 0
2023-12-22T11:58:37.212919+01:00 alainpc kernel: [10807.375733] CIFS: fs/smb/client/connect.c: Username: xxxxxx_admin
2023-12-22T11:58:37.212921+01:00 alainpc kernel: [10807.375736] CIFS: fs/smb/client/connect.c: file mode: 0755  dir mode: 0755
2023-12-22T11:58:37.212924+01:00 alainpc kernel: [10807.375743] CIFS: fs/smb/client/connect.c: VFS: in mount_get_conns as Xid: 79 with uid: 0
2023-12-22T11:58:37.212926+01:00 alainpc kernel: [10807.375748] CIFS: fs/smb/client/connect.c: UNC: \\work03.gouv.etat.lu\aev
2023-12-22T11:58:37.212928+01:00 alainpc kernel: [10807.375756] CIFS: fs/smb/client/connect.c: generic_ip_connect: connecting to 148.110.208.152:445
2023-12-22T11:58:37.212959+01:00 alainpc kernel: [10807.375774] CIFS: fs/smb/client/connect.c: Socket created
2023-12-22T11:58:37.212962+01:00 alainpc kernel: [10807.375777] CIFS: fs/smb/client/connect.c: sndbuf 16384 rcvbuf 131072 rcvtimeo 0x6d6
2023-12-22T11:58:37.232875+01:00 alainpc kernel: [10807.396428] CIFS: fs/smb/client/connect.c: cifs_get_tcp_session: next dns resolution scheduled for 600 seconds in the future
2023-12-22T11:58:37.232893+01:00 alainpc kernel: [10807.396441] CIFS: fs/smb/client/connect.c: VFS: in cifs_get_smb_ses as Xid: 80 with uid: 0
2023-12-22T11:58:37.232896+01:00 alainpc kernel: [10807.396447] CIFS: fs/smb/client/connect.c: Existing smb sess not found
2023-12-22T11:58:37.232897+01:00 alainpc kernel: [10807.396455] CIFS: fs/smb/client/smb2pdu.c: Negotiate protocol
2023-12-22T11:58:37.232899+01:00 alainpc kernel: [10807.396467] CIFS: fs/smb/client/transport.c: wait_for_free_credits: remove 1 credits total=0
2023-12-22T11:58:37.232901+01:00 alainpc kernel: [10807.396484] CIFS: fs/smb/client/connect.c: Demultiplex PID: 13815
2023-12-22T11:58:37.232903+01:00 alainpc kernel: [10807.396494] CIFS: fs/smb/client/transport.c: Sending smb: smb_len=252
2023-12-22T11:58:37.252865+01:00 alainpc kernel: [10807.418048] CIFS: fs/smb/client/connect.c: RFC1002 header 0x134
2023-12-22T11:58:37.252887+01:00 alainpc kernel: [10807.418071] CIFS: fs/smb/client/smb2misc.c: SMB2 data length 114 offset 128
2023-12-22T11:58:37.252889+01:00 alainpc kernel: [10807.418076] CIFS: fs/smb/client/smb2misc.c: SMB2 len 242
2023-12-22T11:58:37.252892+01:00 alainpc kernel: [10807.418079] CIFS: fs/smb/client/smb2misc.c: length of negcontexts 60 pad 6
2023-12-22T11:58:37.252894+01:00 alainpc kernel: [10807.418086] CIFS: fs/smb/client/smb2ops.c: smb2_add_credits: added 1 credits total=1
2023-12-22T11:58:37.252895+01:00 alainpc kernel: [10807.418177] CIFS: fs/smb/client/transport.c: cifs_sync_mid_result: cmd=0 mid=0 state=64
2023-12-22T11:58:37.252897+01:00 alainpc kernel: [10807.418199] CIFS: fs/smb/client/misc.c: Null buffer passed to cifs_small_buf_release
2023-12-22T11:58:37.252899+01:00 alainpc kernel: [10807.418205] CIFS: fs/smb/client/smb2pdu.c: mode 0x3
2023-12-22T11:58:37.252902+01:00 alainpc kernel: [10807.418208] CIFS: fs/smb/client/smb2pdu.c: negotiated smb3.1.1 dialect
2023-12-22T11:58:37.252904+01:00 alainpc kernel: [10807.418218] CIFS: fs/smb/client/smb2pdu.c: decoding 2 negotiate contexts
2023-12-22T11:58:37.252907+01:00 alainpc kernel: [10807.418221] CIFS: fs/smb/client/smb2pdu.c: decode SMB3.11 encryption neg context of len 4
2023-12-22T11:58:37.252909+01:00 alainpc kernel: [10807.418224] CIFS: fs/smb/client/smb2pdu.c: SMB311 cipher type:2
2023-12-22T11:58:37.252910+01:00 alainpc kernel: [10807.418229] CIFS: fs/smb/client/connect.c: cifs_setup_session: channel connect bitmap: 0x1
2023-12-22T11:58:37.252931+01:00 alainpc kernel: [10807.418234] CIFS: fs/smb/client/connect.c: Security Mode: 0x3 Capabilities: 0x30005f TimeAdjust: 0
2023-12-22T11:58:37.252935+01:00 alainpc kernel: [10807.418239] CIFS: fs/smb/client/smb2pdu.c: Session Setup
2023-12-22T11:58:37.252938+01:00 alainpc kernel: [10807.418243] CIFS: fs/smb/client/smb2pdu.c: sess setup type 2
2023-12-22T11:58:37.252939+01:00 alainpc kernel: [10807.418248] CIFS: fs/smb/client/smb2pdu.c: Fresh session. Previous: 0
2023-12-22T11:58:37.252941+01:00 alainpc kernel: [10807.418254] CIFS: fs/smb/client/transport.c: wait_for_free_credits: remove 1 credits total=0
2023-12-22T11:58:37.252943+01:00 alainpc kernel: [10807.418273] CIFS: fs/smb/client/transport.c: Sending smb: smb_len=136
2023-12-22T11:58:37.277074+01:00 alainpc kernel: [10807.439279] CIFS: fs/smb/client/connect.c: RFC1002 header 0x106
2023-12-22T11:58:37.277100+01:00 alainpc kernel: [10807.439298] CIFS: fs/smb/client/smb2misc.c: SMB2 data length 190 offset 72
2023-12-22T11:58:37.277103+01:00 alainpc kernel: [10807.439303] CIFS: fs/smb/client/smb2misc.c: SMB2 len 262
2023-12-22T11:58:37.277105+01:00 alainpc kernel: [10807.439309] CIFS: fs/smb/client/smb2ops.c: smb2_add_credits: added 130 credits total=130
2023-12-22T11:58:37.277106+01:00 alainpc kernel: [10807.439381] CIFS: fs/smb/client/transport.c: cifs_sync_mid_result: cmd=1 mid=1 state=64
2023-12-22T11:58:37.277108+01:00 alainpc kernel: [10807.439394] CIFS: Status code returned 0xc0000016 STATUS_MORE_PROCESSING_REQUIRED
2023-12-22T11:58:37.277110+01:00 alainpc kernel: [10807.439407] CIFS: fs/smb/client/smb2maperror.c: Mapping SMB2 status code 0xc0000016 to POSIX err -5
2023-12-22T11:58:37.277112+01:00 alainpc kernel: [10807.439421] CIFS: fs/smb/client/misc.c: Null buffer passed to cifs_small_buf_release
2023-12-22T11:58:37.277115+01:00 alainpc kernel: [10807.439428] CIFS: fs/smb/client/sess.c: decode_ntlmssp_challenge: negotiate=0xe2088235 challenge=0x60898235
2023-12-22T11:58:37.277117+01:00 alainpc kernel: [10807.439434] CIFS: fs/smb/client/smb2pdu.c: rawntlmssp session setup challenge phase
2023-12-22T11:58:37.277119+01:00 alainpc kernel: [10807.439440] CIFS: fs/smb/client/smb2pdu.c: Fresh session. Previous: 0
2023-12-22T11:58:37.277121+01:00 alainpc kernel: [10807.439494] CIFS: fs/smb/client/transport.c: wait_for_free_credits: remove 1 credits total=129
2023-12-22T11:58:37.277123+01:00 alainpc kernel: [10807.439516] CIFS: fs/smb/client/transport.c: Sending smb: smb_len=388
2023-12-22T11:58:37.300823+01:00 alainpc kernel: [10807.462731] CIFS: fs/smb/client/connect.c: RFC1002 header 0x49
2023-12-22T11:58:37.300852+01:00 alainpc kernel: [10807.462755] CIFS: fs/smb/client/smb2misc.c: SMB2 data length 0 offset 0
2023-12-22T11:58:37.300854+01:00 alainpc kernel: [10807.462760] CIFS: fs/smb/client/smb2misc.c: SMB2 len 73
2023-12-22T11:58:37.300856+01:00 alainpc kernel: [10807.462766] CIFS: fs/smb/client/smb2ops.c: smb2_add_credits: added 130 credits total=259
2023-12-22T11:58:37.300858+01:00 alainpc kernel: [10807.462844] CIFS: fs/smb/client/transport.c: cifs_sync_mid_result: cmd=1 mid=2 state=64
2023-12-22T11:58:37.300859+01:00 alainpc kernel: [10807.462857] CIFS: Status code returned 0xc000006e STATUS_ACCOUNT_RESTRICTION
2023-12-22T11:58:37.300861+01:00 alainpc kernel: [10807.462870] CIFS: fs/smb/client/smb2maperror.c: Mapping SMB2 status code 0xc000006e to POSIX err -13
2023-12-22T11:58:37.300864+01:00 alainpc kernel: [10807.462877] CIFS: fs/smb/client/misc.c: Null buffer passed to cifs_small_buf_release
2023-12-22T11:58:37.300866+01:00 alainpc kernel: [10807.462887] CIFS: VFS: \\work03.gouv.etat.lu Send error in SessSetup = -13
2023-12-22T11:58:37.300868+01:00 alainpc kernel: [10807.462895] CIFS: fs/smb/client/connect.c: VFS: leaving cifs_get_smb_ses (xid = 80) rc = -13
2023-12-22T11:58:37.300871+01:00 alainpc kernel: [10807.462904] CIFS: fs/smb/client/dfs_cache.c: cache_refresh_path: search path: \work03.gouv.etat.lu\aev
2023-12-22T11:58:37.300873+01:00 alainpc kernel: [10807.462912] CIFS: fs/smb/client/dfs_cache.c: get_dfs_referral: get an DFS referral for \work03.gouv.etat.lu\aev
2023-12-22T11:58:37.300906+01:00 alainpc kernel: [10807.462932] CIFS: fs/smb/client/connect.c: VFS: leaving mount_put_conns (xid = 79) rc = 0
2023-12-22T11:58:37.300909+01:00 alainpc kernel: [10807.462937] CIFS: VFS: cifs_mount failed w/return code = -13

I tried to gather a network trace and analyze it with wireshark.

The first difference is that mount.cifs' Session Setup Request packet is
annotated with NTLMSSP_NEGOTIATE whereas smbclient's isn't

This packet contains a Security Blob which for smbclient is 1706 bytes
long, and has a GSS-API sub block.
For mount.cifs, the Security Blob is a mere 44 bytes long, and contains
an NTLM Secure Service Provider block.

How can I convince mount.cifs to use GSS-API too?

N.B. it does work with another user in mount.cifs too, but this is not
satisfactory, as that other user has not enough rights for the stuff we
need.

The user for whom it breaks has an underscore in his name, and is 12
characters long (vs the other with just 6 characters and nothing
special), could this be a factor?

Thanks,

-- 
Alain Knaff
Service Informatique

LE GOUVERNEMENT DU GRAND-DUCHÉ DE LUXEMBOURG
Ministère de l'Environnement, du Climat
et de la Biodiversité
Administration de l'environnement

1, avenue du Rock'n'Roll . L-4361 Esch-sur-Alzette
Tél. (+352) 40 56 56-309
E-Mail: Alain.Knaff at aev.etat.lu
www.emwelt.lu . www.environnement.public.lu . www.luxembourg.lu

More information about the Pkg-samba-maint mailing list