[Pkg-samba-maint] Bug#891942: cifs-utils: mounting encrypted SMB3 shares fails with CIFS VFS: protocol revalidation - security settings mismatch, code = -5

Fri Mar 2 22:09:35 UTC 2018

Package: cifs-utils
Version: 2:6.7-1
Severity: important

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

Hi,
I've been watching with interest for the ability in debian to mount encrypted SMBv3 shares

WE recently spun up storage on a Netapp filer - the share requires Encrypted SMBv3 for the mount to be allowed.

Debian 9 stock has an older kernel and the mount option for smbv3 doesnt seem to work.
SO I went and got a 4.14.0-0.bpo.3 kernel from backports.  And now the mount command runs but I get an error from the mount.

Heres what happens:

DIRECT MOUNT OF NETAPP system:
(I have a backgrounded tail -f /var/log/syslog running)

root at rstudio:~# sudo /sbin/mount.cifs //fas8200-1.s.uw.edu/CSDE  /a --verbose  -o rw,uid=mbw,user=mbw,domain=NETID,vers=3                    Password for mbw@//fas8200-1.s.uw.edu/CSDE:  ********
mount.cifs kernel mount options: ip=10.48.76.101,unc=\\fas8200-1.s.uw.edu\CSDE,vers=3,uid=153641,user=mbw,domain=NETID,pass=********
mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
root at rstudio:~# Mar  2 13:06:15 rstudio kernel: [161412.073130] CIFS VFS: protocol revalidation - security settings mismatch
Mar  2 13:06:15 rstudio kernel: [161412.073948] CIFS VFS: session ffff8f92f72e4e00 has no tcon available for a dfs referral request
Mar  2 13:06:15 rstudio kernel: [161412.075479] CIFS VFS: cifs_mount failed w/return code = -5

root at rstudio:~# 
root at rstudio:~# uname -a
Linux rstudio 4.14.0-0.bpo.3-amd64 #1 SMP Debian 4.14.13-1~bpo9+1 (2018-01-14) x86_64 GNU/Linux
root at rstudio:~# 

Mount via DFS pointer:

root at rstudio:~# sudo /sbin/mount.cifs //netid.washington.edu/wfs/csde  /a --verbose  -o rw,uid=mbw,user=mbw,domain=NETID,vers=3              
Password for mbw@//netid.washington.edu/wfs/csde:  ********
mount.cifs kernel mount options: ip=172.16.31.136,unc=\\netid.washington.edu\wfs,vers=3,uid=153641,user=mbw,domain=NETID,prefixpath=csde,pass=********
mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
Mar  2 13:08:06 rstudio kernel: [161523.613992] CIFS VFS: protocol revalidation - security settings mismatch
root at rstudio:~# Mar  2 13:08:06 rstudio kernel: [161523.615697] CIFS VFS: cifs_mount failed w/return code = -5

root at rstudio:~# 

So I am not sure how to report a bug on this in the most useful/best way for the Debian project.
Should I install Buster alpha and try/log bug there?  Or is this useful to you?

I'd like to help out somehow to get this working, it seems like a lot of work has been done to get this feature moved forward.  I suspect this is either user error on my part or we are *really* close to getting this to work.  lmk what I can do to help

thanks,
Matt Weatherford
Seattle, WA USA

*** End of the template - remove these template lines ***

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-0.bpo.3-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cifs-utils depends on:
ii  libc6         2.24-11+deb9u1
ii  libcap-ng0    0.7.7-3+b1
ii  libkeyutils1  1.5.9-9
ii  libkrb5-3     1.15-1+deb9u1
ii  libpam0g      1.1.8-3.6
ii  libtalloc2    2.1.8-1
ii  libwbclient0  2:4.5.12+dfsg-2+deb9u1
ii  samba-common  2:4.5.12+dfsg-2+deb9u1

cifs-utils recommends no packages.

Versions of packages cifs-utils suggests:
ii  keyutils   1.5.9-9
ii  smbclient  2:4.5.12+dfsg-2+deb9u1
ii  winbind    2:4.5.12+dfsg-2+deb9u1

-- no debconf information