Guys,

Something in current Archlinux prevents clients mounting a root samba share '/' via mount.cifs. Since building a new Arch server a month or so ago, I have been chasing an issue with mount.cifs that prevents the '/' share from being mounted as it always has. This has worked (and continues to work) on all Arch boxes up until this latest box. I have addressed this to the samba list (see thread: [Samba] What in samba 4.1 prevents a '/' share?).

After a month of troubleshooting with the samba devs, it seems that the issue may have to do with the way /proc/fs/cifs/SecurityFlags, or some other default is now set in Arch. Others have confirmed the ability to mount '/' shares from servers running samba 4.1.3, with the exact smb.conf settings, so it appears this is Arch specific. I'm not 100% sure if this is samba related or whether it is cifs related, so I am asking here so I can get the bug report right -- if needed.

Several bug reports deal with the drop of ntlm security for the kernel as of kernel 3.8 and with differing /proc/fs/cifs/SecurityFlags values --

    https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/1113395

(see specifically No. #12 & #15 citing: https://bbs.archlinux.org/viewtopic.php?id=159915)

Historically the value of /proc/fs/cifs/SecurityFlags has been set at 0x7 (or not set at all on Arch), but now Arch sets the value to 0x85. Examples:

(older Arch box smbd Version 3.6.6)

    [19:32 nirvana:/etc] # cat /proc/fs/cifs/SecurityFlags
    cat: /proc/fs/cifs/SecurityFlags: No such file or directory

(new Arch box smbd Version 4.1.3)

    [19:30 phoinix:/home/david/cnf/phoinix/etc] # cat /proc/fs/cifs/SecurityFlags
    0x85

I have set /proc/fs/cifs/SecurityFlags to the traditional value of 0x7, but there is still something that prevents the mount from working. I will detail below the config and attempts made to resolve the issue.

The bottom line is that all older Arch servers (and openSuSE boxes) I have can successfully share/mount a '/' root samba share, but there is now something in current Arch that prevents this from working. The folks at the samba list are stumped because there is nothing in samba or cifs that has changed that would prevent this from working. The bug reports I've read suggest the cifs/SecurityFlags setting may be involved, but from the testing I've done, I don't know if that makes any difference. Now I need help from you smarter Archers to help figure out what changed that prevents this from working and how to fix it.

The current Arch box (hostname phoinix) is a fully updated box (as of 1/6/14) with:

    # smbd --version
    Version 3.6.7

    # mount.cifs -V
    mount.cifs version: 5.6

The samba config:

The server functions as a standalone server (no PDC, etc..). The smb.conf and share definitions are:

    Server role: ROLE_STANDALONE
    Press enter to see a dump of your service definitions

    [global]
            workgroup = RLFPLLC
            server string = Phoinix Samba %v
            map to guest = Bad User
            smb passwd file = /etc/samba/smbpasswd
            log file = /var/log/samba/%m.log
            max log size = 50
            time server = Yes
            printcap name = /etc/printcap
            show add printer wizard = No
            os level = 66
            preferred master = Yes
            domain master = Yes
            dns proxy = No
            wins support = Yes
            idmap config * : backend = tdb
            admin users = david
            hosts allow = 192.168.6., 192.168.7., 127.
            use sendfile = Yes

    [homes]
            comment = Home Directories
            read only = No
            browseable = No

    [config]
            comment = Phoinix Config (Archlinux)
            path = /
            valid users = david
            force user = root
            force group = root
            read only = No
            browseable = No

    [samba]
            comment = Phoinix - Law
            path = /home/samba
            valid users = @rankin, #, anna
            force group = rankin
            read only = No
            inherit permissions = Yes
    <snip>

Mounting the homes and samba shares work fine and printing via cups works fine. The only issue is mounting the [config] share.

The shares are mounted making use of a credentials file with:

    mount.cifs //phoinix/config /mnt/phx-cfg -v -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm

The results of mount showing successful mount of the [homes] and [samba] shares:

    //phoinix/samba on /mnt/phx type cifs (rw,relatime,vers=1.0,sec=ntlm,cache=loose,unc=\\phoinix\samba,username=david,uid=1000,forceuid,gid=0,noforcegid,addr=192.168.7.16,unix,posixpaths,serverino,acl,noperm,rsize=1048576,wsize=65536,actimeo=1)
    //phoinix/david on /mnt/phx-david type cifs (rw,relatime,vers=1.0,sec=ntlm,cache=loose,unc=\\phoinix\david,username=david,uid=1000,forceuid,gid=0,noforcegid,addr=192.168.7.16,unix,posixpaths,serverino,acl,noperm,rsize=1048576,wsize=65536,actimeo=1)

However, attempting to mount the [config] share results in the error:

    [18:33 providence:~/tmp/cifs] # mount.cifs //phoinix/config /mnt/phx-cfg -v -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
    mount.cifs kernel mount options: ip=192.168.7.16,unc=\\phoinix\config,noperm,uid=1000,user=david,pass=********
    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

I have tried with 'sec=ntlmv2' and 'sec=ntlmssp' which makes no difference. I have tried with/without 'domain=rlfpllc' again no difference. What I need to determine is whether this is a bug or whether this is a configuration issue, and if so, in what?

I have captured tcpdump traffic during the mount attempts and they point to smb issuing the error, but I'm not that great at reading packet contents, so I'm not entirely sure.
But basically, after successful AndX session setup (Tree Connect AndX Request, Path: \\phoinix\config), the request for \\phoinix\config is made and it is found successfully by the server, but then the server responds with (Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED).

The full ASCII dump of the packet along with additional testing showing it works on all older servers is included below. If you have ideas or would like me to post additional information, just let me know. I have worked to collect the relevant information from the samba thread, but let me know if you need anything else Arch related from the box. Thanks in advance for any help you can provide.

====== Additional Testing and ASCII dump of STATUS_ACCESS_DENIED packet ======

Testing with other servers, I can easily mount the '/' share from any other computer. Here is my 3-computer test setup:

On my client (hostname providence) I have:

    18:01 providence:~> smbd -V
    Version 3.6.7
    linux 3.5.3-1
    cifs-utils 5.6-2

On the server (hostname phoinix) I have:

    18:15 phoinix:~> smbd -V
    Version 4.1.3
    linux 3.12.6-1
    cifs-utils 6.2-1

On a second older server (hostname nemesis) I have:

    18:30 nemesis:~/scr/mnt> smbd -V
    Version 3.4.5-5.1-2300-SUSE-SL11.0
    kernel-pae-2.6.25.20-0.7
    cifs-mount-3.4.5-5.1

Mounting the '/' config share from host *providence on nemesis* works fine:

    18:31 nemesis:~/scr/mnt> sudo mount.cifs //providence/config /mnt/pv-cfg -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
    18:31 nemesis:~/scr/mnt> l /mnt/pv-cfg
    total 4
    drwxr-xr-x 21 david root 0 2012-09-04 14:41 ./
    drwxr-xr-x 14 root root 4096 2013-12-28 18:29 ../
    drwxr-xr-x 2 david root 0 2012-09-04 14:50 bin/
    drwxr-xr-x 3 david root 0 2012-09-04 14:48 boot/
    <snip>

Mounting the '/' share from host *nemesis on providence* works fine:

    18:37 providence:~/scr/mnt> sudo mount.cifs //nemesis/config /mnt/nm-cfg -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
    18:37 providence:~/scr/mnt> l /mnt/nm-cfg
    total 4
    drwxr-xr-x 21 david root 0 Dec 9 11:24 .
    drwxr-xr-x 11 root root 4096 Mar 3 2011 ..
    drwxr-xr-x 2 david root 0 Dec 5 2010 bin
    drwxr-xr-x 4 david root 0 Mar 8 2010 boot
    <snip>

Mounting the '/' share from host *providence on phoinix* works fine:

    18:54 phoinix:~/scr/mnt> sudo mount.cifs //providence/config /mnt/pv-cfg -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
    18:55 phoinix:~/scr/mnt> l /mnt/pv-cfg/
    total 4
    drwxr-xr-x 21 david root 0 Sep 4 2012 .
    drwxr-xr-x 9 root root 4096 Dec 28 18:42 ..
    drwxr-xr-x 2 david root 0 May 13 2011 .config
    drwxr-xr-x 2 david root 0 Sep 4 2012 bin
    drwxr-xr-x 3 david root 0 Sep 4 2012 boot
    <snip>

Mounting the '/' share from host *nemesis on phoinix* works fine:

    18:55 phoinix:~/scr/mnt> sudo mount.cifs //nemesis/config /mnt/nm-cfg -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
    18:57 phoinix:~/scr/mnt> l /mnt/nm-cfg
    total 4
    drwxr-xr-x 21 david root 0 Dec 9 11:24 .
    drwxr-xr-x 9 root root 4096 Dec 28 18:42 ..
    drwxr-xr-x 2 david root 0 Dec 5 2010 bin
    drwxr-xr-x 4 david root 0 Mar 8 2010 boot
    <snip>

However, attempting the mount of the '/' share from host *phoinix on anything* else fails. The only difference I can see is this is when I'm attempting to mount the share from 4.1.X on anything else:

    18:59 nemesis:~/scr/mnt> sudo mount.cifs //phoinix/config /mnt/phx-cfg -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

    18:40 providence:~/scr/mnt> sudo mount.cifs //phoinix/config /mnt/phx-cfg -o username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
    mount error(13): Permission denied
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

The ASCII packet dissection for the STATUS_ACCESS_DENIED packet is:

    No.     Time        Source          Destination     Protocol Length Info
         25 3.487933    192.168.7.16    192.168.7.124   SMB      105    Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED

    Frame 25: 105 bytes on wire (840 bits), 105 bytes captured (840 bits)
        WTAP_ENCAP: 1
        Arrival Time: Jan 6, 2014 17:45:50.826685000 CST
        [Time shift for this packet: 0.000000000 seconds]
        Epoch Time: 1389051950.826685000 seconds
        [Time delta from previous captured frame: 0.001539000 seconds]
        [Time delta from previous displayed frame: 0.001539000 seconds]
        [Time since reference or first frame: 3.487933000 seconds]
        Frame Number: 25
        Frame Length: 105 bytes (840 bits)
        Capture Length: 105 bytes (840 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: eth:ip:tcp:nbss:smb]
        [Coloring Rule Name: SMB]
        [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
    Ethernet II, Src: Micro-St_1a:8c:fa (00:21:85:1a:8c:fa), Dst: Dell_22:50:08 (00:11:43:22:50:08)
        Destination: Dell_22:50:08 (00:11:43:22:50:08)
            Address: Dell_22:50:08 (00:11:43:22:50:08)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        Source: Micro-St_1a:8c:fa (00:21:85:1a:8c:fa)
            Address: Micro-St_1a:8c:fa (00:21:85:1a:8c:fa)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        Type: IP (0x0800)
    Internet Protocol Version 4, Src: 192.168.7.16 (192.168.7.16), Dst: 192.168.7.124 (192.168.7.124)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
        Total Length: 91
        Identification: 0x0398 (920)
        Flags: 0x02 (Don't Fragment)
            0... .... = Reserved bit: Not set
            .1.. .... = Don't fragment: Set
            ..0. .... = More fragments: Not set
        Fragment offset: 0
        Time to live: 64
        Protocol: TCP (6)
        Header checksum: 0xa728 [correct]
            [Good: True]
            [Bad: False]
        Source: 192.168.7.16 (192.168.7.16)
        Destination: 192.168.7.124 (192.168.7.124)
        [Source GeoIP: Unknown]
        [Destination GeoIP: Unknown]
    Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 50813 (50813), Seq: 210, Ack: 445, Len: 39
        Source port: microsoft-ds (445)
        Destination port: 50813 (50813)
        [Stream index: 2]
        Sequence number: 210 (relative sequence number)
        [Next sequence number: 249 (relative sequence number)]
        Acknowledgment number: 445 (relative ack number)
        Header length: 32 bytes
        Flags: 0x018 (PSH, ACK)
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...1 .... = Acknowledgment: Set
            .... .... 1... = Push: Set
            .... .... .0.. = Reset: Not set
            .... .... ..0. = Syn: Not set
            .... .... ...0 = Fin: Not set
        Window size value: 235
        [Calculated window size: 30080]
        [Window size scaling factor: 128]
        Checksum: 0x5220 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
        Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
            No-Operation (NOP)
                Type: 1
                    0... .... = Copy on fragmentation: No
                    .00. .... = Class: Control (0)
                    ...0 0001 = Number: No-Operation (NOP) (1)
            No-Operation (NOP)
                Type: 1
                    0... .... = Copy on fragmentation: No
                    .00. .... = Class: Control (0)
                    ...0 0001 = Number: No-Operation (NOP) (1)
            Timestamps: TSval 290109681, TSecr 203763093
                Kind: Timestamp (8)
                Length: 10
                Timestamp value: 290109681
                Timestamp echo reply: 203763093
        [SEQ/ACK analysis]
            [This is an ACK to the segment in frame: 24]
            [The RTT to ACK the segment was: 0.001539000 seconds]
            [Bytes in flight: 39]
    NetBIOS Session Service
        Message Type: Session message (0x00)
        Length: 35
    SMB (Server Message Block Protocol)
        SMB Header
            Server Component: SMB
            [Response to: 24]
            [Time from request: 0.001539000 seconds]
            SMB Command: Tree Connect AndX (0x75)
            NT Status: STATUS_ACCESS_DENIED (0xc0000022)
            Flags: 0x80
                1... .... = Request/Response: Message is a response to the client/redirector
                .0.. .... = Notify: Notify client only on open
                ..0. .... = Oplocks: OpLock not requested/granted
                ...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
                .... 0... = Case Sensitivity: Path names are case sensitive
                .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
                .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
            Flags2: 0xc003
                1... .... .... .... = Unicode Strings: Strings are Unicode
                .1.. .... .... .... = Error Code Type: Error codes are NT error codes
                ..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
                ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
                .... 0... .... .... = Extended Security Negotiation: Extended security negotiation is not supported
                .... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path
                .... .... .0.. .... = Long Names Used: Path names in request are not long file names
                .... .... ...0 .... = Security Signatures Required: Security signatures are not required
                .... .... .... 0... = Compressed: Compression is not requested
                .... .... .... .0.. = Security Signatures: Security signatures are not supported
                .... .... .... ..1. = Extended Attributes: Extended attributes are supported
                .... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
            Process ID High: 0
            Signature: 0000000000000000
            Reserved: 0000
            Tree ID: 0 (\\phoinix\config)
                [Path: \\phoinix\config]
                [Mapped in: 25]
            Process ID: 1996
            User ID: 14822
            Multiplex ID: 3
        Tree Connect AndX Response (0x75)
            Word Count (WCT): 0
            Byte Count (BCC): 0

-- 
David C. Rankin, J.D.,P.E.
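
Added example (not part of the original post): a small shell decoder for the /proc/fs/cifs/SecurityFlags values the post compares, 0x7 and 0x85, showing which authentication mechanisms each one permits. The bit meanings follow the kernel's CIFS README; the function names decode_secflags and dropped_secflags are hypothetical and chosen for this illustration.

```shell
#!/bin/sh
# Added example: decode /proc/fs/cifs/SecurityFlags values.
# Bit values per the kernel CIFS README: a "may" flag is the low bit,
# a "must" flag additionally sets the same bit shifted left by 12
# (for example must-sign = 0x01001).
CIFS_BITS="1:sign 2:ntlm 4:ntlmv2 8:krb5 16:lanman 32:plaintext 64:seal 128:ntlmssp"

# decode_secflags VALUE -> space-separated list such as "may_sign may_ntlmv2"
decode_secflags() {
    val=$(( $1 ))
    out=""
    for pair in $CIFS_BITS; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $(( val & (bit << 12) )) -ne 0 ]; then
            out="$out must_$name"
        elif [ $(( val & bit )) -ne 0 ]; then
            out="$out may_$name"
        fi
    done
    echo "${out# }"
}

# dropped_secflags OLD NEW -> mechanisms OLD permitted that NEW does not
dropped_secflags() {
    old=$(( $1 & 0xff ))
    new=$(( $2 & 0xff ))
    decode_secflags $(( old & ~new ))
}

# The two values quoted in the post.
echo "0x7  : $(decode_secflags 0x7)"
echo "0x85 : $(decode_secflags 0x85)"
echo "only in 0x7  : $(dropped_secflags 0x7 0x85)"
echo "only in 0x85 : $(dropped_secflags 0x85 0x7)"

# On a live client, decode whatever the running kernel reports.
if [ -r /proc/fs/cifs/SecurityFlags ]; then
    echo "this host: $(decode_secflags "$(cat /proc/fs/cifs/SecurityFlags)")"
fi
```

The decoder only describes what the client is willing to negotiate; the Tree Connect AndX failure in the capture occurs after session setup has already succeeded.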