clients can no longer mount.cifs the '/' samba share from current Arch server (long)




Guys,

  Something in current Archlinux prevents clients mounting a root samba share
'/' via mount.cifs.

  Since building a new Arch server a month or so ago, I have been chasing an
issue with mount.cifs that prevents the '/' share from being mounted as it
always has. This has worked (and continues to work) on all Arch boxes up until
this latest box. I have addressed this to the samba list (see thread: [Samba]
What in samba 4.1 prevents a '/' share?) After a month of troubleshooting with
the samba devs, it seems that the issue may have to do with the way
/proc/fs/cifs/SecurityFlags, or some other default is now set in Arch. Others
have confirmed the ability to mount '/' shares from servers running samba 4.1.3,
with the exact smb.conf settings, so it appears this is Arch specific. I'm not
100% sure if this is samba related or whether it is cifs related, so I am asking
here so I can get the bug report right -- if needed.

  Several bug reports deal with the drop of ntlm security for the kernel as of
kernel 3.8 and with differing /proc/fs/cifs/SecurityFlags values --
https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/1113395 (see
specifically No. #12 & #15 citing:
https://bbs.archlinux.org/viewtopic.php?id=159915)

  Historically the value of /proc/fs/cifs/SecurityFlags has been set at 0x7 (or
not set at all on Arch), but now Arch sets the value to 0x85. Examples:

	(older Arch box smbd Version 3.6.6)

[19:32 nirvana:/etc] # cat /proc/fs/cifs/SecurityFlags
cat: /proc/fs/cifs/SecurityFlags: No such file or directory

	(new Arch box smbd Version 4.1.3)

[19:30 phoinix:/home/david/cnf/phoinix/etc] # cat /proc/fs/cifs/SecurityFlags
0x85

  I have set /proc/fs/cifs/SecurityFlags to the traditional value of 0x7, but
there is still something that prevents the mount from working. I will detail
below the config and attempts made to resolve the issue. The bottom line is that
all older Arch servers (and openSuSE boxes) I have can successfully share/mount
a '/' root samba share, but there is now something in current Arch that prevents
this from working. The folks at the samba list are stumped because there is
nothing in samba or cifs that has changed that would prevent this from working.
The bug reports I've read suggest the cifs/SecurityFlags setting may be
involved, but from the testing I've done, I don't know if that makes any
difference. Now I need help from you smarter Archers to help figure out what
changed that prevents this from working and how to fix it.

  The current Arch box (hostname phoinix) is a fully updated box (as of 1/6/14)
with:

 # smbd --version
Version 3.6.7

 # mount.cifs -V
mount.cifs version: 5.6

The samba config:

  The server functions as a standalone server (no PDC, etc..). The smb.conf and
share definitions are:

Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
        workgroup = RLFPLLC
        server string = Phoinix Samba %v
        map to guest = Bad User
        smb passwd file = /etc/samba/smbpasswd
        log file = /var/log/samba/%m.log
        max log size = 50
        time server = Yes
        printcap name = /etc/printcap
        show add printer wizard = No
        os level = 66
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        idmap config * : backend = tdb
        admin users = david
        hosts allow = 192.168.6., 192.168.7., 127.
        use sendfile = Yes

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[config]
        comment = Phoinix Config (Archlinux)
        path = /
        valid users = david
        force user = root
        force group = root
        read only = No
        browseable = No

[samba]
        comment = Phoinix - Law
        path = /home/samba
        valid users = @rankin, #, anna
        force group = rankin
        read only = No
        inherit permissions = Yes
<snip>

  Mounting the homes and samba shares works fine, and printing via cups works
fine. The only issue is mounting the [config] share. The shares are mounted
making use of a credentials file with:

mount.cifs //phoinix/config /mnt/phx-cfg -v -o
username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm

  The results of mount showing successful mount of the [homes] and [samba] shares:

//phoinix/samba on /mnt/phx type cifs
(rw,relatime,vers=1.0,sec=ntlm,cache=loose,unc=\\phoinix\samba,username=david,uid=1000,forceuid,gid=0,noforcegid,addr=192.168.7.16,unix,posixpaths,serverino,acl,noperm,rsize=1048576,wsize=65536,actimeo=1)
//phoinix/david on /mnt/phx-david type cifs
(rw,relatime,vers=1.0,sec=ntlm,cache=loose,unc=\\phoinix\david,username=david,uid=1000,forceuid,gid=0,noforcegid,addr=192.168.7.16,unix,posixpaths,serverino,acl,noperm,rsize=1048576,wsize=65536,actimeo=1)

  However, attempting to mount the [config] share results in the error:

[18:33 providence:~/tmp/cifs] # mount.cifs //phoinix/config /mnt/phx-cfg -v -o
username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
mount.cifs kernel mount options:
ip=192.168.7.16,unc=\\phoinix\config,noperm,uid=1000,user=david,pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

  I have tried with 'sec=ntlmv2' and 'sec=ntlmssp', which makes no difference. I
have tried with/without 'domain=rlfpllc'; again, no difference.

  What I need to determine is whether this is a bug or whether this is a
configuration issue, and if so, in what? I have captured tcpdump traffic during
the mount attempts and it points to smb issuing the error, but I'm not that
great at reading packet contents, so I'm not entirely sure. But basically, after
successful AndX session setup (Tree Connect AndX Request, Path:
\\phoinix\config), the request for \\phoinix\config is made and it is found
successfully by the server, but then the server responds with (Tree Connect AndX
Response, Error: STATUS_ACCESS_DENIED). The full ASCII dump of the packet along
with additional testing showing it works on all older servers is included below.

  If you have ideas or would like me to post additional information, just let me
know. I have worked to collect the relevant information from the samba thread,
but let me know if you need anything else Arch related from the box. Thanks in
advance for any help you can provide.

====== Additional Testing and ASCII dump of STATUS_ACCESS_DENIED packet ======

  Testing with other servers I can easily mount the '/' share from any other
computer. Here is my 3-computer test setup:

  On my client (hostname providence) I have:

18:01 providence:~> smbd -V
Version 3.6.7
linux 3.5.3-1
cifs-utils 5.6-2

  On the server (hostname phoinix) I have:

18:15 phoinix:~> smbd -V
Version 4.1.3
linux 3.12.6-1
cifs-utils 6.2-1

  On a second older server (hostname nemesis) I have:

18:30 nemesis:~/scr/mnt> smbd -V
Version 3.4.5-5.1-2300-SUSE-SL11.0
kernel-pae-2.6.25.20-0.7
cifs-mount-3.4.5-5.1

  Mounting the '/' config share from host *providence on nemesis* works fine:

18:31 nemesis:~/scr/mnt> sudo mount.cifs //providence/config /mnt/pv-cfg -o
username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
18:31 nemesis:~/scr/mnt> l /mnt/pv-cfg
total 4
drwxr-xr-x  21 david root    0 2012-09-04 14:41 ./
drwxr-xr-x  14 root  root 4096 2013-12-28 18:29 ../
drwxr-xr-x   2 david root    0 2012-09-04 14:50 bin/
drwxr-xr-x   3 david root    0 2012-09-04 14:48 boot/
<snip>

  Mounting the '/' share from host *nemesis on providence* works fine:

18:37 providence:~/scr/mnt> sudo mount.cifs //nemesis/config /mnt/nm-cfg -o
username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
18:37 providence:~/scr/mnt> l /mnt/nm-cfg
total 4
drwxr-xr-x  21 david root    0 Dec  9 11:24 .
drwxr-xr-x  11 root  root 4096 Mar  3  2011 ..
drwxr-xr-x   2 david root    0 Dec  5  2010 bin
drwxr-xr-x   4 david root    0 Mar  8  2010 boot
<snip>

  Mounting the '/' share from host *providence on phoinix* works fine:

18:54 phoinix:~/scr/mnt> sudo mount.cifs //providence/config /mnt/pv-cfg -o
username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
18:55 phoinix:~/scr/mnt> l /mnt/pv-cfg/
total 4
drwxr-xr-x  21 david root    0 Sep  4  2012 .
drwxr-xr-x   9 root  root 4096 Dec 28 18:42 ..
drwxr-xr-x   2 david root    0 May 13  2011 .config
drwxr-xr-x   2 david root    0 Sep  4  2012 bin
drwxr-xr-x   3 david root    0 Sep  4  2012 boot
<snip>

  Mounting the '/' share from host *nemesis on phoinix* works fine:

18:55 phoinix:~/scr/mnt> sudo mount.cifs //nemesis/config /mnt/nm-cfg -o
username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
18:57 phoinix:~/scr/mnt> l /mnt/nm-cfg
total 4
drwxr-xr-x  21 david root    0 Dec  9 11:24 .
drwxr-xr-x   9 root  root 4096 Dec 28 18:42 ..
drwxr-xr-x   2 david root    0 Dec  5  2010 bin
drwxr-xr-x   4 david root    0 Mar  8  2010 boot
<snip>

  However, attempting the mount of the '/' share from host *phoinix on anything*
else fails. The only difference I can see is that this is when I'm attempting to
mount the share from 4.1.X on anything else:

18:59 nemesis:~/scr/mnt> sudo mount.cifs //phoinix/config /mnt/phx-cfg -o
username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

18:40 providence:~/scr/mnt> sudo mount.cifs //phoinix/config /mnt/phx-cfg -o
username=david,uid=1000,credentials=/home/david/.dcr/mountcfile,noperm
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

  The ASCII packet dissection for the STATUS_ACCESS_DENIED packet is:

No.     Time        Source                Destination           Protocol Length Info
     25 3.487933    192.168.7.16          192.168.7.124         SMB      105
Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED

Frame 25: 105 bytes on wire (840 bits), 105 bytes captured (840 bits)
    WTAP_ENCAP: 1
    Arrival Time: Jan  6, 2014 17:45:50.826685000 CST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1389051950.826685000 seconds
    [Time delta from previous captured frame: 0.001539000 seconds]
    [Time delta from previous displayed frame: 0.001539000 seconds]
    [Time since reference or first frame: 3.487933000 seconds]
    Frame Number: 25
    Frame Length: 105 bytes (840 bits)
    Capture Length: 105 bytes (840 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:tcp:nbss:smb]
    [Coloring Rule Name: SMB]
    [Coloring Rule String: smb || nbss || nbns || nbipx || ipxsap || netbios]
Ethernet II, Src: Micro-St_1a:8c:fa (00:21:85:1a:8c:fa), Dst: Dell_22:50:08
(00:11:43:22:50:08)
    Destination: Dell_22:50:08 (00:11:43:22:50:08)
        Address: Dell_22:50:08 (00:11:43:22:50:08)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory
default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Micro-St_1a:8c:fa (00:21:85:1a:8c:fa)
        Address: Micro-St_1a:8c:fa (00:21:85:1a:8c:fa)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory
default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 192.168.7.16 (192.168.7.16), Dst:
192.168.7.124 (192.168.7.124)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT
(Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable
Transport) (0x00)
    Total Length: 91
    Identification: 0x0398 (920)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (6)
    Header checksum: 0xa728 [correct]
        [Good: True]
        [Bad: False]
    Source: 192.168.7.16 (192.168.7.16)
    Destination: 192.168.7.124 (192.168.7.124)
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: microsoft-ds (445), Dst Port: 50813
(50813), Seq: 210, Ack: 445, Len: 39
    Source port: microsoft-ds (445)
    Destination port: 50813 (50813)
    [Stream index: 2]
    Sequence number: 210    (relative sequence number)
    [Next sequence number: 249    (relative sequence number)]
    Acknowledgment number: 445    (relative ack number)
    Header length: 32 bytes
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
    Window size value: 235
    [Calculated window size: 30080]
    [Window size scaling factor: 128]
    Checksum: 0x5220 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        No-Operation (NOP)
            Type: 1
                0... .... = Copy on fragmentation: No
                .00. .... = Class: Control (0)
                ...0 0001 = Number: No-Operation (NOP) (1)
        Timestamps: TSval 290109681, TSecr 203763093
            Kind: Timestamp (8)
            Length: 10
            Timestamp value: 290109681
            Timestamp echo reply: 203763093
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 24]
        [The RTT to ACK the segment was: 0.001539000 seconds]
        [Bytes in flight: 39]
NetBIOS Session Service
    Message Type: Session message (0x00)
    Length: 35
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        [Response to: 24]
        [Time from request: 0.001539000 seconds]
        SMB Command: Tree Connect AndX (0x75)
        NT Status: STATUS_ACCESS_DENIED (0xc0000022)
        Flags: 0x80
            1... .... = Request/Response: Message is a response to the
client/redirector
            .0.. .... = Notify: Notify client only on open
            ..0. .... = Oplocks: OpLock not requested/granted
            ...0 .... = Canonicalized Pathnames: Pathnames are not canonicalized
            .... 0... = Case Sensitivity: Path names are case sensitive
            .... ..0. = Receive Buffer Posted: Receive buffer has not been posted
            .... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
        Flags2: 0xc003
            1... .... .... .... = Unicode Strings: Strings are Unicode
            .1.. .... .... .... = Error Code Type: Error codes are NT error codes
            ..0. .... .... .... = Execute-only Reads: Don't permit reads if
execute-only
            ...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
            .... 0... .... .... = Extended Security Negotiation: Extended
security negotiation is not supported
            .... .0.. .... .... = Reparse Path: The request does not use a @GMT
reparse path
            .... .... .0.. .... = Long Names Used: Path names in request are not
long file names
            .... .... ...0 .... = Security Signatures Required: Security
signatures are not required
            .... .... .... 0... = Compressed: Compression is not requested
            .... .... .... .0.. = Security Signatures: Security signatures are
not supported
            .... .... .... ..1. = Extended Attributes: Extended attributes are
supported
            .... .... .... ...1 = Long Names Allowed: Long file names are
allowed in the response
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 0  (\\phoinix\config)
            [Path: \\phoinix\config]
            [Mapped in: 25]
        Process ID: 1996
        User ID: 14822
        Multiplex ID: 3
    Tree Connect AndX Response (0x75)
        Word Count (WCT): 0
        Byte Count (BCC): 0


-- 
David C. Rankin, J.D.,P.E.
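Added here as a worked example (not part of the original post, nor code from samba or cifs-utils): a small Python decoder for an NBSS-framed SMB1 header, so the tcpdump reading above can be checked mechanically rather than by eye. The sample frame is constructed from the dissection in the post (NBSS length 35, command 0x75, NT status 0xc0000022, Flags 0x80, Flags2 0xc003, TID 0, PID 1996, UID 14822, MID 3, WCT 0, BCC 0); the command and status name tables are the well-known SMB1 values and are only a subset.

```python
import struct

# Well-known SMB1 command codes and NT status values seen during a mount.cifs sequence.
SMB_COMMANDS = {0x72: "Negotiate", 0x73: "Session Setup AndX", 0x75: "Tree Connect AndX"}
NT_STATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC00000CC: "STATUS_BAD_NETWORK_NAME",
}
FLAGS2_EXTENDED_SECURITY = 0x0800  # extended security (SPNEGO/NTLMSSP) in use
FLAGS2_NT_STATUS = 0x4000          # status field carries NT status codes

# Constructed from the dissection in the post: NetBIOS session message of length 35,
# then the 32-byte SMB header followed by WCT = 0 and BCC = 0.
SAMPLE_FRAME = bytes.fromhex(
    "00000023"                  # NBSS: session message (0x00), length 35
    "ff534d42"                  # "\xffSMB"
    "75" "220000c0"             # Tree Connect AndX, STATUS_ACCESS_DENIED (little-endian)
    "80" "03c0"                 # Flags 0x80 (response), Flags2 0xc003
    "0000" "0000000000000000"   # PID high, signature
    "0000" "0000"               # reserved, TID 0
    "cc07" "e639" "0300"        # PID 1996, UID 14822, MID 3
    "00" "0000"                 # WCT 0, BCC 0
)


def parse_smb1_response(frame: bytes) -> dict:
    """Decode one NBSS-framed SMB1 message and return its header fields."""
    if len(frame) < 4 or frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    nbss_len = int.from_bytes(frame[1:4], "big")
    body = frame[4:4 + nbss_len]
    if len(body) != nbss_len or len(body) < 35 or body[:4] != b"\xffSMB":
        raise ValueError("truncated frame or not an SMB1 header")
    cmd, status, flags, flags2, pid_high, _sig, _rsvd, tid, pid_low, uid, mid = \
        struct.unpack("<BIBHH8sHHHHH", body[4:32])
    wct = body[32]
    bcc = struct.unpack("<H", body[33:35])[0]
    if not flags2 & FLAGS2_NT_STATUS:
        raise ValueError("DOS error class/code, not an NT status")
    return {
        "command": cmd,
        "command_name": SMB_COMMANDS.get(cmd, f"0x{cmd:02x}"),
        "is_response": bool(flags & 0x80),
        "status": status,
        "status_name": NT_STATUS.get(status, f"0x{status:08x}"),
        "extended_security": bool(flags2 & FLAGS2_EXTENDED_SECURITY),
        "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid,
        "wct": wct, "bcc": bcc,
    }
```

On the dissected frame the UID is non-zero and the denial arrives on Tree Connect, so the session was authenticated and the refusal is share-level rather than a logon failure. `extended_security` is False for this frame, consistent with the `sec=ntlm` shown in the working mounts above.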