samba - Jan 2019 - Fwd: mounting a windows share on a linux client using mount.cifs with encryption

Hello everyone,

I'm trying to mount a CIFS share served by Windows 10 Samba with encryption.

On the Windows server side, I made a regular share and told Windows via
Powershell command
Set-SmbServerConfiguration -EncryptData 1
to encrypt the data if possible, and via
Set-SmbServerConfiguration -RejectUnencryptedAccess 1
to reject unencrypted connections instead of negotiating an unencrypted
connection.

I then proceed to connect on Linux client side via
mount -t cifs //192.168.1.176/Share /mnt -o username=user,seal
Expectation: after being prompted to enter the password, the mount
should be active.
Actual result: after entering the correct password, i get "mount
error(13): Permission denied".

However, if I turn off the rule to only accept encrypted access, then
use the same command without the "seal" option, it works as expected.

I attached tcpdumps of both attempts.
Linux client versions tested are OpenSUSE Leap 42.3 with latest Patches
and Kernel 4.4.165-81-default as well as OpenSUSE Leap 15 with latest
Patches and Kernel Version 4.12.14-lp150.12.28-default.
Windows Server is Windows 10 Professional 64 bit Build 10240, also
tested with Windows 10 Professional 64 bit Version 1809 Build 17763.95.
Mount.cifs version is 6.5.

I also tried smbclient, but as long as Windows is told to reject
unencrypted access, it won't even list the shares. Once I tell windows
to accept unencrypted access, it works fine - however encryption is
absolutely needed, just working w/o crypto's not an option.

Is my sealed mounting command wrong, or is this simply impossible?
Any hints would be greatly appreciated.

Regards,
René

-- 
René Bräuer                                braeuer at pre-sense.de
PRESENSE Technologies GmbH            Sachsenstr. 5, D-20097 HH
Geschäftsführer/Managing Directors       AG Hamburg, HRB 107844
Till Dörges, Jürgen Sander               USt-IdNr.: DE263765024


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20190107/a7ebc0a9/signature.sig>

I'm terribly sorry for the double-post, but it seems there was a problem
with the attachments the first time around.
Here goes the second attempt.

Am 07.01.19 um 15:58 schrieb René Bräuer via samba:
> Hello everyone,
> 
> I'm trying to mount a CIFS share served by Windows 10 Samba with
encryption.
> 
> On the Windows server side, I made a regular share and told Windows via
> Powershell command
> Set-SmbServerConfiguration -EncryptData 1
> to encrypt the data if possible, and via
> Set-SmbServerConfiguration -RejectUnencryptedAccess 1
> to reject unencrypted connections instead of negotiating an unencrypted
> connection.
> 
> I then proceed to connect on Linux client side via
> mount -t cifs //192.168.1.176/Share /mnt -o username=user,seal
> Expectation: after being prompted to enter the password, the mount
> should be active.
> Actual result: after entering the correct password, i get "mount
> error(13): Permission denied".
> 
> However, if I turn off the rule to only accept encrypted access, then
> use the same command without the "seal" option, it works as
expected.
> 
> I attached tcpdumps of both attempts.
> Linux client versions tested are OpenSUSE Leap 42.3 with latest Patches
> and Kernel 4.4.165-81-default as well as OpenSUSE Leap 15 with latest
> Patches and Kernel Version 4.12.14-lp150.12.28-default.
> Windows Server is Windows 10 Professional 64 bit Build 10240, also
> tested with Windows 10 Professional 64 bit Version 1809 Build 17763.95.
> Mount.cifs version is 6.5.
> 
> I also tried smbclient, but as long as Windows is told to reject
> unencrypted access, it won't even list the shares. Once I tell windows
> to accept unencrypted access, it works fine - however encryption is
> absolutely needed, just working w/o crypto's not an option.
> 
> Is my sealed mounting command wrong, or is this simply impossible?
> Any hints would be greatly appreciated.
> 
> Regards,
> René
> 
> 

-- 
René Bräuer                                braeuer at pre-sense.de
PRESENSE Technologies GmbH            Sachsenstr. 5, D-20097 HH
Geschäftsführer/Managing Directors       AG Hamburg, HRB 107844
Till Dörges, Jürgen Sander               USt-IdNr.: DE263765024

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20190107/0e3d3587/signature.sig>

On Mon, 7 Jan 2019 16:21:19 +0100
René Bräuer via samba <samba at lists.samba.org> wrote:
> I'm terribly sorry for the double-post, but it seems there was a
> problem with the attachments the first time around.
> Here goes the second attempt.
> 
No, there wasn't a problem, this list strips any attachments.

I don't think this is a Samba problem, I think you need to add
'vers=3.0' and use a kernel >= 4.11 (or one that has had encryption
backported)

Rowland

René Bräuer via samba <samba at lists.samba.org>
writes:
> Hello everyone,
>
> I'm trying to mount a CIFS share served by Windows 10 Samba with
encryption.
Which kernel and distro are you using? You may have to use the vers=3.0
mount option as the default for the linux client was SMB1 until recently
and encryption was only added in SMB3.

Additionally encryption can be set or enforced per session or per share
(via Set-SmbShare [1]).

1: https://www.rootusers.com/enable-smb-encryption-on-smb-shares/

Cheers,
-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)