samba - Jul 2015 - Samba3 shares cannot be mounted on linux box uisng cifs command , error "CIFS VFS: cifs_mount failed w/return code = -13"

Good Day All

I have a problem for our main fileserver base don samba 3.5.6

Let's give a bit of pregress first. We had a samba 3.5.6 installation which
was acting as a PDC for our internal domian called CCDC. On a sapearate
machine, we had another installation of samba 3.5.6 to act just as file
share server.

All was working ok, till I upgraded the PDC form samba 3.5.6 to samba
4.2.2 , using the classicupgrade.

Now I am able to access the shares from the windows boxes added to the CCDC
domain, but when I try to mount a cifs share form a linux box, then I get
the following error:


mount.cifs -o
username=mariopio,domain=CCDC  //seadog.mul.ie.ibm.com/scrap/4mario /media/
Password:
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

form dmesg I can see the following error:

CIFS VFS: cifs_mount failed w/return code = -13


the smb.conf of the file server is the following:


root at seadog:/etc/samba# cat smb.conf
[global]

        write cache size = 131072

      vfs objects = full_audit
      full_audit:prefix = %u,%I,%m,%S
      # removed this, so we only log failures.
      # however will keep it here commented it out for future reference

      #full_audit:success = mkdir rename unlink rmdir open chown chmod
connect readlink
      full_audit:failure = mkdir rename unlink rmdir open chown chmod
connect readlink
      full_audit:facility = local7
      full_audit:priority = NOTICE


      server string = CSI Samba Server
      workgroup = CCDC
      netbios name = SEADOG
      realm = CCDC.LAN
      security = ads
      #security = domain
      wins server = 9.161.96.220
      server signing = mandatory
      password server = 9.161.96.220

     map untrusted to domain = yes

      wins support = no
      wins proxy = no
      dns proxy = no
      name resolve order = wins host bcast

      winbind use default domain = yes

      winbind uid = 10000-20000
      winbind gid = 10000-20000
      winbind cache time = 15
      winbind enum users = yes
      winbind enum groups = yes

      # This is needed, a fake home folder so that users are able to ftp
      # this folder is empty but exists, do a getent passwd to see what I
mean
      template homedir = /home/winbind

      local master = no
      domain master = no

      # To o with ACL mapping to windows
      #
      dos filemode = Yes
      acl group control = Yes
      acl map full control = Yes
       map acl inherit = Yes

      guest account = nobody
      invalid users = root daemon bin sys sync games man lp mail news uucp
proxy www-data backup list irc gnats Debian-exim sshd ntpd

      log file = /var/log/samba/log.%m
      log level = 3

      max log size = 2000
      syslog = 0

      # using these options copied from clearcase.
      # back in the day we did research these to death
      #
#      socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
IPTOS_LOWDELAY TCP_NODELAY
      socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE
IPTOS_LOWDELAY TCP_NODELAY

      # This disables print options
      # we are not a print server
      #
      load printers = No
      disable spoolss = Yes

      smb ports = 139

      # every mount from the SAN has a lost+found folder
      # to avoid user confusion, have set this to hidden
      #
      hide files = /lost+found/

      aio read size = 1
      aio write size = 1
      follow symlinks          = no



[scrap]
      comment              = ICS - CSI general scrap Area
      path                 = /export/ICS/CSI/scrap
      valid users          = @"Domain Users"
      force create mode    = 750
      force directory mode = 740
      writeable            = Yes
      browseable           = Yes




note that on this fileserver nothing was touched during the classiupgrade,
a part the following parameters of the smb.conf


      realm = CCDC.LAN
      security = ads
      wins server = 9.161.96.220

      password server = 9.161.96.220



I have tried already different Linux machine with different distribution
and I always get the same error, I have also tried to add the parameter
"sec=ntlm or ntlmi " but hasn't changed much.

Note that for some historical reason, this file server has NOT a kerbero
workstation installation and was joined to the CCDC domain using net rpc
join instead of net ads join, could this be a problem?

any help is much appreciated!!!!


thanks
___________________________________________________________________________________________

Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4

(Embedded image moved to file: pic44465.gif)

On 14/07/15 16:49, Mario Pio Russo wrote:
>
> Good Day All
>
> I have a problem for our main fileserver base don samba 3.5.6
>
> Let's give a bit of pregress first. We had a samba 3.5.6 installation
which
> was acting as a PDC for our internal domian called CCDC. On a sapearate
> machine, we had another installation of samba 3.5.6 to act just as file
> share server.
>
> All was working ok, till I upgraded the PDC form samba 3.5.6 to samba
> 4.2.2 , using the classicupgrade.
Do you mean you upgraded an NT4 PDC via 'samba-tool domain 
classicupgrade' to an AD DC ?
>
> Now I am able to access the shares from the windows boxes added to the CCDC
> domain, but when I try to mount a cifs share form a linux box, then I get
> the following error:
>
>
> mount.cifs -o
> username=mariopio,domain=CCDC  //seadog.mul.ie.ibm.com/scrap/4mario /media/
> Password:
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> form dmesg I can see the following error:
>
> CIFS VFS: cifs_mount failed w/return code = -13
>
Your user is not known.
> the smb.conf of the file server is the following:
>
>
> root at seadog:/etc/samba# cat smb.conf
> [global]
>
>          write cache size = 131072
>
>        vfs objects = full_audit
>        full_audit:prefix = %u,%I,%m,%S
>        # removed this, so we only log failures.
>        # however will keep it here commented it out for future reference
>
>        #full_audit:success = mkdir rename unlink rmdir open chown chmod
> connect readlink
>        full_audit:failure = mkdir rename unlink rmdir open chown chmod
> connect readlink
>        full_audit:facility = local7
>        full_audit:priority = NOTICE
>
>
>        server string = CSI Samba Server
>        workgroup = CCDC
>        netbios name = SEADOG
>        realm = CCDC.LAN
>        security = ads
>        #security = domain
>        wins server = 9.161.96.220
>        server signing = mandatory
>        password server = 9.161.96.220
password server shouldn't be set, let samba find it itself.
>
>       map untrusted to domain = yes
>
>        wins support = no
>        wins proxy = no
>        dns proxy = no
>        name resolve order = wins host bcast
>
>        winbind use default domain = yes
>
>        winbind uid = 10000-20000
>        winbind gid = 10000-20000
>        winbind cache time = 15
>        winbind enum users = yes
>        winbind enum groups = yes
>
>        # This is needed, a fake home folder so that users are able to ftp
>        # this folder is empty but exists, do a getent passwd to see what I
> mean
>        template homedir = /home/winbind
>
>        local master = no
>        domain master = no
>
>        # To o with ACL mapping to windows
>        #
>        dos filemode = Yes
>        acl group control = Yes
>        acl map full control = Yes
>         map acl inherit = Yes
>
>        guest account = nobody
>        invalid users = root daemon bin sys sync games man lp mail news uucp
> proxy www-data backup list irc gnats Debian-exim sshd ntpd
>
>        log file = /var/log/samba/log.%m
>        log level = 3
>
>        max log size = 2000
>        syslog = 0
>
>        # using these options copied from clearcase.
>        # back in the day we did research these to death
>        #
> #      socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
> IPTOS_LOWDELAY TCP_NODELAY
>        socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE
> IPTOS_LOWDELAY TCP_NODELAY
>
>        # This disables print options
>        # we are not a print server
>        #
>        load printers = No
>        disable spoolss = Yes
>
>        smb ports = 139
>
>        # every mount from the SAN has a lost+found folder
>        # to avoid user confusion, have set this to hidden
>        #
>        hide files = /lost+found/
>
>        aio read size = 1
>        aio write size = 1
>        follow symlinks          = no
>
>
>
> [scrap]
>        comment              = ICS - CSI general scrap Area
>        path                 = /export/ICS/CSI/scrap
>        valid users          = @"Domain Users"
>        force create mode    = 750
>        force directory mode = 740
>        writeable            = Yes
>        browseable           = Yes
>
>
>
>
> note that on this fileserver nothing was touched during the classiupgrade,
> a part the following parameters of the smb.conf
Well, it probably should have been :-)
>
>        realm = CCDC.LAN
>        security = ads
>        wins server = 9.161.96.220
>
>        password server = 9.161.96.220
>
>
>
> I have tried already different Linux machine with different distribution
> and I always get the same error, I have also tried to add the parameter
> "sec=ntlm or ntlmi " but hasn't changed much.
>
> Note that for some historical reason, this file server has NOT a kerbero
> workstation installation and was joined to the CCDC domain using net rpc
> join instead of net ads join, could this be a problem?
It would seem the domain has been upgraded to AD and your fileserver may 
require joining to the new domain, but it is more likely to be something 
to do with the winbindd changes that came in with 4.2.0, see here:

https://www.samba.org/samba/history/samba-4.2.0.html

Rowland
> any help is much appreciated!!!!
>
>
> thanks
>
___________________________________________________________________________________________
>
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353
1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with number
> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
>
> (Embedded image moved to file: pic44465.gif)

Thanks Rowland!

few answers to your question:

1) I  used the samba-tool domain classicupgrade to "migrate" the
domain for
the pdc to a new Ubuntu server with sernet-samba-4.2.2

2) on the DC, I have configured the service to use the old winbind, as
that's just enaugh for our domain and it looked more stable during the test
phasethe smb.conf of the DC is the following:

[global]
        workgroup = CCDC
        realm = CCDC.LAN
        netbios name = CCDC-SAMBA4-DC1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes

        server services = -winbindd +winbind
        dns forwarder = 9.0.138.50
        #server services = -winbindd +winbind
        idmap config CCDC:backend = ad
        idmap config CCDC:schema_mode = rfc2307
        idmap config CCDC:range = 10000-40000


        # Store UIDs/GIDs for all other domains (including local
        # accounts/groups of this server) in a tdb file
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999

        # Use home directory and shell information from AD
        winbind nss info = rfc2307

        tls enabled  = yes
        tls keyfile  = tls/myKey.pem
        tls certfile = tls/myCert.pem
        tls cafile   
[netlogon]
        path = /var/lib/samba/sysvol/ccdc.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

3) I will remove the password server as you suggested , thanks

4) the server is present in the domain, and getent group and getent passwd
works correctlly, however it was NOT joined with net ads join, but with net
rpc join, could this make the difference? as I am currentlly thinking of
removing the server from the domain, configure kerberos-workstation and try
the net ads join, what do you think?

again thanks for the help



___________________________________________________________________________________________

Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4

(Embedded image moved to file: pic02723.gif)



From:	Rowland Penny <rowlandpenny241155 at gmail.com>
To:	samba at lists.samba.org
Date:	14/07/2015 17:50
Subject:	Re: [Samba] Samba3 shares cannot be mounted on linux box uisng
            cifs command , error "CIFS VFS: cifs_mount failed w/return code
            = -13"
Sent by:	"samba" <samba-bounces at lists.samba.org>



On 14/07/15 16:49, Mario Pio Russo wrote:
>
> Good Day All
>
> I have a problem for our main fileserver base don samba 3.5.6
>
> Let's give a bit of pregress first. We had a samba 3.5.6 installation
which
> was acting as a PDC for our internal domian called CCDC. On a sapearate
> machine, we had another installation of samba 3.5.6 to act just as file
> share server.
>
> All was working ok, till I upgraded the PDC form samba 3.5.6 to samba
> 4.2.2 , using the classicupgrade.
Do you mean you upgraded an NT4 PDC via 'samba-tool domain
classicupgrade' to an AD DC ?
>
> Now I am able to access the shares from the windows boxes added to the
CCDC
> domain, but when I try to mount a cifs share form a linux box, then I get
> the following error:
>
>
> mount.cifs -o
>
username=mariopio,domain=CCDC  //seadog.mul.ie.ibm.com/scrap/4mario
/media/
> Password:
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>
> form dmesg I can see the following error:
>
> CIFS VFS: cifs_mount failed w/return code = -13
>
Your user is not known.
> the smb.conf of the file server is the following:
>
>
> root at seadog:/etc/samba# cat smb.conf
> [global]
>
>          write cache size = 131072
>
>        vfs objects = full_audit
>        full_audit:prefix = %u,%I,%m,%S
>        # removed this, so we only log failures.
>        # however will keep it here commented it out for future reference
>
>        #full_audit:success = mkdir rename unlink rmdir open chown chmod
> connect readlink
>        full_audit:failure = mkdir rename unlink rmdir open chown chmod
> connect readlink
>        full_audit:facility = local7
>        full_audit:priority = NOTICE
>
>
>        server string = CSI Samba Server
>        workgroup = CCDC
>        netbios name = SEADOG
>        realm = CCDC.LAN
>        security = ads
>        #security = domain
>        wins server = 9.161.96.220
>        server signing = mandatory
>        password server = 9.161.96.220
password server shouldn't be set, let samba find it itself.
>
>       map untrusted to domain = yes
>
>        wins support = no
>        wins proxy = no
>        dns proxy = no
>        name resolve order = wins host bcast
>
>        winbind use default domain = yes
>
>        winbind uid = 10000-20000
>        winbind gid = 10000-20000
>        winbind cache time = 15
>        winbind enum users = yes
>        winbind enum groups = yes
>
>        # This is needed, a fake home folder so that users are able to ftp
>        # this folder is empty but exists, do a getent passwd to see what
I
> mean
>        template homedir = /home/winbind
>
>        local master = no
>        domain master = no
>
>        # To o with ACL mapping to windows
>        #
>        dos filemode = Yes
>        acl group control = Yes
>        acl map full control = Yes
>         map acl inherit = Yes
>
>        guest account = nobody
>        invalid users = root daemon bin sys sync games man lp mail news
uucp
> proxy www-data backup list irc gnats Debian-exim sshd ntpd
>
>        log file = /var/log/samba/log.%m
>        log level = 3
>
>        max log size = 2000
>        syslog = 0
>
>        # using these options copied from clearcase.
>        # back in the day we did research these to death
>        #
> #      socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
> IPTOS_LOWDELAY TCP_NODELAY
>        socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE
> IPTOS_LOWDELAY TCP_NODELAY
>
>        # This disables print options
>        # we are not a print server
>        #
>        load printers = No
>        disable spoolss = Yes
>
>        smb ports = 139
>
>        # every mount from the SAN has a lost+found folder
>        # to avoid user confusion, have set this to hidden
>        #
>        hide files = /lost+found/
>
>        aio read size = 1
>        aio write size = 1
>        follow symlinks          = no
>
>
>
> [scrap]
>        comment              = ICS - CSI general scrap Area
>        path                 = /export/ICS/CSI/scrap
>        valid users          = @"Domain Users"
>        force create mode    = 750
>        force directory mode = 740
>        writeable            = Yes
>        browseable           = Yes
>
>
>
>
> note that on this fileserver nothing was touched during the
classiupgrade,
> a part the following parameters of the smb.conf
Well, it probably should have been :-)
>
>        realm = CCDC.LAN
>        security = ads
>        wins server = 9.161.96.220
>
>        password server = 9.161.96.220
>
>
>
> I have tried already different Linux machine with different distribution
> and I always get the same error, I have also tried to add the parameter
> "sec=ntlm or ntlmi " but hasn't changed much.
>
> Note that for some historical reason, this file server has NOT a kerbero
> workstation installation and was joined to the CCDC domain using net rpc
> join instead of net ads join, could this be a problem?
It would seem the domain has been upgraded to AD and your fileserver may
require joining to the new domain, but it is more likely to be something
to do with the winbindd changes that came in with 4.2.0, see here:

https://www.samba.org/samba/history/samba-4.2.0.html

Rowland
> any help is much appreciated!!!!
>
>
> thanks
>
___________________________________________________________________________________________
>
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353
1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with
number
> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin
4
>
> (Embedded image moved to file: pic44465.gif)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba