Mario Pio Russo
2015-Jul-15 12:42 UTC
[Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"
ok, what do you suggest then? maybe changing the authentication to another group like "domainusers" ?

From: Rowland Penny
To: samba at lists.samba.org
Date: 15/07/2015 12:49

On 15/07/15 11:06, Mario Pio Russo wrote:
> I have some more findings about this
>
> it looks like getent does not get the right information from the Domain
> Controller, in fact the domain user groups shows with NO member users:
>
> getent group | grep "domain users"
> domain users:x:10000:
> root at seadog:~#
>
> Now funny thing is that other folders for which getent retrieves the users
> correctly are mounted fine. any idea why I don't see the users in getent?

Yes :-D

Oh, you want to know why :-)

Every user is a member of Domain Users and as such they are not shown as
being members in the AD object, this is why getent doesn't show them.

Rowland

> for example:
> root at seadog:~# getent group | grep "domain admins"
> domain admins:x:10001:ieu94629,ieu94243,ftp3-admin,administrator
>
> any idea?
>
> From: Rowland Penny
> To: samba at lists.samba.org
> Date: 14/07/2015 20:00
>
> On 14/07/15 19:27, Mario Pio Russo wrote:
>> well, I have configured the kdc client on the file server, joined the
>> domain using net ads join and it worked fine, again getent group, getent
>> passwd, wbinfo -u they all work perfectly fine
> Well, this sounds like samba is working correctly.
>
>> I am also able to browse the shares from any windows machine joined to the
>> CCDC domain, but I am still not able to do ANY mount.cifs, not even from
>> linux boxes joined to the domain :-/
> Any error messages anywhere ?
> Also when you say 'browse', can you give a bit more info, how are you
> 'browsing' and where are the shares, on the DC or somewhere else?
>
>> I have no idea what's happening.
>>
>> P.S. another thing I have noticed is that from windows machines, when I try
>> to do a network map to a share on the samba4, it gives "Authentication
>> Failure", while it was working correctly before the migration.
> Well, that probably means what it says, for some reason, samba is not
> recognising either your users or their passwords,
>
> Rowland
>
>> I'm running short of ideas now, any help more than welcome!
>>
>> From: Rowland Penny
>> To: samba at lists.samba.org
>> Date: 14/07/2015 19:07
>>
>> On 14/07/15 18:19, Mario Pio Russo wrote:
>>> Thanks Rowland!
>>>
>>> few answers to your question:
>>>
>>> 1) I used the samba-tool domain classicupgrade to "migrate" the domain for
>>> the pdc to a new Ubuntu server with sernet-samba-4.2.2
>>>
>>> 2) on the DC, I have configured the service to use the old winbind, as
>>> that's just enough for our domain and it looked more stable during the test
>>> phase. the smb.conf of the DC is the following:
>>>
>>> [global]
>>> workgroup = CCDC
>>> realm = CCDC.LAN
>>> netbios name = CCDC-SAMBA4-DC1
>>> server role = active directory domain controller
>>> idmap_ldb:use rfc2307 = yes
>>>
>>> server services = -winbindd +winbind
>> Remove these lines, they are not doing anything!
>>> dns forwarder = 9.0.138.50
>>> #server services = -winbindd +winbind
>>> idmap config CCDC:backend = ad
>>> idmap config CCDC:schema_mode = rfc2307
>>> idmap config CCDC:range = 10000-40000
>>>
>>> # Store UIDs/GIDs for all other domains (including local
>>> # accounts/groups of this server) in a tdb file
>>> idmap config *:backend = tdb
>>> idmap config *:range = 2000-9999
>>>
>>> # Use home directory and shell information from AD
>>> winbind nss info = rfc2307
>> Ok, from here on no problems.
>>> tls enabled = yes
>>> tls keyfile = tls/myKey.pem
>>> tls certfile = tls/myCert.pem
>>> tls cafile
>>>
>>> [netlogon]
>>> path = /var/lib/samba/sysvol/ccdc.lan/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /var/lib/samba/sysvol
>>> read only = No
>>>
>>> 3) I will remove the password server as you suggested, thanks
>>>
>>> 4) the server is present in the domain, and getent group and getent passwd
>>> works correctly, however it was NOT joined with net ads join, but with net
>>> rpc join, could this make the difference? as I am currently thinking of
>>> removing the server from the domain, configure kerberos-workstation and try
>>> the net ads join, what do you think?
>> If getent is working, then there should be no reason to leave & rejoin
>> the domain, but then again, there is no reason not to try it :-)
>>
>> Rowland
>>
>>> again thanks for the help
>>>
>>> From: Rowland Penny
>>> To: samba at lists.samba.org
>>> Date: 14/07/2015 17:50
>>>
>>> On 14/07/15 16:49, Mario Pio Russo wrote:
>>>> Good Day All
>>>>
>>>> I have a problem for our main fileserver based on samba 3.5.6
>>>>
>>>> Let's give a bit of pregress first. We had a samba 3.5.6 installation which
>>>> was acting as a PDC for our internal domain called CCDC. On a separate
>>>> machine, we had another installation of samba 3.5.6 to act just as file
>>>> share server.
>>>>
>>>> All was working ok, till I upgraded the PDC from samba 3.5.6 to samba
>>>> 4.2.2, using the classicupgrade.
>>> Do you mean you upgraded an NT4 PDC via 'samba-tool domain
>>> classicupgrade' to an AD DC ?
>>>
>>>> Now I am able to access the shares from the windows boxes added to the CCDC
>>>> domain, but when I try to mount a cifs share from a linux box, then I get
>>>> the following error:
>>>>
>>>> mount.cifs -o username=mariopio,domain=CCDC //seadog.mul.ie.ibm.com/scrap/4mario /media/
>>>> Password:
>>>> mount error(13): Permission denied
>>>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>>>
>>>> from dmesg I can see the following error:
>>>>
>>>> CIFS VFS: cifs_mount failed w/return code = -13
>>>>
>>> Your user is not known.
>>>
>>>> the smb.conf of the file server is the following:
>>>>
>>>> root at seadog:/etc/samba# cat smb.conf
>>>> [global]
>>>>
>>>> write cache size = 131072
>>>>
>>>> vfs objects = full_audit
>>>> full_audit:prefix = %u,%I,%m,%S
>>>> # removed this, so we only log failures.
>>>> # however will keep it here commented it out for future reference
>>>> #full_audit:success = mkdir rename unlink rmdir open chown chmod connect readlink
>>>> full_audit:failure = mkdir rename unlink rmdir open chown chmod connect readlink
>>>> full_audit:facility = local7
>>>> full_audit:priority = NOTICE
>>>>
>>>> server string = CSI Samba Server
>>>> workgroup = CCDC
>>>> netbios name = SEADOG
>>>> realm = CCDC.LAN
>>>> security = ads
>>>> #security = domain
>>>> wins server = 9.161.96.220
>>>> server signing = mandatory
>>>> password server = 9.161.96.220
>>> password server shouldn't be set, let samba find it itself.
>>>
>>>> map untrusted to domain = yes
>>>>
>>>> wins support = no
>>>> wins proxy = no
>>>> dns proxy = no
>>>> name resolve order = wins host bcast
>>>>
>>>> winbind use default domain = yes
>>>>
>>>> winbind uid = 10000-20000
>>>> winbind gid = 10000-20000
>>>> winbind cache time = 15
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>>
>>>> # This is needed, a fake home folder so that users are able to ftp
>>>> # this folder is empty but exists, do a getent passwd to see what I mean
>>>> template homedir = /home/winbind
>>>>
>>>> local master = no
>>>> domain master = no
>>>>
>>>> # To do with ACL mapping to windows
>>>> #
>>>> dos filemode = Yes
>>>> acl group control = Yes
>>>> acl map full control = Yes
>>>> map acl inherit = Yes
>>>>
>>>> guest account = nobody
>>>> invalid users = root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats Debian-exim sshd ntpd
>>>>
>>>> log file = /var/log/samba/log.%m
>>>> log level = 3
>>>>
>>>> max log size = 2000
>>>> syslog = 0
>>>>
>>>> # using these options copied from clearcase.
>>>> # back in the day we did research these to death
>>>> #
>>>> # socket options = SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>>>> socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>>>>
>>>> # This disables print options
>>>> # we are not a print server
>>>> #
>>>> load printers = No
>>>> disable spoolss = Yes
>>>>
>>>> smb ports = 139
>>>>
>>>> # every mount from the SAN has a lost+found folder
>>>> # to avoid user confusion, have set this to hidden
>>>> #
>>>> hide files = /lost+found/
>>>>
>>>> aio read size = 1
>>>> aio write size = 1
>>>> follow symlinks = no
>>>>
>>>> [scrap]
>>>> comment = ICS - CSI general scrap Area
>>>> path = /export/ICS/CSI/scrap
>>>> valid users = @"Domain Users"
>>>> force create mode = 750
>>>> force directory mode = 740
>>>> writeable = Yes
>>>> browseable = Yes
>>>>
>>>> note that on this fileserver nothing was touched during the classicupgrade,
>>>> apart from the following parameters of the smb.conf
>>> Well, it probably should have been :-)
>>>
>>>> realm = CCDC.LAN
>>>> security = ads
>>>> wins server = 9.161.96.220
>>>>
>>>> password server = 9.161.96.220
>>>>
>>>> I have tried already different Linux machine with different distribution
>>>> and I always get the same error, I have also tried to add the parameter
>>>> "sec=ntlm or ntlmi " but hasn't changed much.
>>>>
>>>> Note that for some historical reason, this file server has NOT a kerberos
>>>> workstation installation and was joined to the CCDC domain using net rpc
>>>> join instead of net ads join, could this be a problem?
>>> It would seem the domain has been upgraded to AD and your fileserver may
>>> require joining to the new domain, but it is more likely to be something
>>> to do with the winbindd changes that came in with 4.2.0, see here:
>>>
>>> https://www.samba.org/samba/history/samba-4.2.0.html
>>>
>>> Rowland
>>>
>>>> any help is much appreciated!!!!
>>>>
>>>> thanks
Mario Pio Russo
2015-Jul-15 14:10 UTC
[Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"
OR

is there any way, or magical hidden parameter in the smb.conf that allows to enumerate the users in the Domain Users? tbh this has a huge impact on the file share server as many directories have "domain users" as group

From: Mario Pio Russo
To: Rowland Penny
Cc: samba at lists.samba.org
Date: 15/07/2015 13:48

ok, what do you suggest then? maybe changing the authentication to another group like "domainusers" ?
Rowland Penny
2015-Jul-15 15:49 UTC
[Samba] Samba3 shares cannot be mounted on linux box using cifs command, error "CIFS VFS: cifs_mount failed w/return code = -13"
On 15/07/15 15:10, Mario Pio Russo wrote:
> OR
>
> is there any way, or magical hidden parameter in the smb.conf that allows to
> enumerate the users in the Domain Users? tbh this has a huge impact on the
> file share server as many directories have "domain users" as group

I don't think you understand this at all :-)

If a user is a member of an AD domain, then they are members of the Domain Users group, this is done via the 'primaryGroupID' attribute which should be set to '513'.

If you examine the 'Domain Users' object in AD, you will find that it doesn't show as having *any* users, yet every user is a member and windows recognises this. So when you upgrade the 'Domain Users' group to being a Unix group by giving it a 'gidNumber' attribute and samba on a Unix client is set up correctly, the Unix machine will also recognise this and allow members of the 'Domain Users' group access to a share, this will happen even if 'getent group Domain\ Users' shows no members of the group.

You should note that you may also use domain_users to reference the group.
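The membership rule described in the reply above, as an added example that is not code from the thread or from Samba: it models why enumerating a group's member list leaves Domain Users empty while a share restricted to that group still admits every domain user. Group names, gid numbers and account names come from the getent output quoted in the thread; the domain SID is a constructed placeholder, the function names are hypothetical, RID 512 for Domain Admins is the well-known value rather than one stated in the thread, and every account is assumed to keep the default primaryGroupID of 513.

```python
"""Why 'getent group' shows Domain Users as empty yet its members get access."""
# Constructed sample data; the domain SID is a placeholder, not from the thread.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

GROUPS = {
    "domain users": {"objectSid": DOMAIN_SID + "-513", "gidNumber": 10000,
                     "member": []},
    "domain admins": {"objectSid": DOMAIN_SID + "-512", "gidNumber": 10001,
                      "member": ["ieu94629", "ieu94243", "ftp3-admin", "administrator"]},
}
# Assumption: every account keeps the default primaryGroupID of 513.
USERS = {name: {"primaryGroupID": 513} for name in
         ["mariopio", "ieu94629", "ieu94243", "ftp3-admin", "administrator"]}

def rid(sid):
    """Last sub-authority of a SID; primaryGroupID holds this number."""
    return int(sid.rsplit("-", 1)[1])

def getent_line(group):
    """The enumerated view: only the group's explicit 'member' list."""
    g = GROUPS[group]
    return f"{group}:x:{g['gidNumber']}:{','.join(g['member'])}"

def effective_members(group):
    """Explicit members plus users whose primaryGroupID is the group's RID."""
    group_rid = rid(GROUPS[group]["objectSid"])
    primary = {u for u, a in USERS.items() if a["primaryGroupID"] == group_rid}
    return sorted(primary | set(GROUPS[group]["member"]))

def allowed(user, valid_group):
    """Decision for a share restricted with valid users = @valid_group."""
    return user in effective_members(valid_group)

def undercounted():
    """Groups where an audit based on the enumerated list misses members."""
    gaps = {}
    for name, g in GROUPS.items():
        missing = sorted(set(effective_members(name)) - set(g["member"]))
        if missing:
            gaps[name] = missing
    return gaps

if __name__ == "__main__":
    for name in GROUPS:
        print(getent_line(name), "->", effective_members(name))
    print("mariopio on @'domain users' share:", allowed("mariopio", "domain users"))
    print("missed by enumeration:", undercounted())
```

When reviewing who can reach a share, a per-user lookup such as `id <user>` is the matching check on a member server, because it reports the primary group as well as the supplementary ones.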