René Bräuer
2019-Jan-07 14:58 UTC
[Samba] Fwd: mounting a windows share on a linux client using mount.cifs with encryption
Hello everyone, I'm trying to mount a CIFS share served by Windows 10 Samba with encryption. On the Windows server side, I made a regular share and told Windows via Powershell command Set-SmbServerConfiguration -EncryptData 1 to encrypt the data if possible, and via Set-SmbServerConfiguration -RejectUnencryptedAccess 1 to reject unencrypted connections instead of negotiating an unencrypted connection. I then proceed to connect on Linux client side via mount -t cifs //192.168.1.176/Share /mnt -o username=user,seal Expectation: after being prompted to enter the password, the mount should be active. Actual result: after entering the correct password, i get "mount error(13): Permission denied". However, if I turn off the rule to only accept encrypted access, then use the same command without the "seal" option, it works as expected. I attached tcpdumps of both attempts. Linux client versions tested are OpenSUSE Leap 42.3 with latest Patches and Kernel 4.4.165-81-default as well as OpenSUSE Leap 15 with latest Patches and Kernel Version 4.12.14-lp150.12.28-default. Windows Server is Windows 10 Professional 64 bit Build 10240, also tested with Windows 10 Professional 64 bit Version 1809 Build 17763.95. Mount.cifs version is 6.5. I also tried smbclient, but as long as Windows is told to reject unencrypted access, it won't even list the shares. Once I tell windows to accept unencrypted access, it works fine - however encryption is absolutely needed, just working w/o crypto's not an option. Is my sealed mounting command wrong, or is this simply impossible? Any hints would be greatly appreciated. Regards, René -- René Bräuer braeuer at pre-sense.de PRESENSE Technologies GmbH Sachsenstr. 5, D-20097 HH Geschäftsführer/Managing Directors AG Hamburg, HRB 107844 Till Dörges, Jürgen Sander USt-IdNr.: DE263765024 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20190107/a7ebc0a9/signature.sig>
René Bräuer
2019-Jan-07 15:21 UTC
[Samba] Fwd: mounting a windows share on a linux client using mount.cifs with encryption
I'm terribly sorry for the double-post, but it seems there was a problem with the attachments the first time around. Here goes the second attempt. Am 07.01.19 um 15:58 schrieb René Bräuer via samba:> Hello everyone, > > I'm trying to mount a CIFS share served by Windows 10 Samba with encryption. > > On the Windows server side, I made a regular share and told Windows via > Powershell command > Set-SmbServerConfiguration -EncryptData 1 > to encrypt the data if possible, and via > Set-SmbServerConfiguration -RejectUnencryptedAccess 1 > to reject unencrypted connections instead of negotiating an unencrypted > connection. > > I then proceed to connect on Linux client side via > mount -t cifs //192.168.1.176/Share /mnt -o username=user,seal > Expectation: after being prompted to enter the password, the mount > should be active. > Actual result: after entering the correct password, i get "mount > error(13): Permission denied". > > However, if I turn off the rule to only accept encrypted access, then > use the same command without the "seal" option, it works as expected. > > I attached tcpdumps of both attempts. > Linux client versions tested are OpenSUSE Leap 42.3 with latest Patches > and Kernel 4.4.165-81-default as well as OpenSUSE Leap 15 with latest > Patches and Kernel Version 4.12.14-lp150.12.28-default. > Windows Server is Windows 10 Professional 64 bit Build 10240, also > tested with Windows 10 Professional 64 bit Version 1809 Build 17763.95. > Mount.cifs version is 6.5. > > I also tried smbclient, but as long as Windows is told to reject > unencrypted access, it won't even list the shares. Once I tell windows > to accept unencrypted access, it works fine - however encryption is > absolutely needed, just working w/o crypto's not an option. > > Is my sealed mounting command wrong, or is this simply impossible? > Any hints would be greatly appreciated. > > Regards, > René > >-- René Bräuer braeuer at pre-sense.de PRESENSE Technologies GmbH Sachsenstr. 5, D-20097 HH Geschäftsführer/Managing Directors AG Hamburg, HRB 107844 Till Dörges, Jürgen Sander USt-IdNr.: DE263765024 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20190107/0e3d3587/signature.sig>
Rowland Penny
2019-Jan-07 15:33 UTC
[Samba] Fwd: mounting a windows share on a linux client using mount.cifs with encryption
On Mon, 7 Jan 2019 16:21:19 +0100 René Bräuer via samba <samba at lists.samba.org> wrote:> I'm terribly sorry for the double-post, but it seems there was a > problem with the attachments the first time around. > Here goes the second attempt. >No, there wasn't a problem, this list strips any attachments. I don't think this is a Samba problem, I think you need to add 'vers=3.0' and use a kernel >= 4.11 (or one that has had encryption backported) Rowland
Aurélien Aptel
2019-Jan-07 16:34 UTC
[Samba] Fwd: mounting a windows share on a linux client using mount.cifs with encryption
René Bräuer via samba <samba at lists.samba.org> writes:> Hello everyone, > > I'm trying to mount a CIFS share served by Windows 10 Samba with encryption.Which kernel and distro are you using? You may have to use the vers=3.0 mount option as the default for the linux client was SMB1 until recently and encryption was only added in SMB3. Additionally encryption can be set or enforced per session or per share (via Set-SmbShare [1]). 1: https://www.rootusers.com/enable-smb-encryption-on-smb-shares/ Cheers, -- Aurélien Aptel / SUSE Labs Samba Team GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3 SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Apparently Analagous Threads
- Fwd: mounting a windows share on a linux client using mount.cifs with encryption
- MCollective discovery - we did not discover any nodes
- mount.cifs with "sec=ntlmv2" fails ("mount error(22): Invalid argument")
- [Bug 90626] New: HP ZBook 15 nouveau driver hangup for kernel >= 3.19
- Online Backup fails