Issue with OmniOS and non-domain machines


scrummie02 (New Member, joined May 9, 2015):
Hello all, I have an OmniOS NAS on a domain. I have domain machines on the domain mapping drives just fine. I can also browse to a share using \\server\share.

The issue is non-domain machines. There are some Linux boxes that need to mount the SMB shares and can't. They get a permission denied -13 error. Thing is, I can mount windows servers just fine using the mount.cifs command. Using the exact same syntax the SMB shares mount. When I try the same for the OmniOS server it can't mount. I can't even browse to \\server\share from non-domain windows machines. I'd expect it to be browseable but ask for credentials like Windows servers usually do but it simply refuses to connect. Is there a setting somewhere in Napp-it I'm missing?
 

manxam (Active Member, joined Jul 25, 2015):
I use the following to mount smb shares on OmniOS in a domain from a non-joined linux system after creating an appropriate domain user account:
Code:
mount.cifs -o credentials=/root/.domaincred,iocharset=utf8,gid=plex,dir_mode=0775,file_mode=0664 //server/Movies /mnt/Movies
The .domaincred file (600 root/root):
Code:
username=plex
password=password
domain=mydomain
 

martin11062013 (New Member, joined Dec 31, 2016):
Hi,

Try sec=ntlm; the default security mode, ntlmssp, isn't supported:
mount -t cifs -o username=myuser,domain=MYDOMAIN.COM,sec=ntlm //mynas/share /mnt/share

regards
Martin
 

scrummie02 (New Member, joined May 9, 2015):
martin11062013 said:
Hi,

Try sec=ntlm; the default security mode, ntlmssp, isn't supported:
mount -t cifs -o username=myuser,domain=MYDOMAIN.COM,sec=ntlm //mynas/share /mnt/share

regards
Martin

WINRAR...

That was it. I had tried the other post above before I posted here. In any case, this is the solution. Thanks in advance!
 

manxam (Active Member, joined Jul 25, 2015):
Can someone explain this please? I have about a dozen Linux guests all connecting to my domain-joined OmniOS/napp-it instance WITHOUT "sec=ntlm" without an issue. All connections work and I can read and write to these shares as if they were on the domain.

Is this a change in later versions of CIFS or earlier versions of OmniOS?
 

martin11062013 (New Member, joined Dec 31, 2016):
What Linux client versions are you using when mounting the SMB share?
In my Fedora 25, "man mount.cifs" says: sec= .... The default in mainline kernel versions prior to v3.8 was sec=ntlm. In v3.8, the default was changed to sec=ntlmssp.

I think the problem is the SMB server on OmniOS.
On the Solaris SMB server there is an option "server_lmauth_level"; this option isn't available in the OmniOS version I'm using.
 

gea (Well-Known Member, joined Dec 31, 2010, DE):
You can set lmauth_level;
see napp-it menu Services > SMB > Properties.
 

martin11062013 (New Member, joined Dec 31, 2016):
lmauth_level is set to 4.
Is this setting relevant for client and server mode?
Connection to the Server 2008 AD is working, but mounting the share with Linux only works with "sec=ntlm".
Which level should be set to get NTLMv2 working?
 

manxam (Active Member, joined Jul 25, 2015):
My OmniOS install is also set to level 4, is domain joined, and every Linux client is running kernel 3.13.xx (and the man pages for mount.cifs mention the change in 3.8+, as does yours). I have never had to set sec manually. Very strange.
 

Bronko (Member, joined May 13, 2016):
martin11062013 said:
lmauth_level is set to 4.
Is this setting relevant for client and server mode?

illumos manual page: smb.4

Code:
lmauth_level

           Specifies the LAN Manager (LM) authentication level. The LM
           compatibility level controls the type of user authentication to use
           in workgroup mode or domain mode. The default value is 3.

           The following describes the behavior at each level.

           2
                        In Windows workgroup mode, the Solaris CIFS server
                        accepts LM, NTLM, LMv2, and NTLMv2 requests. In domain
                        mode, the SMB redirector on the Solaris CIFS server
                        sends NTLM requests.


           3
                        In Windows workgroup mode, the Solaris CIFS server
                        accepts LM, NTLM, LMv2, and NTLMv2 requests. In domain
                        mode, the SMB redirector on the Solaris CIFS server
                        sends LMv2 and NTLMv2 requests.


           4
                        In Windows workgroup mode, the Solaris CIFS server
                        accepts NTLM, LMv2, and NTLMv2 requests. In domain mode,
                        the SMB redirector on the Solaris CIFS server sends LMv2
                        and NTLMv2 requests.


           5
                        In Windows workgroup mode, the Solaris CIFS server
                        accepts LMv2 and NTLMv2 requests. In domain mode, the
                        SMB redirector on the Solaris CIFS server sends LMv2 and
                        NTLMv2 requests.
 

martin11062013 (New Member, joined Dec 31, 2016):
I did some testing with my Fedora 25: NTLMv2 is working if I don't write the FQDN. Damn!
mount -t cifs -o username=myuser,domain=MYDOMAIN.COM,sec=ntlm //mynas/share /mnt/share #working
mount -t cifs -o username=myuser,domain=MYDOMAIN,sec=ntlm //mynas/share /mnt/share #working
mount -t cifs -o username=myuser,domain=MYDOMAIN.COM,sec=ntlmv2 //mynas/share /mnt/share #not working
mount -t cifs -o username=myuser,domain=MYDOMAIN,sec=ntlmv2 //mynas/share /mnt/share #working

I also found the kernel parameter which is responsible for security negotiation and packet signing:
https://www.kernel.org/doc/readme/Documentation-filesystems-cifs-README
When setting the flag to 0x04004 I can mount without the sec parameter:
echo 0x04004 > /proc/fs/cifs/SecurityFlags
mount -t cifs -o username=myuser,domain=MYDOMAIN //mynas/share /mnt/share
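The following is an added example, not code from any poster in this thread. It turns the thread's findings into a small POSIX sh helper: a root-only credentials file (manxam's 600 root/root), the NetBIOS-style domain name without the DNS suffix (Martin's test matrix), and sec=ntlmv2 rather than sec=ntlm so the client does not fall back to NTLMv1 when the server accepts NTLMv2 (lmauth_level 4 accepts NTLM, LMv2 and NTLMv2 in the man page excerpt above). It also decodes the CIFS SecurityFlags bits from the README Martin links, where 0x04004 is the "must use NTLMv2" value and 0x00010 / 0x00020 are the weak LANMAN and plaintext options. The function names (`netbios_domain`, `write_creds`, `creds_mode_ok`, `build_mount_cmd`, `ntlmv2_required`, `weak_auth_allowed`) are my own; the helper only prints the mount command instead of running it, so it can be tested without a CIFS server.

```shell
#!/bin/sh
# Added example (not from the thread). Helper functions for mounting an
# OmniOS/illumos SMB share from a non-domain Linux box in the way the thread
# ended up recommending. All names below are hypothetical.

# Strip the DNS suffix and upper-case the result, because the thread found
# that sec=ntlmv2 fails with domain=MYDOMAIN.COM but works with domain=MYDOMAIN.
netbios_domain() {
    printf '%s\n' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]'
}

# Write a mount.cifs credentials file (username=/password=/domain=) with the
# file created under umask 077, so it is never world-readable, not even briefly.
# $1 path, $2 user, $3 password, $4 domain (FQDN or NetBIOS; stored as NetBIOS)
write_creds() {
    ( umask 077
      printf 'username=%s\npassword=%s\ndomain=%s\n' "$2" "$3" "$(netbios_domain "$4")" > "$1" )
}

# Accept only mode 0600 or 0400 on the credentials file (GNU stat, BSD fallback).
creds_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the mount command. sec=ntlmv2 instead of the thread's sec=ntlm
# workaround; the domain comes from the credentials file written above.
# $1 credentials file, $2 //server/share, $3 mount point
build_mount_cmd() {
    creds_mode_ok "$1" || { echo "refusing: $1 must be mode 0600 (or 0400)" >&2; return 1; }
    printf 'mount -t cifs -o credentials=%s,sec=ntlmv2,iocharset=utf8 %s %s\n' "$1" "$2" "$3"
}

# Decode /proc/fs/cifs/SecurityFlags values (pass the hex string, e.g. 0x04004).
# Per the CIFS README: 0x00004 = may use NTLMv2, 0x04004 = must use NTLMv2,
# 0x00010 = may use LANMAN hash, 0x00020 = may use plaintext passwords.
ntlmv2_required() {
    [ $(( $1 & 0x04004 )) -eq $(( 0x04004 )) ]
}

weak_auth_allowed() {
    [ $(( $1 & 0x00030 )) -ne 0 ]
}

# Usage: sh cifs_mount_helper.sh /root/.domaincred //mynas/share /mnt/share
if [ "$#" -eq 3 ]; then
    build_mount_cmd "$@"
fi
```

Add gid=, dir_mode= and file_mode= from manxam's command to the printed options if the share is consumed by a service account such as plex. To audit the client-side flags on a box where someone echoed a value into /proc/fs/cifs/SecurityFlags, feed that file's content to `weak_auth_allowed`: a non-zero result means LANMAN or plaintext authentication is still negotiable.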
 

manxam (Active Member, joined Jul 25, 2015):
martin11062013 said:
I did some testing with my Fedora 25: NTLMv2 is working if I don't write the FQDN. Damn!

That explains it. In my example above (that I use internally), I specify the NetBIOS domain name and not the full domain name.

Head scratching complete.. :)