Ubuntu – mount cifs share on terminal fails (using password or kerberos krb5 ticket)

cifscommand linekerberosmountsamba

HOST: Kubuntu 16.04.3 LTS

LOCALHOST: Kubuntu 17.10

I'm not able anymore to mount a cifs share on a terminal:

mount -t cifs -o user=USER,domain=DOMAIN //HOST/share /mnt/tmp
Password for USER@//HOST/share:  *************
mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

In syslog I found the error messages when attempting:

Status code returned 0xc000005e STATUS_NO_LOGON_SERVERS
CIFS VFS: Send error in SessSetup = -5
CIFS VFS: cifs_mount failed w/return code = -5

I'm sure this is a working share with sufficient permissions for that user. I can start dolphin and open smb://HOST/share without any problems!

My system is in an Active Directory environment (realm, sssd) and I also tried to mount using a kerberos ticket but faild:

mount -t cifs -o user=USER,domain=DOMAIN,cruid=USER,sec=krb5 //HOST/Share /mnt/tmp
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

In syslog I found this error messages when attempting:

CIFS VFS: Send error in SessSetup = -2
CIFS VFS: cifs_mount failed w/return code = -2

SSO via kerberos is working! Using smb://HOST/share on dolphin I can open the share without a password.

Also I can login to the share using

smbclient -U USER //HOST/share

and I can list files there using 'ls'.

I found someone in with the same error in the internet but he could solve it by uninstalling winbind. Unfortunately I have no winbind installed on both machines and so this is not a fix for me. Someone else needed to add the workgroup name, which is not working for me too.
Also I found to use a different smb version for mounting. Unfortunately it always fails with "cifs_mount faild w/return code = -5" (vers=1.0, vers=2.0, vers=2.1, vers=3.0, vers=3.1.1).

I could reproduce this error between two clients with both LTS or latest release 16.04<->16.04 and 17.10<->17.10.

Interesting:
mounting is working if I mount a Windows share and not a linux samba share!

What is the reason for cifs_mount error -5?

Thanks!

Best Answer

I recommend you use fstab for mounting.

Try to check the logs to troubleshoot the causes of your problem, try this command to display the list of files which could display the mount logs:

grep -e mount -e ext4 -lR /var/log 2> /dev/null

For me, the mount logs were in /var/log/syslog it may be different for you.

Now you need two terminal tabs open, enter the command on one tab: sudo tail -f /var/log/syslog

And on the second tab, try to mount the system with the following command:

mount -t cifs -o user=USER,domain=DOMAIN,cruid=USER,sec=krb5 //HOST/Share /mnt/tmp

If you go back to your first tab you should be able to see some log errors. For me the errors were(for you it may be different):

   kernel: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
   kernel: CIFS VFS: protocol revalidation - security settings mismatch
   kernel: CIFS VFS: session ffff90a6a2959000 has no tcon available for a dfs referral request
   kernel: CIFS VFS: cifs_mount failed w/return code = -5

Depending on your error logs, you may be able to get away with adding vers=1.0 to your mount command and this could work but it is the less secure version of smb. Otherwise, you could workout what the solution is based on the error you get.

What you could also try is configure the Samba server inside /etc/samba/smb.conf similar to this (it works for me):

[username]
   comment = Username's developer directory
   read only = no
   locking = no
   path = /var/www/username
   guest ok = no
   writeable = yes

Then on the client, add the following line to /etc/fstab

//server/username /mountpoint cifs vers=1.0,username=username,iocharset=utf8,uid=your_profile_uid_on_the_server 0 0

Use sudo mount /mountpint See how this goes, hopefully this information will be useful to you.

Use automount + multiuser option of mount.cifs

You can achieve this using automount and the multiuser option for mount.cifs. Install the required packages:

sudo apt install autofs keyutils cifs-utils

The following example assumes that the cifs server exports a share that is named after the user that is accessing it. Normally that would be suitable for home directories.

Add this to your /etc/auto.master:

/cifs /etc/auto.cifs

In /etc/auto.cifs put this:

*   -fstype=cifs,multiuser,cruid=${UID},sec=krb5    ://server.domain/&

Make sure to replace server.domain by your file server. You could also use a fixed share this way. Just replace the * by a fixed name and also the &.

An important detail in the above configuration is the cruid=${UID}. It will make the kernel look for a kerberos ticket in the context of the user accessing the share. Otherwise it would be trying roots ticket cache.

Finally reload automount:

sudo service autofs reload

If you have a kerberos ticket, it will mount the file system /cifs/$USER on first access. That means you need to explicitly type e. g. cd /cifs/myuser or a similar action in a GUI file browser. To avoid this you could place symbolic links pointing to this from somewhere else and tell users to access those.

If you are using a fixed share (not using * and &) of course you would have to type cd /cifs/sharename.

Subsequent access by other users to the same share will be using their permissions, made possible by the multiuser option. No additional mount will be made but the existing one reused.

From mount.cifs(8):

   multiuser
       Map user accesses to individual credentials when accessing
       the server. By default, CIFS mounts only use a single set of
       user credentials (the mount credentials) when accessing a
       share. With this option, the client instead creates a new
       session with the server using the user's credentials whenever
       a new user accesses the mount. Further accesses by that user
       will also use those credentials. Because the kernel cannot
       prompt for passwords, multiuser mounts are limited to mounts
       using sec= options that don't require passwords.

It is also possible to add the required automount maps to an LDAP server for central management, but this is probably beyond the scope of this answer.

In your question you asked for the mount to be mounted as root on boot. Technically this is done here in form of a place holder mount for autofs. Practically the real mount is only done on first access by a user.

We are using this setup for ~100 clients at my workplace for accessing quite a big lustre file system and it works reliably.

Ubuntu – Cannot mount samba network share

I ran into a similar problem where mount using cifs produced the -22 error. The share aught to be mountable as I was able to access it using smbclient.

Based on this bug report: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/1772148, I tried installing the 'keyutils' package and that fixed it for me. It could be that your old computer has this package but the new one doesn't for whatever reason.

Best Answer

Related Solutions

Ubuntu – CIFS mounts and Kerberos – permissions on access or best practice

Use automount + multiuser option of mount.cifs

Ubuntu – Cannot mount samba network share

Related Question