Linux SMB Client Failed to Connect to SMB Server Forcing AES-256?
2 votes, 0 answers, 1208 views
I'm trying to connect to an SMB share on my TrueNAS from my Fedora. It worked well until I decided to enable encryption of SMB data. I put the following in the service config on TrueNAS (global settings):
unix extensions = yes
server signing = required
client smb encrypt = required
server smb3 encryption algorithms = -AES-128-GCM -AES-128-CCM
and the following in the particular SMB share (per-share settings):
server smb encrypt = required
Then, I tried to mount the SMB share with:
sudo mount -t smb3 -o cred=,uid=1000,gid=1000,mfsymlinks ///NAS /mnt/NAS
and, boom, mount error(13): Permission denied.
In dmesg, it says:
[112496.066462] CIFS: Attempting to mount ///NAS
[112496.085283] CIFS: VFS: sign fail cmd 0x3 message id 0x3
[112496.085287] CIFS: VFS: \\ SMB signature verification returned error = -13
[112496.085290] CIFS: VFS: \\ failed to connect to IPC (rc=-13)
[112496.085294] CIFS: VFS: session 00000000639775cf has no tcon available for a dfs referral request
[112496.085480] CIFS: VFS: sign fail cmd 0x3 message id 0x4
[112496.085481] CIFS: VFS: \\ SMB signature verification returned error = -13
[112496.085684] CIFS: VFS: sign fail cmd 0x2 message id 0x5
[112496.085687] CIFS: VFS: \\ SMB signature verification returned error = -13
[112496.085690] CIFS: VFS: \\ __cifs_put_smb_ses: Session Logoff failure rc=-13
[112496.085700] CIFS: VFS: cifs_mount failed w/return code = -13
If I remove the line forcing AES-256 (disallowing AES-128):
server smb3 encryption algorithms = -AES-128-GCM -AES-128-CCM
the mount command will work fine.
However, even if I keep the config forcing AES-256, I can still connect to my SMB share from Finder on macOS and iOS, and from Dolphin on KDE (I use Fedora with KDE).
So, does smbclient in the CLI not support AES-256 encryption at all? Or can I turn something on and make the mount work totally fine?
Btw, smbclient --version gives Version 4.19.4.
---
Update: The following is the verbose output of mount, as suggested in a comment.
$ sudo mount -t smb3 --verbose -o cred=,uid=1000,gid=1000,mfsymlinks ///NAS /mnt/NAS
mount.smb3 kernel mount options: ip=,unc=\\\NAS,mfsymlinks,uid=1000,gid=1000,user=,pass=********
mount error(13): Permission denied
Refer to the mount.smb3(8) manual page (e.g. man mount.smb3) and kernel log messages (dmesg)
---
Update: Tried different sec options:
* krb5/krb5i:
  * mount verbose outputs:
$ sudo mount -t smb3 --verbose -o cred=,uid=1000,gid=1000,mfsymlinks,sec= ///NAS /mnt/NAS
mount.smb3 kernel mount options: ip=,unc=\\\NAS,mfsymlinks,sec=,uid=1000,gid=1000,user=,pass=********
mount.smb3 kernel mount options: ip=,unc=\\\NAS,mfsymlinks,sec=,uid=1000,cruid=1000,gid=1000,user=,pass=********
mount error(126): Required key not available
Refer to the mount.smb3(8) manual page (e.g. man mount.smb3) and kernel log messages (dmesg)
  * dmesg outputs:
[190212.841620] CIFS: Attempting to mount ///NAS
[190212.851741] CIFS: VFS: unknown or missing server auth type, use krb5
[190212.861466] CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
[190212.861472] CIFS: VFS: \\ Send error in SessSetup = -126
[190212.861487] CIFS: VFS: cifs_mount failed w/return code = -126
* ntlm/ntlmi:
  * mount verbose outputs:
$ sudo mount -t smb3 --verbose -o cred=,uid=1000,gid=1000,mfsymlinks,sec= ///NAS /mnt/NAS
mount.smb3 kernel mount options: ip=,unc=\\\NAS,mfsymlinks,sec=ntlm,uid=1000,gid=1000,user=,pass=********
mount error(22): Invalid argument
Refer to the mount.smb3(8) manual page (e.g. man mount.smb3) and kernel log messages (dmesg)
  * dmesg outputs:
[190683.752148] bad security option:
[190683.752170] CIFS: VFS: bad security option:
* ntlmv2/ntlmv2i/ntlmssp/ntlmsspi: These four options make no difference in mount verbose output or dmesg compared with not specifying any sec option.
---
Update: Tried cifs, specifying the vers option:
* vers=2.0:
  * mount output:
mount.cifs kernel mount options: ip=,unc=\\\NAS,mfsymlinks,vers=2.0,uid=1000,gid=1000,user=,pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
  * dmesg:
[281141.068174] CIFS: Attempting to mount ///NAS
[281141.085261] CIFS: VFS: \\ smb2_calc_signature: Could not find session
[281141.085286] CIFS: VFS: \\ __cifs_put_smb_ses: Session Logoff failure rc=-2
[281141.085298] CIFS: VFS: cifs_mount failed w/return code = -13
* vers=1.0:
  * mount output:
mount.cifs kernel mount options: ip=,unc=\\\NAS,mfsymlinks,vers=1.0,uid=1000,gid=1000,user=,pass=********
mount error(95): Operation not supported
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
I removed mfsymlinks (which is not supported in SMB1.0?) but the output is the same.
  * dmesg:
[281295.220579] Use of the less secure dialect vers=1.0 is not recommended unless required for access to very old servers
[281295.220601] CIFS: VFS: Use of the less secure dialect vers=1.0 is not recommended unless required for access to very old servers
[281295.220609] CIFS: Attempting to mount ///NAS
[281295.231815] CIFS: VFS: cifs_mount failed w/return code = -95
Asked by citrate (151 rep), Jan 15, 2024, 08:48 PM
Last activity: Jan 17, 2024, 07:37 PM
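
A small triage helper for the kernel log lines quoted in the question, added here as an example and not part of the original post: it decodes the "cmd 0x.." values into SMB2 command names and the return codes into errno names, so each failed attempt can be read at a glance. The function and variable names are made up for illustration; the log lines are excerpts copied from the question.

```python
import re

# SMB2 command codes (MS-SMB2); the kernel logs them as "cmd 0x..".
SMB2_CMD = {0x0: "NEGOTIATE", 0x1: "SESSION_SETUP", 0x2: "LOGOFF",
            0x3: "TREE_CONNECT", 0x4: "TREE_DISCONNECT", 0x5: "CREATE"}
# Linux errno names for the negative return codes seen in the question.
ERRNO = {2: "ENOENT", 13: "EACCES", 22: "EINVAL", 95: "EOPNOTSUPP", 126: "ENOKEY"}

SIGN_FAIL = re.compile(r"sign fail cmd (0x[0-9a-fA-F]+) message id (0x[0-9a-fA-F]+)")
SESS_ERR = re.compile(r"Send error in SessSetup = -(\d+)")
MOUNT_RC = re.compile(r"cifs_mount failed w/return code = -(\d+)")

# Excerpts copied from the dmesg output in the question.
SIGN_LOG = r"""
[112496.085283] CIFS: VFS: sign fail cmd 0x3 message id 0x3
[112496.085287] CIFS: VFS: \\ SMB signature verification returned error = -13
[112496.085480] CIFS: VFS: sign fail cmd 0x3 message id 0x4
[112496.085684] CIFS: VFS: sign fail cmd 0x2 message id 0x5
[112496.085700] CIFS: VFS: cifs_mount failed w/return code = -13
"""
KRB5_LOG = r"""
[190212.861472] CIFS: VFS: \\ Send error in SessSetup = -126
[190212.861487] CIFS: VFS: cifs_mount failed w/return code = -126
"""

def triage(dmesg_text):
    """Summarise one failed mount attempt from its CIFS kernel log lines."""
    sign_failures, sess_rc, mount_rc = [], None, None
    for line in dmesg_text.splitlines():
        if m := SIGN_FAIL.search(line):
            cmd = int(m.group(1), 16)
            sign_failures.append((SMB2_CMD.get(cmd, hex(cmd)), int(m.group(2), 16)))
        elif m := SESS_ERR.search(line):
            sess_rc = int(m.group(1))
        elif m := MOUNT_RC.search(line):
            mount_rc = int(m.group(1))
    if sign_failures:
        stage = "signature verification of server responses"
    elif sess_rc is not None:
        stage = "session setup (authentication)"
    else:
        stage = "unclassified"
    return {"stage": stage, "errno": ERRNO.get(mount_rc, str(mount_rc)),
            "sign_failures": sign_failures}

if __name__ == "__main__":
    for name, log in (("AES-256 only", SIGN_LOG), ("krb5/krb5i attempt", KRB5_LOG)):
        print(name, triage(log))
```

These messages come from the kernel CIFS client used by mount -t smb3 and mount -t cifs, which is a separate implementation from the userspace smbclient whose version is quoted in the question.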