linux-cifs.vger.kernel.org archive mirror
* Mounting share on NetApp using SMB 3.1.1 and encryption
@ 2021-02-19 20:57 Till Dörges
  2021-02-22 10:17 ` Aurélien Aptel
  0 siblings, 1 reply; 3+ messages in thread
From: Till Dörges @ 2021-02-19 20:57 UTC (permalink / raw)
  To: linux-cifs

Hello everyone,

I'm trying to connect a Linux client to a NetApp server.

The server is running OnTap 9.7P6.

On the client I use:

--- snip ---
smbclnt:~ # modinfo cifs | egrep '^version'
version:        2.22
smbclnt:~ # mount.cifs -V
mount.cifs version: 6.9
smbclnt:~ # uname -a
Linux smbclnt 5.3.18-lp152.63-default #1 SMP Mon Feb 1 17:31:55 UTC 2021 (98caa86) x86_64 x86_64 x86_64 GNU/Linux
--- snap ---


Unfortunately it's not working out of the box.


According to the admins the server requires SMB 3.1.1 and encryption.

Moreover they say the server only offers a limited set of ciphers (i.e. 
DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384).


Apart from the security requirements the server uses DFS and nested name spaces.


I don't have access to the server and Linux client knowledge is limited. So I'm 
somewhat stuck with trial and error.


My current understanding is that for "SMB 3.1.1 and encryption" I have to pass 
options "seal,vers=3.1.1" to mount.cifs.


I'm not sure what to make of the required ciphers though. I'm guessing that's only 
needed for doing LDAP over SSL (LDAPS).

But it seems that's nothing mount.cifs actually has to use?

(Quickly skimming through the source of cifs.ko I only found the symbols
SMB2_ENCRYPTION_AES128_CCM, SMB2_ENCRYPTION_AES128_GCM.)


So before digging any further, I'm wondering whether this should generally work with 
options "seal,vers=3.1.1", and what to make of the ciphers requirement.


Thanks and regards -- Till
-- 
Dipl.-Inform. Till Dörges                  doerges@pre-sense.de

PRESENSE Technologies GmbH             Nagelsweg 41, D-20097 HH
Geschäftsführer/Managing Directors       AG Hamburg, HRB 107844
Till Dörges, Jürgen Sander               USt-IdNr.: DE263765024


* Re: Mounting share on NetApp using SMB 3.1.1 and encryption
  2021-02-19 20:57 Mounting share on NetApp using SMB 3.1.1 and encryption Till Dörges
@ 2021-02-22 10:17 ` Aurélien Aptel
       [not found]   ` <CAH2r5msGOKUYRiBS8vk79a+zJK4ijRU8rQAneEU-gW3EvjSNZg@mail.gmail.com>
  0 siblings, 1 reply; 3+ messages in thread
From: Aurélien Aptel @ 2021-02-22 10:17 UTC (permalink / raw)
  To: Till Dörges, linux-cifs

Till Dörges <doerges@pre-sense.de> writes:
> Apart from the security requirements the server uses DFS and nested name spaces.

The nested namespace might be problematic. DFS is tricky.

> So before digging any further, I'm wondering whether this should generally work with 
> options "seal,vers=3.1.1", and what to make of the ciphers requirement.

I think by default the client will only show support for up to 3.0
unless you ask it to.
So apart from the version, encryption and ciphers should be
auto-negotiated during the connection establishment: the client sends
its feature support, the server replies with its requirement. If the
requirements cannot be met the client will fail.

I believe you should only have to put vers=3.1.1. By putting seal you
are asking the client to make encryption a requirement instead of
letting the server decide.

If you are having issues connecting please refer to the wiki on
reporting cifs.ko bugs for instructions on how to debug things further:

https://wiki.samba.org/index.php/Bug_Reporting#cifs.ko

Cheers,
-- 
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97  8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
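
The negotiation described in the reply above, as an added example that is not part of the original thread or of cifs.ko: SMB 3.1.1 carries its own cipher identifiers (AES-CCM/GCM) in an SMB2_ENCRYPTION_CAPABILITIES negotiate context, not TLS suite names. The function names, the server-preference selection policy and the `require_encryption` flag (standing in for the `seal` mount option) are assumptions made for illustration.

```python
import struct

# Cipher IDs carried in the SMB2_ENCRYPTION_CAPABILITIES negotiate context (MS-SMB2).
CIPHERS = {0x0001: "AES-128-CCM", 0x0002: "AES-128-GCM",
           0x0003: "AES-256-CCM", 0x0004: "AES-256-GCM"}
CTX_ENCRYPTION_CAPS = 0x0002  # ContextType of the encryption context


def build_encryption_context(cipher_ids):
    """Serialize ContextType, DataLength, Reserved, then CipherCount + Ciphers."""
    data = struct.pack("<H", len(cipher_ids)) + b"".join(
        struct.pack("<H", c) for c in cipher_ids)
    return struct.pack("<HHI", CTX_ENCRYPTION_CAPS, len(data), 0) + data


def parse_encryption_context(buf):
    """Return the list of cipher IDs, rejecting truncated or mistyped contexts."""
    if len(buf) < 8:
        raise ValueError("context header truncated")
    ctx_type, data_len, _reserved = struct.unpack_from("<HHI", buf, 0)
    if ctx_type != CTX_ENCRYPTION_CAPS:
        raise ValueError("not an encryption capabilities context")
    data = buf[8:8 + data_len]
    if len(data) != data_len or data_len < 2:
        raise ValueError("context data truncated")
    (count,) = struct.unpack_from("<H", data, 0)
    if data_len != 2 + 2 * count:
        raise ValueError("CipherCount does not match DataLength")
    return list(struct.unpack_from("<%dH" % count, data, 2))


def server_select(client_ctx, server_prefs):
    """Server side (assumed policy): most preferred cipher the client offered, else 0."""
    offered = parse_encryption_context(client_ctx)
    chosen = next((c for c in server_prefs if c in offered), 0)
    return build_encryption_context([chosen])


def client_accept(server_ctx, offered, require_encryption):
    """Client side: agreed cipher name, None if unencrypted, or fail the connection."""
    ciphers = parse_encryption_context(server_ctx)
    if len(ciphers) != 1:
        raise ConnectionError("server must answer with exactly one cipher")
    cipher = ciphers[0]
    if cipher == 0:
        if require_encryption:  # hypothetical flag modelling the "seal" option
            raise ConnectionError("no common cipher but encryption is required")
        return None
    if cipher not in offered:
        raise ConnectionError("server chose a cipher the client did not offer")
    return CIPHERS[cipher]
```
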



* Re: Mounting share on NetApp using SMB 3.1.1 and encryption
       [not found]     ` <CAH2r5mtL4Q-2g2Mrchz7Y=hXXypMj6R298wjhdO6+o4XUzGBOg@mail.gmail.com>
@ 2021-02-22 17:02       ` Till Dörges
  0 siblings, 0 replies; 3+ messages in thread
From: Till Dörges @ 2021-02-22 17:02 UTC (permalink / raw)
  To: Steve French, Aurélien Aptel; +Cc: linux-cifs

Hello everyone,


@Aurélien, Steve:

Thanks for your answers.


On 22.02.21 at 11:17, Aurélien Aptel wrote:

> The nested namespace might be problematic. DFS is tricky.


On 22.02.21 at 17:45, Steve French wrote:

> LinuxCIFSKernel - SambaWiki
> <https://wiki.samba.org/index.php/LinuxCIFSKernel#Changes_by_release>
> 
> for list of when features went in, although many distros backport these
> features to older kernels.


There's been progress. A simple test case (no DFS/nested NS) works fine with 3.1.1 
and encryption.

So currently it looks like DFS and/or NS might indeed be the problem.


Since I'm not exactly sure how much has been added/backported to the cifs.ko I'm 
using (it reports as version 2.22), I'll try a recent vanilla Linux Kernel.

For version 2.28 the changelog states "Various DFS (global namespace) fixes." Maybe 
that already does it.


And if that doesn't work I'll proceed according to 
https://wiki.samba.org/index.php/LinuxCIFS_troubleshooting


Thanks again and regards -- Till
-- 
Dipl.-Inform. Till Dörges                  doerges@pre-sense.de

PRESENSE Technologies GmbH             Nagelsweg 41, D-20097 HH
Geschäftsführer/Managing Directors       AG Hamburg, HRB 107844
Till Dörges, Jürgen Sander               USt-IdNr.: DE263765024
