[Samba] Fwd: mounting a windows share on a linux client using mount.cifs with encryption




Hello everyone,

I'm trying to mount a CIFS share served by Windows 10 Samba with encryption.

On the Windows server side, I made a regular share and told Windows via
PowerShell command
Set-SmbServerConfiguration -EncryptData 1
to encrypt the data if possible, and via
Set-SmbServerConfiguration -RejectUnencryptedAccess 1
to reject unencrypted connections instead of negotiating an unencrypted
connection.

I then proceed to connect on Linux client side via
mount -t cifs //192.168.1.176/Share /mnt -o username=user,seal
Expectation: after being prompted to enter the password, the mount
should be active.
Actual result: after entering the correct password, I get "mount
error(13): Permission denied".

However, if I turn off the rule to only accept encrypted access, then
use the same command without the "seal" option, it works as expected.

I attached tcpdumps of both attempts.
Linux client versions tested are OpenSUSE Leap 42.3 with latest Patches
and Kernel 4.4.165-81-default as well as OpenSUSE Leap 15 with latest
Patches and Kernel Version 4.12.14-lp150.12.28-default.
Windows Server is Windows 10 Professional 64 bit Build 10240, also
tested with Windows 10 Professional 64 bit Version 1809 Build 17763.95.
Mount.cifs version is 6.5.

I also tried smbclient, but as long as Windows is told to reject
unencrypted access, it won't even list the shares. Once I tell Windows
to accept unencrypted access, it works fine - however encryption is
absolutely needed, just working w/o crypto's not an option.

Is my sealed mounting command wrong, or is this simply impossible?
Any hints would be greatly appreciated.

Regards,
René

-- 
René Bräuer                                braeuer@xxxxxxxxxxxx
PRESENSE Technologies GmbH            Sachsenstr. 5, D-20097 HH
Geschäftsführer/Managing Directors       AG Hamburg, HRB 107844
Till Dörges, Jürgen Sander               USt-IdNr.: DE263765024
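
Added example, not part of the original message: a client-side check that every mounted CIFS share carries the "seal" option, for setups like the one above where unencrypted access is not acceptable. The function name audit_cifs_seal and the sample mount lines are constructed for illustration; it assumes input in /proc/mounts format.

```shell
#!/bin/sh
# Audit CIFS mounts for the "seal" (SMB encryption) mount option.
# Input format (as in /proc/mounts):
#   device mountpoint fstype options dump pass

# Constructed sample input. On a real client run:
#   audit_cifs_seal < /proc/mounts
SAMPLE_MOUNTS='//192.168.1.176/Share /mnt cifs rw,relatime,vers=3.0,sec=ntlmssp,username=user,seal,addr=192.168.1.176 0 0
//192.168.1.176/Other /srv/other cifs rw,relatime,vers=3.0,sec=ntlmssp,username=user,addr=192.168.1.176 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Prints one line per CIFS mount:
#   <SEALED|UNSEALED> <mountpoint> vers=<dialect or "unknown">
# Exit status: 1 if any CIFS mount lacks "seal", otherwise 0.
audit_cifs_seal() {
    awk '
    $3 == "cifs" || $3 == "smb3" {
        # Split the option list so "seal" is matched as a whole option,
        # not as a substring of something like username=seal.
        n = split($4, opts, ",")
        sealed = 0
        vers = "unknown"
        for (i = 1; i <= n; i++) {
            if (opts[i] == "seal")
                sealed = 1
            else if (opts[i] ~ /^vers=/)
                vers = substr(opts[i], 6)
        }
        printf "%s %s vers=%s\n", (sealed ? "SEALED" : "UNSEALED"), $2, vers
        if (!sealed)
            bad = 1
    }
    END { exit bad + 0 }
    '
}
```

The non-zero exit status makes the function usable as a monitoring or boot-time check on clients that must never hold an unencrypted SMB mount.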
