Bug 7209

Summary: CIFS: mount error 13 = Permission denied
Product: File System Reporter: Terry Yoder (terry.yoder)
Component: CIFSAssignee: Steve French (sfrench)
Status: RESOLVED CODE_FIX    
Severity: normal CC: bunk
Priority: P2    
Hardware: i386   
OS: Linux   
Kernel Version: 2.6.18 Subsystem:
Regression: --- Bisected commit-id:
Attachments: Wireshark trace of mounting a CIFS share 'the normal way'
Wireshark trace of mounting a CIFS share using the domain= option

Description Terry Yoder 2006-09-26 16:23:33 UTC 
Most recent kernel where this bug did not occur:
Distribution: 2.6.17.11
Hardware Environment: PC
Software Environment: 
Problem Description: mount from fstab

Steps to reproduce: create mount to XP Windows Share.  ENter into /etc/fstab.
Works in 2.6.17.11.  Permission Denied in 2.6.18.
Mount to other WIndows Server works.
Comment 1 Steve French 2006-10-26 09:29:49 UTC 
There was one report of the domain name not being specified on mount
automatically in 2.6.18 (we can not think of a reason why, since cifs has always
required a domain name to be specified on mount, not via smb.conf as with smbfs).

The one report that was vaguely similar, asserted that adding the
"domain=myserverdomainname" (to the list of mount options specified on the
client) worked.

Although that seems unlikely, could you try that?

Otherwise, let us try the usual and see if enabling debugging
"echo 1 > /proc/fs/cifs/cifsFYI"
before the mount (and looking at output of "dmesg" or equivalent)
shows whether the "session setup" (authentication) failed (server does not
understand the userid/password) or whether the "tree connection" or subsequent
stat failed (no access for that valid user to that directory on the server)
Comment 2 Terry Yoder 2006-10-26 09:59:21 UTC 
Adding domain=xx works.  This wasn't required in 2.6.17.
Note that I still don't have to set domain=xx for
mounting my Windows 2K3 site server.  Why does
that still work?  Anyway, I'm good to go, thanks.
Comment 3 Steve French 2006-10-27 09:15:47 UTC 
Any chance you could do a quick ethereal trace of mount from 2.6.17 client
(works) and mount from 2.6.18 client (fail) and mount from 2.6.18 client with
domain specified (works) - all to the same server?

Attaching an ethereal or tcpdump trace would allow me to see what is differing
on the wire between the two.

Presumably the reason that mounting to a Windows 2003 server would work (if it
is a domain contorller) is that it has a local copy of the user database and
thus can authenticate the user/password - while on the client (if it is
configured to be a member of the Windows 2003 domain) it has no local copy of
that user - and thus needs to know the correct domain name of the user in order
to authenticate it.
Comment 4 Erik van Pienbroek 2006-10-30 07:56:30 UTC 
I'm also encountering the mentioned problem.
I'm trying to mount an active directory share using the CIFS protocol, but
I keep getting a permission denied. The same setup using a kernel older than
2.6.18 doesn't show the problem.

Attached are 2 wireshark traces, both from a 2.6.18 kernel (I'll try
to create one from a 2.6.17 kernel also).
Comment 5 Erik van Pienbroek 2006-10-30 07:57:18 UTC 
Created attachment 9377 [details]
Wireshark trace of mounting a CIFS share 'the normal way'
Comment 6 Erik van Pienbroek 2006-10-30 07:57:54 UTC 
Created attachment 9378 [details]
Wireshark trace of mounting a CIFS share using the domain= option
Comment 7 Erik van Pienbroek 2006-10-30 08:03:51 UTC 
Here is some more debug info

Normal mount:
 fs/cifs/cifsfs.c: Devname: //FILE01/Users flags: 64 
 fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 36407 with uid: 0
 fs/cifs/connect.c: Username: epienbro 
 fs/cifs/connect.c: UNC: \\FILE01\Users ip: 145.48.129.26
 fs/cifs/connect.c: Socket created
 fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x7fffffff
 fs/cifs/connect.c: Demultiplex PID: 3500
 fs/cifs/connect.c: Existing smb sess not found
 fs/cifs/cifssmb.c: secFlags 0x7
 fs/cifs/transport.c: For smb_command 114
 fs/cifs/transport.c: Sending smb of length 67
 fs/cifs/connect.c: rfc1002 length 0x6d)
 fs/cifs/cifssmb.c: Dialect: 1
 fs/cifs/cifssmb.c: negprot rc 0
 fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x1f3fd Time Zone: 65476
 fs/cifs/sess.c: sess setup type 1
 fs/cifs/transport.c: For smb_command 115
 fs/cifs/transport.c: Sending smb:  total_len 278
 fs/cifs/connect.c: rfc1002 length 0x27)
 fs/cifs/netmisc.c:  !!Mapping smb error code 5 to POSIX err -13 !!
 fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
 fs/cifs/sess.c: ssetup rc from sendrecv2 is -13
 fs/cifs/sess.c: ssetup freeing small buf db72c300
 CIFS VFS: Send error in SessSetup = -13
 fs/cifs/connect.c: No session or bad tcon
 fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 36407) rc = -13
 CIFS VFS: cifs_mount failed w/return code = -13

Mount using domain option:
 fs/cifs/cifsfs.c: Devname: //FILE01/Users flags: 64 
 fs/cifs/connect.c: CIFS VFS: in cifs_mount as Xid: 36408 with uid: 0
 fs/cifs/connect.c: Domain name set
 fs/cifs/connect.c: Username: epienbro 
 fs/cifs/connect.c: UNC: \\FILE01\Users ip: 145.48.129.26
 fs/cifs/connect.c: Socket created
 fs/cifs/connect.c: sndbuf 16384 rcvbuf 87380 rcvtimeo 0x7fffffff
 fs/cifs/connect.c: Demultiplex PID: 3506
 fs/cifs/connect.c: Existing smb sess not found
 fs/cifs/cifssmb.c: secFlags 0x7
 fs/cifs/transport.c: For smb_command 114
 fs/cifs/transport.c: Sending smb of length 67
 fs/cifs/connect.c: rfc1002 length 0x6d)
 fs/cifs/cifssmb.c: Dialect: 1
 fs/cifs/cifssmb.c: negprot rc 0
 fs/cifs/connect.c: Security Mode: 0x3 Capabilities: 0x1f3fd Time Zone: 65476
 fs/cifs/sess.c: sess setup type 1
 fs/cifs/transport.c: For smb_command 115
 fs/cifs/transport.c: Sending smb:  total_len 262
 fs/cifs/connect.c: rfc1002 length 0xbb)
 fs/cifs/misc.c: Null buffer passed to cifs_small_buf_release
 fs/cifs/sess.c: ssetup rc from sendrecv2 is 0
 fs/cifs/sess.c: UID = 63488 
 fs/cifs/sess.c: bleft 142
 fs/cifs/sess.c: words left: 0
 fs/cifs/sess.c: ssetup freeing small buf db72c700
 fs/cifs/connect.c: CIFS Session Established successfully
 fs/cifs/connect.c: file mode: 0x7f7  dir mode: 0x1ff
 fs/cifs/transport.c: For smb_command 117
 fs/cifs/transport.c: Sending smb of length 80
 fs/cifs/connect.c: rfc1002 length 0x42)
 fs/cifs/connect.c: Tcon flags: 0x0 
 fs/cifs/connect.c: CIFS Tcon rc = 0
 fs/cifs/cifssmb.c: In QFSDeviceInfo
 fs/cifs/transport.c: For smb_command 50
 fs/cifs/transport.c: Sending smb of length 68
 fs/cifs/connect.c: rfc1002 length 0x44)
 fs/cifs/cifssmb.c: In QFSAttributeInfo
 fs/cifs/transport.c: For smb_command 50
 fs/cifs/transport.c: Sending smb of length 68
 fs/cifs/connect.c: rfc1002 length 0x50)
 fs/cifs/connect.c: CIFS VFS: leaving cifs_mount (xid = 36408) rc = 0
 fs/cifs/inode.c: CIFS VFS: in cifs_read_inode as Xid: 36409 with uid: 0
 fs/cifs/inode.c: Getting info on 
 fs/cifs/transport.c: For smb_command 50
 fs/cifs/transport.c: Sending smb of length 74
 fs/cifs/connect.c: rfc1002 length 0x94)
 fs/cifs/inode.c: Old time 0
 fs/cifs/inode.c: New time 333059
 fs/cifs/inode.c: Directory inode
 fs/cifs/inode.c: CIFS VFS: in cifs_revalidate as Xid: 36410 with uid: 0
 fs/cifs/inode.c: Revalidate:  inode 0xc7a08d74 count 1 dentry: 0xd01389c4
d_time 0 jiffies 333313
 fs/cifs/inode.c: Getting info on 
 fs/cifs/transport.c: For smb_command 50
 fs/cifs/transport.c: Sending smb of length 74
 fs/cifs/connect.c: rfc1002 length 0x94)
 fs/cifs/inode.c: Old time 333059
 fs/cifs/inode.c: New time 333313
 fs/cifs/inode.c: Directory inode
 fs/cifs/inode.c: cifs_revalidate - inode unchanged
 fs/cifs/inode.c: CIFS VFS: leaving cifs_revalidate (xid = 36410) rc = 0
 fs/cifs/inode.c: CIFS VFS: in cifs_revalidate as Xid: 36411 with uid: 0
 fs/cifs/inode.c: Revalidate:  inode 0xc7a08d74 count 1 dentry: 0xd01389c4
d_time 0 jiffies 333316
 fs/cifs/inode.c: CIFS VFS: leaving cifs_revalidate (xid = 36411) rc = 0
 fs/cifs/inode.c: CIFS VFS: in cifs_revalidate as Xid: 36412 with uid: 0
 fs/cifs/inode.c: Revalidate:  inode 0xc7a08d74 count 1 dentry: 0xd01389c4
d_time 0 jiffies 333316
 fs/cifs/inode.c: CIFS VFS: leaving cifs_revalidate (xid = 36412) rc = 0
 fs/cifs/inode.c: CIFS VFS: in cifs_revalidate as Xid: 36413 with uid: 0
 fs/cifs/inode.c: Revalidate:  inode 0xc7a08d74 count 1 dentry: 0xd01389c4
d_time 0 jiffies 333316
 fs/cifs/inode.c: CIFS VFS: leaving cifs_revalidate (xid = 36413) rc = 0
 fs/cifs/inode.c: CIFS VFS: in cifs_revalidate as Xid: 36414 with uid: 0
 fs/cifs/inode.c: Revalidate:  inode 0xc7a08d74 count 1 dentry: 0xd01389c4
d_time 0 jiffies 333316
 fs/cifs/inode.c: CIFS VFS: leaving cifs_revalidate (xid = 36414) rc = 0
Comment 8 Steve French 2007-02-22 20:53:04 UTC 
The fix for not requiring "domain=" on the mount (in most cases) has been in the
kernel for a while now (certainly in 2.6.20).

The issue was that when cifs session setup was rewritten it "fixed" a bug in how
the domain name was setup - but had a sideeffect that the default domain name on
session setup was no longer sent as "null" (which the server would interpret as
"use my own [server's] domain to try to authenticate this user"), but as a default
(generic) domain name.

You should probably always specify the domain name on mount to be precise, but
I agreed that in most cases the server and client are in the same domain and
the better behavior is to send an empty domain rather than default/bogus domain
name when the user does not type this.
when the user specified
Comment 9 Steve French 2007-02-22 21:00:18 UTC 
Sorry this took so long to find this defect, it was reported in a different
bugzilla and fixed  back in early November.
http://master.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=6e659c63998881e8f4a842edbe86ac8c5cdaee41