Samba – cifs mount alternately sends wrong passwd

cifsdebian-jessienetappsamba

short version:

the NETAPP logs show that from our client (debian 8.7, cifs=2:6.4-1) machine the login fails alternatively. I.e. it is like one time it sends the good password, and then some wrong password, then again the good one, then again the wrong, etc (see logs at the end of long description).

Could this be related to the fact that there are 2 IP that resolve to our share?

long version:

Our IT has setup a netapp CIFS share that uses AD passwd authentication (say //storage.example.domain/share/sub/directory.

To mount it on a debian 8 machine we have to use nodfs option to make it recognize the share in the subdirectory, this is a workaround I found here

so the mount options in /etc/fstab are like this:

//storage.example.domain/share/sub/directory /local/path cifs auto,username=user,password=pass,domain=EXAMPLE.DOMAIN,uid=localUserId,gid=localUserGid,nodfs,rw

we have to set uid and gid to a local group/user because we want to give linux users (which are not the same as AD users) a group RW access to the resource (should we do this in another manner?).

Now the share runs on 2 machines (so storage.example.domain resolves to 2 ips, e.g. 10.0.0.x and 10.0.0.y).

When mounting the share using the FQDN as in our /etc/fstab config, there was already a problem:

if the round-robin DNS switches the IP during the mount, it will cause a no such file or directory issue. I have noticed that cifs first resolves the IP, then it sets it as additional mount option, and then tries to mount it using again the FQDN. At this point, if the rr-dns has switched, it will crash because it tries e.g. to access with option -o addr=10.0.0.x but the fqdn storage.example.domain points to addr=10.0.0.y.

So in practice to mount it, we have to hope that the DNS does not switch during the mount. If this does not occur, it works and the share is mounted.

Now the new problem is that when we try to write big files to the share (>1GB) the mount point crashes with the following errors:

root@client.example.domain kernel~# cat /var/log/syslog    
[...]
Apr 13 06:39:42 client.example.domain kernel: [85341.844209] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
Apr 13 06:39:42 client.example.domain kernel: [85341.844219] CIFS VFS: Send error in SessSetup = -13
Apr 13 06:39:42 client.example.domain kernel: [85341.844728] CIFS VFS: cifs_mount failed w/return code = -13
Apr 13 07:09:42 client.example.domain kernel: [87140.888509] Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE
Apr 13 07:09:42 client.example.domain kernel: [87140.888515] CIFS VFS: Send error in SessSetup = -13
Apr 13 07:09:42 client.example.domain kernel: [87140.888833] CIFS VFS: cifs_mount failed w/return code = -13
Apr 13 07:17:52 client.example.domain kernel: [87629.897198] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:52 client.example.domain kernel: [87629.897583] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:52 client.example.domain kernel: [87629.897887] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:52 client.example.domain kernel: [87629.898176] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:52 client.example.domain kernel: [87629.898881] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:52 client.example.domain kernel: [87629.899642] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:52 client.example.domain kernel: [87629.899945] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:52 client.example.domain kernel: [87629.900294] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:52 client.example.domain kernel: [87629.901437] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:52 client.example.domain kernel: [87629.901962] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:57 client.example.domain kernel: [87634.897772] cifs_vfs_err: 19718 callbacks suppressed
Apr 13 07:17:57 client.example.domain kernel: [87634.897776] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:57 client.example.domain kernel: [87634.898019] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:57 client.example.domain kernel: [87634.898201] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:57 client.example.domain kernel: [87634.898414] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:57 client.example.domain kernel: [87634.898597] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:57 client.example.domain kernel: [87634.898762] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:57 client.example.domain kernel: [87634.898929] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:57 client.example.domain kernel: [87634.899115] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:57 client.example.domain kernel: [87634.899309] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:17:57 client.example.domain kernel: [87634.899474] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:18:03 client.example.domain kernel: [87641.528425] cifs_vfs_err: 15111 callbacks suppressed
Apr 13 07:18:03 client.example.domain kernel: [87641.528428] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:18:03 client.example.domain kernel: [87641.529016] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:18:03 client.example.domain kernel: [87641.529310] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:18:03 client.example.domain kernel: [87641.529591] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:18:03 client.example.domain kernel: [87641.529926] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:18:03 client.example.domain kernel: [87641.530197] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:18:03 client.example.domain kernel: [87641.530469] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:18:03 client.example.domain kernel: [87641.530741] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:18:03 client.example.domain kernel: [87641.531038] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:18:03 client.example.domain kernel: [87641.531295] CIFS VFS: SMB signature verification returned error = -13
Apr 13 07:18:09 client.example.domain kernel: [87646.632693] cifs_vfs_err: 128 callbacks suppressed
[...]

logs on netapp side:

10:53:00               Login successful
10:51:02               Login failed (user name correct but the password is wrong)
10:50:31               Login successful
10:50:12               Login failed (user name correct but the password is wrong)
10:49:34               Login successful
10:48:15               Login failed (user name correct but the password is wrong)

I really can't figure how to solve this, and as I do not have access to AD, or Netapp, it is really a blackbox. Does anyone have an idea of what I could do, or what I could ask our IT to do?

Best Answer

I finally found the problem.

It was that in ontap configuration there was the following :option cifs.smb2.signing.required on. We had to turn it to option cifs.smb2.signing.required off.

As we found on ontap official documentation.

Related Topic