SUSE Support

Here When You Need Us

The mount -t cifs command fails to mount an AD share if the AD server requires NTLMv2 with "Extended Security"

This document (7015602) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)

Situation

SLES11 SP3
kernel 3.0.101-0.31

At the server console the following command fails when pointed to an AD server that requires NTLMv2 authentication:

mount - t cifs //<server>/<share> /mnt/Shared -o username=<username>,password=<password>

Additionally this command which adds the sec=ntlmv2 option also fails:

mount - t cifs //<server>/<share> /mnt/Shared -o sec=ntlmv2,username=<username>,password=<password>

The error is the /var/log/messages file includes this:
kernel: [1034154.505426] CIFS VFS_mount failed w/return code = -13

Adding the security option for ntlmssp works.

mount - t cifs //<server>/<share> /mnt/Shared -o sec=ntlmssp,username=<username>,password=<password>

Resolution

The mount command has multiple options to use in order to be able to provide the AD server with what it needs for authentication.  Using the ntlmssp option is a solution in this case.

Another solution would be to change the AD server to allow ntlmv2 without "extended security".

Microsoft has a Hotfix for this issue which can be found here:
http://support.microsoft.com/kb/957441/en-us

Here is a quote from that Microsoft document.
"This problem occurs because of an additional security check in Windows Server 2008 and in Windows Vista. This problem is limited to clients that use NTLMv2 authentication without extended security."

Cause


Additional Information

The 3.9 kernel's mount command (which at the writing of this document is not shipping yet with SLES) has set as the default security option ntlmssp.  So in the future there will be no need to change the mount command to use ntlmssp.

Note:
This document simply addresses the mismatch in authentication mechanisms.
There may also be an issue with "signatures" which is a separate issue.
In other words after making sure that the authentication matches you might still need to make sure that signature requirements align.
For example, if you want to access a resource on a Windows server and that server requires signatures, then your client must provide signatures to gain access.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7015602
  • Creation Date: 27-Aug-2014
  • Modified Date:14-Oct-2022
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.