Network and Storage Protocols

CIFS: SMB2 on Linux clients?

karstenrink
15,949 Views

Hi all;

 

we're trying (and failing) to mount a NetApp CIFS share on Linux boxes in SMB2 mode. Situation so far:

 

* Mounting the NetApp CIFS share using SMB2 works well on Windows 7 clients, so I assume the NetApp has SMB2 correctly enabled.

* Mounting CIFS shares exposed by a Windows 2012 file server using SMB2 or even SMB3 works well on these Linux boxes so I assume these machines are generally able to speak to a SMB2+ server.

* However, mounting the NetApp CIFS share on the Linux machines using any "newer" version of SMB reproducibly fails:

 

kaleid:~$ sudo mount -t cifs -o vers=2.0,nodfs,credentials=/home/kristian/bin/filer,uid=kr,gid=kr //192.168.1.249/data /mnt
mount error(95): Operation not supported

[  967.925655] CIFS VFS: cifs_mount failed w/return code = -95
[  972.198283] CIFS VFS: cifs_read_super: get root inode failed

 

Known problem? Any idea how to work around this? System is a FAS2020 running OnTAP 7.3.7P3.

TIA and all the best,

Kristian

10 REPLIES 10

tux
13,531 Views

Hi,

 

have you ever found a solution for this behaviour. I get the same. I was able to get a connection with smbclient but not with mount.cifs and the kernel cifs module

Allison_McWaters
12,435 Views

I need some further information to help you with this. The type of Linux client, the version, the kernel version, etc.

I'd also like to know the serial number of the filer in question.

I'd also like to see packet captures attempting the access to the cifs share.

I'd also like to know the name of the cifs share.

I'd also like to know the ip address of the client attempting to access the cifs share as well as what IP address on the filer it's attempting to access.

 

There's a lot of variables here that could be causing problems so I apologize about all the questions.

pgc
11,810 Views

 

Dear NetApp.

 

I also get the exact error message as well  using different versions of samba when attempting to access the NetApp specifying smb 2.0 (or greater). What is the solution to this?

 

thank you

Ontapforrum
11,743 Views

Hi,

 

SMB 3.0 (newer versions)only available in cDot/ONTAP (Precisely cDOT 8.2 and later). Hence, it is not going to work with Data ontap 7-mode (as SMB server, 7-mode OS version doesn't matter, SMB 3.0 is never introduced in 7-mode and will never be b'cos the code development is stopped, cDOT/ONTAP is the only way forward wrt SMB3.0 support).

 

If you want NetApp (as SMB Server) to serve SMB3.0 version to clients, then you must be on cDOT/ONTAP and client must also support the higher version (For them to negotiate).

 

To verify max SMB versions supported on your 7-mode Data Ontap, simplest way is to run this command:
7-mode> options cifs.smb

 

Check the SMB2.0 support on your ontap version, this option must be enabled:
filer> cifs.smb2.enable on

 

Note: When this option is enabled, the Filer uses SMB 2.0, provided client also supports SMB 2.0

 

You can try this command from Linux host to mount CIFS shares hosted on NetApp 7-mode:
[root@redhat /]# mount -t cifs -o username=Administrator,password=<password>,domain=ABC.COM //192.x.x.x/share1 /mnt/smb

 

Once the command is successful, go to /mnt/smb and check if you are able to see shares.

 

Then, on the filer side:

filer> cifs sessions -t [This command will tell you which SMB version is currently negotiated]

 

Note: Also, check the smb version running on your client and the default client smb version mentioned in the smb.conf file.

 

Thanks!

pgc
11,711 Views

Hi NetApp support,

 

Thanks for quick response!  I will check this out first thing next week.

 

Stay tuned,

pgc

pgc
11,679 Views

 

cifs.smb2.enable is set to "on".  will changing the protocol mode make a difference? ... from unix (default setting) to "mixed"?

 

thanks

 

pgc
11,676 Views

Looking at a wireshark trace, I see that the client is attempting to negotiate a session using smb v2.0 but the netapp is returning errors, starting with this. I am assuming this there is some setting on the netapp that is not configured correctly. I mean, it's smb version 2, which has been around for ever. the last error msg is "not supported" ???

 

Frame 3: 366 bytes on wire (2928 bits), 366 bytes captured (2928 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 172.22.0.21, Dst: 172.22.17.76
Transmission Control Protocol, Src Port: 445, Dst Port: 44682, Seq: 222, Ack: 231, Len: 298
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
ProtocolId: 0xfe534d42
Header Length: 64
Credit Charge: 0
NT Status: STATUS_MORE_PROCESSING_REQUIRED (0xc0000016)
Command: Session Setup (1)
Credits granted: 1
Flags: 0x00000001, Response
Chain Offset: 0x00000000
Message ID: Unknown (1)
Process Id: 0x00000785
Tree Id: 0x00000000
Session Id: 0x0000000000085b8c
Signature: 00000000000000000000000000000000
Session Setup Response (0x01)
StructureSize: 0x0009
0000 0000 0000 100. = Fixed Part Length: 4
.... .... .... ...1 = Dynamic Part: True
Session Flags: 0x0000
.... .... .... ...0 = Guest: False
.... .... .... ..0. = Null: False
.... .... .... .0.. = Encrypt: False
Blob Offset: 0x00000048
Blob Length: 222
Security Blob: 4e544c4d5353500002000000160016003000000005028960…
NTLM Secure Service Provider

 

and this:

 

Frame 11: 145 bytes on wire (1160 bits), 145 bytes captured (1160 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 172.22.0.21, Dst: 172.22.17.76
Transmission Control Protocol, Src Port: 445, Dst Port: 44682, Seq: 1226, Ack: 1595, Len: 77
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
ProtocolId: 0xfe534d42
Header Length: 64
Credit Charge: 0
NT Status: STATUS_NOT_FOUND (0xc0000225)
Command: Ioctl (11)
Credits granted: 2
Flags: 0x00000001, Response
Chain Offset: 0x00000000
Message ID: Unknown (9)
Process Id: 0x00000785
Tree Id: 0x00000040
Session Id: 0x0000000000085b8c
Signature: 00000000000000000000000000000000
Ioctl Response (0x0b)
StructureSize: 0x0009
0000 0000 0000 100. = Fixed Part Length: 4
.... .... .... ...1 = Dynamic Part: True
Error Context Count: 0
Reserved: 0x00
Byte Count: 0
Error Data: 00

 

finally, this error ... not supported.

 

Frame 17: 145 bytes on wire (1160 bits), 145 bytes captured (1160 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 172.22.0.21, Dst: 172.22.17.76
Transmission Control Protocol, Src Port: 445, Dst Port: 44682, Seq: 2027, Ack: 2283, Len: 77
NetBIOS Session Service
SMB2 (Server Message Block Protocol version 2)
SMB2 Header
ProtocolId: 0xfe534d42
Header Length: 64
Credit Charge: 0
NT Status: STATUS_NOT_SUPPORTED (0xc00000bb)
Command: GetInfo (16)
Credits granted: 2
Flags: 0x00000001, Response
Chain Offset: 0x00000000
Message ID: Unknown (15)
Process Id: 0x00000785
Tree Id: 0x00000041
Session Id: 0x0000000000085b8c
Signature: 00000000000000000000000000000000
GetInfo Response (0x10)
StructureSize: 0x0009
0000 0000 0000 100. = Fixed Part Length: 4
.... .... .... ...1 = Dynamic Part: True
Error Context Count: 0
Reserved: 0x00
Byte Count: 0
Error Data: 00

 

 

Ontapforrum
11,645 Views

Thanks for sharing your test details.

 

I also tested different 'linux kernels' as SMBclient (samba/cifs-utils) with NetApp 7-mode & cDOT CIFS shares on redhat/centos 5.x/6.x/7.x:

 

There is a BUG:
https://access.redhat.com/solutions/1178753

 

According to the bug, SMB Dialect = 2 is not supported as 'client' on certain(most) linux kernels, but it is supported as 'SMB server' on redhat/centos 5.x/6.x/7.x and so on.

 

Cause: B'cos NetApp Storage is acting as 'SMB server' and 'Linux Host (kernels)' as SMBclient, it can only negotiate to SMB1, according to the BUG.

 

In order to negotiate SMB2.1 or higher protcols use cDOT/ONTAP.


Tests results:

Tried to mount 7-mode using Redhat7/centos7 without specifiying any dialect and met with error.

 

Error:
mount error(22): Invalid argument
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

 

Error is not very useful, if you google, you will see number of hits, asking to change min protocol versions etc on smb.conf file, however they aren't applicable, b'cos we are using linux as SMB client and not as SMB Server.

 

To get more useful info, try to read the kernel or "messages" log:
[root@redhatcentos7 ~]# tail -f /var/log/messages [This is more useful, as seen below]

Linux kernel version: redhatcentos7 3.10.0-1062.el7.x86_64
Error: Apr 13 20:32:39 redhatcentos7 kernel: Default dialect has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.

 

Therefore, if you wish to have CIFS shares accessible from Linux kernel versions 3.10.x or later then, you are limited to use dialect 1.0.

 

To mount 1.0 on redhat7 from NetApp 7-mode, try following command:
[root@redhatcentos7 ~]# mount -t cifs -o vers=1.0,username=Administrator,password=xxxxx,domain=TEST.COM //192.168.0.5/vol_test /mnt/7mode

 

Please note: This is specific to linux clients, in this kernel version the minimal supported dialect is 2.1 which apparently was rejected by 7-mode. Hence, had to be mounted via 1.0.


Recommendations based on testing:
From linux clients (as SMB Clients) works with dialect 1.0 with 7-mode.
From linux clients (as SMB Clients) works with 2.0,2.1 or higher 3.0 with cDOT/ONTAP

 

To mount:

 

7-mode SMB Server shares:
mount -t cifs -o vers=1.0,username=Administrator,password=xxx,domain=TEST.COM //192.168.0.5/vol_test /mnt/7mode

 

cDOT/ONTAP SMB Server shares:
mount -t cifs -o vers=2.0,username=Administrator,password=xxx,domain=TEST.COM //192.168.0.7/fin /cdot
mount -t cifs -o vers=2.1,username=Administrator,password=xxx,domain=TEST.COM //192.168.0.7/fin /cdot
mount -t cifs -o vers=3.0,username=Administrator,password=xxx,domain=TEST.COM //192.168.0.7/fin /cdot


To check SMB dialects:
7-mode:
filer> cifs sessions -t

 

cDOT/ONTAP
::> cifs session show -vserver <vserver> -fields protocol-version,address


Thanks!

pgc
11,634 Views

 

>In order to negotiate SMB2.1 or higher protcols use "cDOT"/ONTAP.

 

Sorry but I'm not well versed with NetApp's OS versioning ... can you tell me which ONTAP version that references? 8.4? 9.0?  I want to make sure that I make the correct recommendation.

 

thanks for your excellent support,

Paul

Ontapforrum
11,098 Views


You're welcome.

For your information, I will try to keep it simple.

 

7-mode [Which is known as HA Pair, non-clustered] : Is available until 8.2.x only, end of journey for 7-mode NetApp OS. [Data ONTAP 8.3 and later do not include a 7-Mode version]. This 7-mode version supports only SMB2.0 & 2.1 dialects. However, certain versions of "Linux" (Not Windows) as 'SMB Client' can only negotiate SMB1.0. Hence, if even if 7-mode is capable of negotiating SMB2.0/2.1, client fails to connect as we observed in the logs previously.

 

Cluster Data ONTAP: Until 8.3.x was called cluster Data ONTAP [Cluster-Mode], however since 9.x it is renamed to simply 'ONTAP'. Hence, what I had mentioned as 'cDOT/ONTAP', I was basically referring to 'Clustered Ontap', which we now call 'ONTAP'. In cDOT, since cDOT 8.2, higher SMB dialects are supported such as SMB2.0,2.1,3.0. I mean cDOT 8.2 and not 7-mode 8.2, and there is no 8.4 in either.


Following Linux 'kernel' as SMB Client and ONTAP 9.x as SMB Server works with SMB Dialects 1.0,2.0,2.1 & 3.0. Please note, I haven't tested all the kernels, but this was minimum Centos7 that I downloaded and tested and it seems to work.
[root@redhatcentos7 ~]# uname -a
Linux redhatcentos7 3.10.0-1062.el7.x86_64


Output from my 9.1P13 NetApp Simulator:
::> cifs session show -fields protocol-version,address
node vserver session-id connection-id address protocol-version
--------- ------- ---------- ------------- ------------- ----------------
cdot91-01 cifs 14047853137675419654
2157827681 192.168.0.39 SMB1
cdot91-01 cifs 14047853137675419656
2157827683 192.168.0.39 SMB2
cdot91-01 cifs 14047853137675419652
2157827677 192.168.0.39 SMB2_1
cdot91-01 cifs 14047853137675419654
2157827681 192.168.0.39 SMB3

Thanks!

Public