ONTAP Discussions

when mounting CIFS on linux

cheese123

after mounting a CIFS share on a linux system (rhel8, fully patched) i sometimes get:

 

 CIFS: VFS: sign fail cmd 0x8 message id 0x107ebf
 CIFS: VFS: \\FILER\SHARE SMB signature verification returned error = -13

 

the mount seems to work, but i don't know if this is true for every access.

 

there exists a KB article at https://kb.netapp.com/on-prem/ontap/da/NAS/NAS-KBs/SAMBA_Client_returns_SMB_signature_verification_error

 

where i'm advised to use nfs instead.

seriously?

CIFS and NFS are NOT interchangeable. e.g. complex permission sets don't translate from one to another.

 

there seems to be an old KB at https://www.suse.com/support/kb/doc/?id=000020670

where suse recommended to upgrade from 9.5.P13 to ontap 9.5P14

maybe just a similar error, and not the same. hopefully not the same 🙂

I don't have any clue which bug/feature was fixed in 9.5.P14

 

 

4 REPLIES

parisi

"sign fail" sounds like your domain controller or CIFS server requires SMB signing and the Linux SMB client either doesn't support it or can't perform signing properly. A packet capture would likely show that.

 

I would start down that path. Workarounds would be to disable signing (perhaps via smb.conf?) or to try using krb5 as a mount option in the SMB mount, as shown here:

 

Mounting ONTAP CIFS/SMB shares with Linux – Guidelines and tips | Why Is The Internet Broken?

 

If the Linux client is not domain joined, I would suggest doing that as well.

cedric_renauld

Hello

Is your Linux the only client for this share?

I think your SVM is registered in an AD... have you patched this AD last month?

You can check this KB: https://kb.netapp.com/Support_Bulletins/Customer_Bulletins/SU530

And the SMB version you use in the linux client, but be aware, the first ONTAP patch version is 9.7Pxx ...

Maybe try to see which type of connection you have on the SVM:

vserver cifs session show -node <node_name> -vserver <vserver_name> -fields auth-mechanism

https://kb.netapp.com/on-prem/ontap/OHW/OHW-KBs/How_Authentication_Mechanism_of_established_CIFS_session_can_be_identified

this SVM is domain joined and has mostly MS-clients and some linux-clients. only the linux-clients seem to have those failure-messages, but i have to admit: i don't know what windows-event would be the correct one to search for.

 

ontap is currently on 9.13.1P8. AD got patched, as we always patch every month.

connection is with NTLMv2

 

node   vserver       session-id          connection-id auth-mechanism
------ ------------- ------------------- ------------- --------------
M1I-B1 M1I_P_NASCIFS 5801762219961510814 1680822000    NTLMv2

 

ChLokesh

Hello,

 

The KB you are referring to is only suggesting a workaround.

 

- The error message "CIFS: VFS: \\FILER\SHARE SMB signature verification returned error = -13" indicates that there is an issue with the SMB (Server Message Block) protocol's signature verification process.

- This typically happens when there is a mismatch or problem with the security signatures used to authenticate.
- SMB signing can be configured to be required, enabled, or disabled. Please ensure that the settings on both the client and the server match.
- Since you are using a Linux client, check the /etc/samba/smb.conf configuration file for any settings related to SMB signing. You might need to adjust the client signing and server signing parameters.

 

- As a temporary measure, you can disable SMB signing to see if the issue is related to the signing process. Note that this reduces security, so it should only be used for troubleshooting purposes.

 

Cheers!
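
To see whether the signing failures hit every access or only certain operations, the kernel messages quoted in the question can be tallied per share and SMB command. This is an added example, not part of any post in the thread; it assumes an SMB 2.x/3.x mount (so `cmd` is an SMB2 command code) and runs on constructed sample lines modelled on the two quoted above.

```python
import errno
import re
from collections import Counter

# SMB2 command codes as defined in MS-SMB2. Assumption: the mount uses
# SMB 2.x/3.x; the codes mean something else on an SMB1 mount.
SMB2_COMMANDS = dict(enumerate([
    "NEGOTIATE", "SESSION_SETUP", "LOGOFF", "TREE_CONNECT", "TREE_DISCONNECT",
    "CREATE", "CLOSE", "FLUSH", "READ", "WRITE", "LOCK", "IOCTL", "CANCEL",
    "ECHO", "QUERY_DIRECTORY", "CHANGE_NOTIFY", "QUERY_INFO", "SET_INFO",
    "OPLOCK_BREAK"]))

SIGN_FAIL = re.compile(r"CIFS: VFS: sign fail cmd (0x[0-9a-fA-F]+) message id")
VERIFY_ERR = re.compile(
    r"CIFS: VFS: (\\\\\S+) SMB signature verification returned error = (-?\d+)")

# Constructed sample input: the first pair matches the lines in the question,
# the timestamps and the other pairs are made up for the example.
SAMPLE = [
    r"[ 1001.10] CIFS: VFS: sign fail cmd 0x8 message id 0x107ebf",
    r"[ 1001.10] CIFS: VFS: \\FILER\SHARE SMB signature verification returned error = -13",
    r"[ 1050.42] CIFS: VFS: sign fail cmd 0x8 message id 0x107f01",
    r"[ 1050.42] CIFS: VFS: \\FILER\SHARE SMB signature verification returned error = -13",
    r"[ 1300.07] CIFS: VFS: sign fail cmd 0x10 message id 0x108a20",
    r"[ 1300.07] CIFS: VFS: \\FILER\SHARE SMB signature verification returned error = -13",
]

def summarize(lines):
    """Count signature failures per (share, SMB2 command, errno name)."""
    counts, pending = Counter(), None
    for line in lines:
        if (m := SIGN_FAIL.search(line)):
            # Remember the command until the matching per-share line arrives.
            code = int(m.group(1), 16)
            pending = SMB2_COMMANDS.get(code, hex(code))
        elif (m := VERIFY_ERR.search(line)):
            # The kernel logs a negative errno; -13 is EACCES.
            err = errno.errorcode.get(-int(m.group(2)), m.group(2))
            counts[(m.group(1), pending or "unknown", err)] += 1
            pending = None
    return counts

if __name__ == "__main__":
    for (share, cmd, err), n in summarize(SAMPLE).most_common():
        print(f"{n:4d}  {share}  {cmd}  {err}")
```

On a real client, pass the lines of `dmesg` or `journalctl -k` to `summarize()` instead of `SAMPLE`.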
