Bug in NetApp Filer SMB protocol implementation make CIFS share unmountable from Ubuntu

Bug #479272 reported by Etienne Goyer
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Fix Released
linux (Ubuntu)
Won't Fix

Bug Description

Reportedly, a bug in NetApp Filer SMB protocol implementation make it impossible to mount a CIFS share on such a server from Ubuntu using mount.cifs and the cifs kernel module when using Kerberos authentication. The problem is being discussed in upstream Samba bug tracker at:


The bug is triggered by trying to mount the CIFS share using a command such as:

    mount.cifs //netappfiler/share /mnt -o sec=krb5i

Note that using sec=krb5 does not work either. When using NTLM authentication (by not specifying a sec=... mount option), the mount works as expected.

This have been confirmed in jaunty so far on kernel 2.6.28-15-generic. We are in the process of testing on karmic, and on jaunty using mainline kernel.

We have logs, but the content are somewhat sensitive and would take great effort to sanitize. The important bit is that we have exactly the same error in dmesg as the snippet that is posted in the upstream Samba bug report linked above (dialect:2; negprot rc -5). If you need anything specific in term of log, please ask and I will get it for you.

affects: linux-meta (Ubuntu) → linux (Ubuntu)
Revision history for this message
Leann Ogasawara (leannogasawara) wrote :

Below is the patch posted to the upstream bug report which is basically a hack to work around the NetApp bug. Upstream even notes, "That doesn't quite look right... Just because the server supports extended security we can't assume that we're
actually using extended security. I think we'll need to do something different if we want to work around this netapp bug." With that said, I can build a jaunty test kernel for TESTING PURPOSES ONLY. This will not qualify for an SRU nor be supported going forward.

+++ cifssmb.c 2009-09-01 14:20:34.000000000 +0200
@@ -647,7 +647,8 @@
        if (pSMBr->EncryptionKeyLength == CIFS_CRYPTO_KEY_SIZE) {
                memcpy(server->cryptKey, pSMBr->u.EncryptionKey,
- } else if ((pSMBr->hdr.Flags2 & SMBFLG2_EXT_SEC)
+ } else if (((pSMBr->hdr.Flags2 & SMBFLG2_EXT_SEC)
+ || (server->capabilities & CAP_EXTENDED_SECURITY))
                        && (pSMBr->EncryptionKeyLength == 0)) {
                /* decode security blob */
        } else if (server->secMode & SECMODE_PW_ENCRYPT) {
@@ -657,7 +658,7 @@

        /* BB might be helpful to save off the domain of server here */

- if ((pSMBr->hdr.Flags2 & SMBFLG2_EXT_SEC) &&
+ if ((pSMBr->hdr.Flags2 & SMBFLG2_EXT_SEC) ||
                (server->capabilities & CAP_EXTENDED_SECURITY)) {
                count = pSMBr->ByteCount;
                if (count < 16) {

Changed in linux (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Revision history for this message
Etienne Goyer (etienne-goyer-outlands) wrote :

Understood. A kernel with the above patch applied would, at least, allow us to confirm that the bug is really where we think it is. We can then report our finding upstream to Samba, and collaborate to test a permanent solution.

Thanks a lot!

Revision history for this message
Leann Ogasawara (leannogasawara) wrote :
Revision history for this message
Etienne Goyer (etienne-goyer-outlands) wrote :

Leann, would it be too much to ask for a 32 bits build? Thanks! :)

Revision history for this message
Leann Ogasawara (leannogasawara) wrote :

Hi Etienne,

I've pushed i386 builds to http://people.canonical.com/~ogasawara/lp479272/i386/

Revision history for this message
Etienne Goyer (etienne-goyer-outlands) wrote :

Thanks Leann. The patch works, to a certain extent. We can now mount a share from the NetApp Filer, where we could not before. However, we had to use option "sec=krb5" with mount.cifs, where "sec=krb5i" (Kerberos authentication with packet signing) would be preferred and works with other kerberized CIFS server.

For the record, the command line used to mount a share from the NetApp Filer is:

    $ mount.cifs -o sec=krb5,file_mode=0600,dir_mode=0700 //fqdn-of-netapp-filer/sharename /home/user/mountpoint

Also for the record, we are using Likewise Open 5.0.3991.1 (package likewise-open5 5.0.3991.1-0ubuntu2).

Changed in samba:
status: Unknown → In Progress
Changed in samba:
importance: Unknown → Medium
Revision history for this message
roelof van der kleij (r-g-van-der-kleij) wrote :

I was just about to post a bug report on krb-5 when I spotted this bug report.

Is it certain this is a samba bug? We were hit by it too, And I stumbled over this thread on the MIT mailing list:


Ubuntu 10.04 and 10.10 are affected (krb 1.8.1) , but the Debian Wheezy 20110328 works with our Netapp (and uses krb 1.8.3).

Revision history for this message
roelof van der kleij (r-g-van-der-kleij) wrote :

I just tested Lucid with the kerberos version from Sam Hartman's PPA (1.9.0) and I cannot connect to the netapp cifs share with it, I still get KRB5KRB_AP_ERR_MODIFIED back from the netapp.
I then realized the samba version in Wheezy would have a number of netapp related workarounds applied, which is why it works there.

So, sorry for the noise :-(

Revision history for this message
Brad Figg (brad-figg) wrote : Unsupported series, setting status to "Won't Fix".

This bug was filed against a series that is no longer supported and so is being marked as Won't Fix. If this issue still exists in a supported series, please file a new bug.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: Triaged → Won't Fix
Changed in samba:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.