I've found another interesting fact by searching the mount.cifs man page, quote:
sec=
Security mode. Allowed values are:
· none - attempt to connection as a null user (no name)
· krb5 - Use Kerberos version 5 authentication
· krb5i - Use Kerberos authentication and forcibly enable packet signing
· ntlm - Use NTLM password hashing
· ntlmi - Use NTLM password hashing and force packet signing
· ntlmv2 - Use NTLMv2 password hashing
· ntlmv2i - Use NTLMv2 password hashing and force packet signing
· ntlmssp - Use NTLMv2 password hashing encapsulated in Raw NTLMSSP message
· ntlmsspi - Use NTLMv2 password hashing encapsulated in Raw NTLMSSP message, and force packet signing
The default in mainline kernel versions prior to v3.8 was sec=ntlm. In v3.8, the default was changed to sec=ntlmssp.
If the server requires signing during protocol negotiation, then it may be enabled automatically. Packet signing may also be enabled automatically if it's enabled in /proc/fs/cifs/SecurityFlags.
With this in mind, if I go ahead and change the mount to use vers=3.0 again and add option sec=ntlmsspi it works like a charm, see below example:
//x.y.z.w/share /mnt/share cifs vers=3.0,iocharset=utf8,noperm,rw,uid=root,file_mode=0660,dir_mode=0770,credentials=/credentials.file,sec=ntlmsspi 0 0
Above fix works on both Xenial (using 4.4.0-98-generic) and Trusty (using 3.13.0-135-generic)
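
Added example, not part of the original comment or of cifs-utils: a shell function that lists the cifs entries in an fstab-format file and reports whether each sec= value is one of the signing-forcing modes from the man page excerpt above. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Modes ending in "i" (krb5i, ntlmi, ntlmv2i, ntlmsspi) force packet signing
# according to the man page text quoted above. Any other value, or no sec=
# option at all, leaves signing to protocol negotiation and SecurityFlags.

cifs_signing_audit() {
    # $1: path to an fstab-format file
    awk '
        /^[ \t]*#/ || NF < 4 { next }   # skip comments and short lines
        $3 != "cifs"         { next }   # only CIFS mounts
        {
            sec = "default"; vers = "default"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^sec=/)  sec  = substr(opt[i], 5)
                if (opt[i] ~ /^vers=/) vers = substr(opt[i], 6)
            }
            forced = (sec ~ /^(krb5i|ntlmi|ntlmv2i|ntlmsspi)$/) ? "forced" : "not-forced"
            printf "%s vers=%s sec=%s signing=%s\n", $2, vers, sec, forced
        }
    ' "$1"
}

# Constructed sample input: the entry from the comment plus one without sec=.
sample_fstab() {
    cat <<'EOF'
# constructed sample entries
//x.y.z.w/share /mnt/share cifs vers=3.0,iocharset=utf8,noperm,rw,uid=root,file_mode=0660,dir_mode=0770,credentials=/credentials.file,sec=ntlmsspi 0 0
//x.y.z.w/other /mnt/other cifs vers=3.0,credentials=/credentials.file 0 0
UUID=0000 / ext4 defaults 0 1
EOF
}

# Demo run against the constructed sample; point it at /etc/fstab in practice.
tmp=$(mktemp)
sample_fstab > "$tmp"
cifs_signing_audit "$tmp"
rm -f "$tmp"
```

An entry reported as signing=not-forced can still end up signed if the server requires it during negotiation, as the quoted man page text notes.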