Backup to windows SMB credential issue (Nethserver v7)

NethServer Version: 7.4.1708
Module: Backup

Hi everyone. First and foremost, thanks for the Nethserver project! I have used it to successfully migrate a friend off of Exchange to an open-source solution that has most of the same functionality they needed (and in some cases, more ;))

So here’s my problem. I migrated from Nethserver 6 to 7 (to new hardware, so it was a messy migration, but it’s complete at this point). The backup on the old server worked flawlessly backing up to a Windows server (using a local credential and complex password). The credential was in the format of USERNAME: .\backupuser and PASSWORD: blah%blah&blah% (there are 2 percentage signs and a single $ sign)

This worked before. On the new Nethserver I enter the same credentials and I get a mount failure (invalid permissions (13)). I then mounted the volume manually on the Nethserver by escaping the characters (blah%blah$blah%) and the mount succeeded. I entered that in as the new password in the password field but it still doesn’t mount successfully (same error).

Does anyone have any recommendations or thoughts?

Hi,

Welcome aboard. First of all, did you try with a password without ‘special’ characters?

I believe I had but to be thorough I will test it now.

Okay. So I tested the backup with an account that had a simple password (Password123-).

Failed again with a mount permission error(13).
Checked the eventlogs on the Windows box (which is on a separate domain across a WAN link) and it shows the user account failed to log in, but it seems that the .\ didn’t force the account to use the local db instead of the domain auth.

So maybe it’s not the password being the problem but how the account is presented? Again, I tested manually mounting it using mount -t cifs \server\share /mount/mountpath/ -o username=demouser,password=Password123-,domain=.\ and that worked.

Just want to point out that I had actually escaped the .\ but it seems the html formatting cleared that O.o

AFAIK it should work.

@nrauso did you encounter similar problems?

I tried to backup to a Windows Server 2016 DC now and it worked just without “.”. You may also try if it works with local hostname like WINDOWSSERVER\backupuser.

I had a similar problem but in a completely different scenario.
I solved the issue using the advice reported in this post: https://www.centos.org/forums/viewtopic.php?t=58549#p247236

You can give it a try, your situation seems different though.

1 Like

Hi guys. So I did some more testing.

Firstly, mrmarkuz, having the account on the DC kinda negates what I’m trying to achieve here. The server I’m backing up to is in a separate domain but the account is local to that server.
I have tried with just the username, servername\username and .\username. None seem to work.
Manually mounting does work, and the old server’s backup (NS6) still works too.

What changed in the backup script that could cause this?

For now I’m going to add an account into my other domain and see if that works, although that will only be a temporary solution as I don’t like having cross-domain accounts.

Here is the code snippet that actually mounts the smb share :

/bin/mount -t cifs "//$smbhost/$smbshare" $mntdir -o credentials=$tmp,nounix

As far as I can see there is no change between v6 & v7 from that point of view.

Ref : https://github.com/NethServer/nethserver-backup-data/blob/master/root/etc/e-smith/events/actions/mount-cifs

2 Likes

I tested it now with Windows Server 2016 joined to another domain and you are right. It worked with local domain, it worked with no AD at all but it didn’t work as member.

Thanks to @nrauso, sec=ntlm did the trick in my tests.

So this worked for me:

mount -t cifs //192.168.1.121/backup /mnt/backup/ -o sec=ntlm,username=Administrator,password=SeCrEt1$%

Workaround till we have a better solution:

Edit /etc/e-smith/events/actions/mount-cifs and add “sec=ntlm” at line 66 to change it from

$err = qx(/bin/mount -t cifs "//$smbhost/$smbshare" $mntdir -o credentials=$tmp,nounix 2>&1);

to

$err = qx(/bin/mount -t cifs "//$smbhost/$smbshare" $mntdir -o sec=ntlm,credentials=$tmp,nounix 2>&1);

Now the backup should work.

As I’ve read, this is a kind of compatibility mode for older devices, as ntlmssp is the new default. The question is: Why does Windows Server need NTLM when joined to another domain? But I think that’s another MS feature :smiley:
The difference between NS6 and NS7 in this case is just a change in samba default behaviour so it’s not directly NS related.

Source:

https://ubuntuforums.org/showthread.php?t=2230952

3 Likes

Hey everyone.

Thanks for the help! It’s been awesome. I’m going to make the changes to the template file as detailed.

The other thing I might add is that this domain is a vanilla domain so it’s pretty default. Might explain why it’s still accepting NTLM. I might try as a future test to modify the NTLM acceptance policy on all the systems to drop ntlm instead of allowing it.

Yes, that’s exactly the workaround I took.
Nice shot @mrmarkuz, as always! :wink:

2 Likes

There is another thing you should consider.
From the man of mount.cifs:

 sec=
           ...

           The default in mainline kernel versions prior to v3.8 was sec=ntlm. In v3.8, the default was changed to sec=ntlmssp.

Maybe this change could have contributed to the issue.

2 Likes
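
Added example, not part of any post above and not NethServer code: a shell sketch that keeps the password in a 0600 credentials file, where %, $, & and commas need no escaping, and tries the NTLM-family sec= modes named in the thread strongest first, so sec=ntlm is only reached as a last resort. The function names are hypothetical, the account values in the comments are constructed, and passing the server's own name as domain= for a local account is an assumption to verify against the target.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not part of nethserver-backup-data.

# write_cifs_creds FILE USER PASSWORD [DOMAIN]
# mount.cifs takes everything after "password=" up to the end of the line,
# so special characters are stored literally, without shell escaping.
write_cifs_creds() {
    ( umask 077
      : > "$1" || exit 1
      chmod 600 "$1" || exit 1      # also tighten a pre-existing file
      printf 'username=%s\n' "$2" >> "$1"
      printf 'password=%s\n' "$3" >> "$1"
      if [ -n "${4:-}" ]; then      # assumption: server name for a local account
          printf 'domain=%s\n' "$4" >> "$1"
      fi )
}

# cifs_opts CREDS_FILE SEC
# Builds the -o string; only the three NTLM modes compared here are accepted.
cifs_opts() {
    case $2 in
        ntlmssp|ntlmv2|ntlm)
            printf 'sec=%s,credentials=%s,nounix\n' "$2" "$1" ;;
        *)
            echo "unsupported sec mode: $2" >&2
            return 1 ;;
    esac
}

# probe_sec UNC MNTDIR CREDS_FILE
# Tries ntlmssp, then ntlmv2, then ntlm, and prints the first mode the server
# accepts. Needs root and a reachable share; the test mount is released again.
probe_sec() {
    for sec in ntlmssp ntlmv2 ntlm; do
        opts=$(cifs_opts "$3" "$sec") || return 1
        if /bin/mount -t cifs "$1" "$2" -o "$opts" 2>/dev/null; then
            /bin/umount "$2"
            echo "$sec"
            return 0
        fi
    done
    return 1
}

# Constructed usage (placeholder names):
#   write_cifs_creds /root/.backup.cred backupuser 'bl%ah$bl&ah%' WINDOWSSERVER
#   probe_sec //WINDOWSSERVER/backup /mnt/backup /root/.backup.cred
```

If probe_sec prints ntlm, the server is refusing the NTLMv2-based modes for that account, which is worth resolving on the Windows side before leaving sec=ntlm in the backup action.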