CIFS mount fails with error "mount error(2): No such file or directory"
This document (000021162) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15
Federal Information Processing Standard (FIPS)
CIFS
Situation
- Mounting a CIFS share fails with this error:
    # mount.cifs -o sec=ntlmssp //smb-server/sambagroup /cifstest/ -vvvv
    Password for root@//smb-server/sambagroup: ******
    mount error(2): No such file or directory
    Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
- The following errors are observed in the kernel log messages (dmesg):
    # dmesg -T
    [Wed Aug 9 06:00:04 2023] alg: hmac(md5) (hmac(md5-generic)) is disabled due to FIPS
    [Wed Aug 9 06:00:04 2023] CIFS: VFS: Could not allocate shash TFM 'hmac(md5)'
    [Wed Aug 9 06:00:04 2023] CIFS: VFS: Error -2 during NTLMSSP authentication
    [Wed Aug 9 06:00:04 2023] CIFS: VFS: \\smb-server Send error in SessSetup = -2
    [Wed Aug 9 06:00:04 2023] CIFS: VFS: cifs_mount failed w/return code = -2
    [Wed Aug 9 07:17:33 2023] CIFS: Attempting to mount \\smb-server\sambagroup
    [..]
- FIPS is enabled:
    # sysctl -a | grep fips
    crypto.fips_enabled = 1
    # cat /proc/cmdline
    BOOT_IMAGE=/vmlinuz-5.14.21-150400.24.46-default root=UUID=c3c2cc2a-84f7-4495-9816-f8e2df8155e0 boot=/dev/sda3 USE_BY_UUID_DEVICE_NAMES=1 earlyprintk=ttyS0 console=ttyS0 rootdelay=300 net.ifnames=0 dis_ucode_ldr scsi_mod.use_blk_mq=1 multipath=off fips=1
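The checks above combined into one triage function, as an added example that is not part of the SUSE document: mount error(2) is a generic "not found" code, so the function reports the FIPS case only when FIPS is on and the log shows both the hmac(md5) allocation failure and the NTLMSSP error. The function names and the embedded sample log are constructed for illustration.

```sh
#!/bin/sh
# Added example (not SUSE code): decide whether a CIFS "mount error(2)"
# matches the FIPS / hmac(md5) signature shown in this document.
# All function names are hypothetical.

# Constructed sample input, modelled on the dmesg lines above.
sample_dmesg() {
cat <<'EOF'
[Wed Aug 9 06:00:04 2023] alg: hmac(md5) (hmac(md5-generic)) is disabled due to FIPS
[Wed Aug 9 06:00:04 2023] CIFS: VFS: Could not allocate shash TFM 'hmac(md5)'
[Wed Aug 9 06:00:04 2023] CIFS: VFS: Error -2 during NTLMSSP authentication
[Wed Aug 9 06:00:04 2023] CIFS: VFS: cifs_mount failed w/return code = -2
EOF
}

# Print 1 or 0 from the given file (default: the live kernel setting).
fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else printf '0'; fi
}

# Usage: dmesg | diagnose_cifs_fips "$(fips_state)"
# Prints one verdict: fips-ntlmssp | other-cifs-error | no-cifs-error
diagnose_cifs_fips() {
    fips="$1"
    log="$(cat)"   # kernel log text from stdin
    # Fixed-string search of the captured log.
    has() { printf '%s\n' "$log" | grep -Fq -- "$1"; }

    if ! has 'CIFS: VFS: cifs_mount failed w/return code = -2'; then
        echo "no-cifs-error"
    elif [ "$fips" = "1" ] \
        && has "Could not allocate shash TFM 'hmac(md5)'" \
        && has 'during NTLMSSP authentication'; then
        # The kernel refused hmac(md5) under FIPS, so NTLMSSP auth failed.
        echo "fips-ntlmssp"
    else
        # Same errno, but the FIPS signature is incomplete: look elsewhere.
        echo "other-cifs-error"
    fi
}
```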
Resolution
Option 1: Disable FIPS to mount the CIFS share successfully.
- To disable FIPS:
  - Change the sysctl value of crypto.fips_enabled to 0.
  - Also modify GRUB_CMDLINE_LINUX_DEFAULT in the /etc/default/grub file and remove the parameter fips=1.
  - After changing the GRUB command line, the grub file and the initrd image must be recreated:
    o Recreate grub file: # grub2-mkconfig -o /boot/grub2/grub.cfg
    o Recreate initrd image: # mkinitrd
- Warning: FIPS may be needed for specific applications. Please confirm this before disabling FIPS.
Option 2: Convert to using Kerberos security for the cifs mounts. Kerberos is a large and complex undertaking, so the steps will not be covered here.
Cause
Additional Information
- FIPS non-approved algorithms: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2355.pdf
- NTLMSSP protocol: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b38c36ed-2804-4868-a9ff-8dd3182128e4
- SUSE statements on FIPS compliance: https://documentation.suse.com/ja-jp/sles/15-SP4/html/SLES-all/cha-security-fips.html
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021162
- Creation Date: 09-Aug-2023
- Modified Date: 10-Aug-2023
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com