The mount -t cifs command fails to mount an AD share if the AD server requires NTLMv2 with "Extended Security"
This document (7015602) is provided subject to the disclaimer at the end of this document.
At the server console the following command fails when pointed to an AD server that requires NTLMv2 authentication:
mount - t cifs //<server>/<share> /mnt/Shared -o username=<username>,password=<password>
Additionally this command which adds the sec=ntlmv2 option also fails:
mount - t cifs //<server>/<share> /mnt/Shared -o sec=ntlmv2,username=<username>,password=<password>
The error is the /var/log/messages file includes this:
kernel: [1034154.505426] CIFS VFS_mount failed w/return code = -13
Adding the security option for ntlmssp works.
mount - t cifs //<server>/<share> /mnt/Shared -o sec=ntlmssp,username=<username>,password=<password>
Another solution would be to change the AD server to allow ntlmv2 without "extended security".
Microsoft has a Hotfix for this issue which can be found here:
Here is a quote from that Microsoft document.
"This problem occurs because of an additional security check in Windows Server 2008 and in Windows Vista. This problem is limited to clients that use NTLMv2 authentication without extended security."
This document simply addresses the mismatch in authentication mechanisms.
There may also be an issue with "signatures" which is a separate issue.
In other words after making sure that the authentication matches you might still need to make sure that signature requirements align.
For example, if you want to access a resource on a Windows server and that server requires signatures, then your client must provide signatures to gain access.
- Document ID:7015602
- Creation Date: 27-Aug-2014
- Modified Date:03-Mar-2020
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: email@example.com