CIFS mount fails with error "mount error(2): No such file or directory"
This document (000021162) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 15
Federal Information Processing Standard (FIPS)
- Mounting a CIFS share fails with this error
# mount.cifs -o sec=ntlmssp //smb-server/sambagroup /cifstest/ -vvvv Password for root@//smb-server/sambagroup: ****** mount error(2): No such file or directory Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
- Following errors are observed in the kernel log messages (dmesg)
# dmesg -T [Wed Aug 9 06:00:04 2023] alg: hmac(md5) (hmac(md5-generic)) is disabled due to FIPS [Wed Aug 9 06:00:04 2023] CIFS: VFS: Could not allocate shash TFM 'hmac(md5)' [Wed Aug 9 06:00:04 2023] CIFS: VFS: Error -2 during NTLMSSP authentication [Wed Aug 9 06:00:04 2023] CIFS: VFS: \\smb-server Send error in SessSetup = -2 [Wed Aug 9 06:00:04 2023] CIFS: VFS: cifs_mount failed w/return code = -2 [Wed Aug 9 07:17:33 2023] CIFS: Attempting to mount \\smb-server\sambagroup [..]
- FIPS is enabled
# sysctl -a | grep fips crypto.fips_enabled = 1 # cat /proc/cmdline BOOT_IMAGE=/vmlinuz-5.14.21-150400.24.46-default root=UUID=c3c2cc2a-84f7-4495-9816-f8e2df8155e0 boot=/dev/sda3 USE_BY_UUID_DEVICE_NAMES=1 earlyprintk=ttyS0 console=ttyS0 rootdelay=300 net.ifnames=0 dis_ucode_ldr scsi_mod.use_blk_mq=1 multipath=off fips=1
Option 1: Disable FIPS to mount the CIFS share successfully.
- To disable FIPS,
- Change the sysctl value of crypto.fips_enabled to 0
- Also, modify the GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub file and remove the parameter fips=1
- It is required to recreate the grub file and initrd image after making changes to grub command line
o Recreate grub file: # grub2-mkconfig -o /boot/grub2/grub.cfg o Recreate initrd image: # mkinitrd
- Warning: FIPS maybe needed for specific applications. Please ensure the same before disabling FIPS.
Option 2: Convert to using Kerberos security for the cifs mounts. Kerberos is a large and complex undertaking, so the steps will not be covered here.
- FIPS non-approved algorithms: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2355.pdf
- NTLMSSP protocol: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b38c36ed-2804-4868-a9ff-8dd3182128e4
- SUSE statements on FIPS compliance: https://documentation.suse.com/ja-jp/sles/15-SP4/html/SLES-all/cha-security-fips.html
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021162
- Creation Date: 10-Aug-2023
- Modified Date:10-Aug-2023
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com