CIFS mount fails with error "mount error(2): No such file or directory"

This document (000021162) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 15
Federal Information Processing Standard (FIPS)
CIFS

Situation

Mounting a CIFS share fails with this error

# mount.cifs -o sec=ntlmssp //smb-server/sambagroup /cifstest/ -vvvv
Password for root@//smb-server/sambagroup:  ******
mount error(2): No such file or directory
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

Following errors are observed in the kernel log messages (dmesg)

# dmesg -T
[Wed Aug  9 06:00:04 2023] alg: hmac(md5) (hmac(md5-generic)) is disabled due to FIPS
[Wed Aug  9 06:00:04 2023] CIFS: VFS: Could not allocate shash TFM 'hmac(md5)'
[Wed Aug  9 06:00:04 2023] CIFS: VFS: Error -2 during NTLMSSP authentication
[Wed Aug  9 06:00:04 2023] CIFS: VFS: \\smb-server Send error in SessSetup = -2
[Wed Aug  9 06:00:04 2023] CIFS: VFS: cifs_mount failed w/return code = -2
[Wed Aug  9 07:17:33 2023] CIFS: Attempting to mount \\smb-server\sambagroup
[..]

FIPS is enabled

# sysctl -a | grep fips
crypto.fips_enabled = 1

# cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-5.14.21-150400.24.46-default root=UUID=c3c2cc2a-84f7-4495-9816-f8e2df8155e0 boot=/dev/sda3 USE_BY_UUID_DEVICE_NAMES=1 earlyprintk=ttyS0 console=ttyS0 rootdelay=300 net.ifnames=0 dis_ucode_ldr scsi_mod.use_blk_mq=1 multipath=off fips=1

Resolution

There are two options. Either disable FIPS, so CIFS will be allowed to use NTLMSSP security, or convert to using Kerberos authentication, which is considered secure enough to be compliant with FIPS.

Option 1: Disable FIPS to mount the CIFS share successfully.

To disable FIPS,
- Change the sysctl value of crypto.fips_enabled to 0
- Also, modify the GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub file and remove the parameter fips=1
It is required to recreate the grub file and initrd image after making changes to grub command line

o Recreate grub file:
# grub2-mkconfig -o /boot/grub2/grub.cfg

o Recreate initrd image:
# mkinitrd

Warning: FIPS maybe needed for specific applications. Please ensure the same before disabling FIPS.

Option 2: Convert to using Kerberos security for the cifs mounts. Kerberos is a large and complex undertaking, so the steps will not be covered here.

Cause

The mount fails because FIPS is enabled on the cifs-client system. NTLMSSP authentication requires MD5 hashing algorithm which is disabled when the system is made FIPS compliant. In other words, use of MD4/MD5 is not approved by FIPS. https://documentation.suse.com/ja-jp/sles/15-SP4/html/SLES-all/cha-security-fips.html Hence, disabling the FIPS enables the use of MD5 and subsequently the CIFS share can be mounted successfully with NTLMSSP authentication

Additional Information

For more information, please refer to:

FIPS non-approved algorithms: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp2355.pdf
NTLMSSP protocol: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b38c36ed-2804-4868-a9ff-8dd3182128e4
SUSE statements on FIPS compliance: https://documentation.suse.com/ja-jp/sles/15-SP4/html/SLES-all/cha-security-fips.html

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

Document ID:000021162
Creation Date: 10-Aug-2023
Modified Date:10-Aug-2023
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com