* Mounting share on NetApp using SMB 3.1.1 and encryption
From: Till Dörges @ 2021-02-19 20:57 UTC (permalink / raw)
To: linux-cifs
Hello everyone,
I'm trying to connect a Linux client to a NetApp server.
The server is running OnTap 9.7P6.
On the client I use:
--- snip ---
smbclnt:~ # modinfo cifs | egrep '^version'
version: 2.22
smbclnt:~ # mount.cifs -V
mount.cifs version: 6.9
smbclnt:~ # uname -a
Linux smbclnt 5.3.18-lp152.63-default #1 SMP Mon Feb 1 17:31:55 UTC 2021 (98caa86)
x86_64 x86_64 x86_64 GNU/Linux
--- snap ---
Unfortunately it's not working out of the box.
According to the admins the server requires SMB 3.1.1 and encryption.
Moreover they say the server only offers a limited set of ciphers (i.e.
DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384).
Apart from the security requirements the server uses DFS and nested name spaces.
I don't have access to the server and Linux client knowledge is limited. So I'm
somewhat stuck with trial and error.
My current understanding is that for "SMB 3.1.1 and encryption" I have to pass
options "seal,vers=3.1.1" to mount.cifs.
I'm not sure what to make of the required ciphers though. I'm guessing that's only
needed for doing LDAP over SSL (LDAPS).
But it seems that's nothing mount.cifs actually has to use?
(Quickly skimming through the source of cifs.ko I only found the symbols
SMB2_ENCRYPTION_AES128_CCM, SMB2_ENCRYPTION_AES128_GCM.)
So before digging any further, I'm wondering whether this should generally work with
options "seal,vers=3.1.1", and what to make of the ciphers requirement.
Thanks and regards -- Till
--
Dipl.-Inform. Till Dörges doerges@pre-sense.de
PRESENSE Technologies GmbH Nagelsweg 41, D-20097 HH
Geschäftsführer/Managing Directors AG Hamburg, HRB 107844
Till Dörges, Jürgen Sander USt-IdNr.: DE263765024
* Re: Mounting share on NetApp using SMB 3.1.1 and encryption
From: Aurélien Aptel @ 2021-02-22 10:17 UTC (permalink / raw)
To: Till Dörges, linux-cifs
Till Dörges <doerges@pre-sense.de> writes:
> Apart from the security requirements the server uses DFS and nested name spaces.
The nested namespace might be problematic. DFS is tricky.
> So before digging any further, I'm wondering whether this should generally work with
> options "seal,vers=3.1.1", and what to make of the ciphers requirement.
I think by default the client will only show support for up to 3.0
unless you ask it to.
So apart from the version, encryption and ciphers should be
auto-negotiated during the connection establishment: the client sends
its feature support, the server replies with its requirement. If the
requirements cannot be met the client will fail.
I believe you should only have to put vers=3.1.1. By putting seal you
are asking the client to make encryption a requirement instead of
letting the server decide.
If you are having issues connecting please refer to the wiki on
reporting cifs.ko bugs for instructions on how to debug things further:
https://wiki.samba.org/index.php/Bug_Reporting#cifs.ko
Cheers,
--
Aurélien Aptel / SUSE Labs Samba Team
GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, DE
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 247165 (AG München)
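
Added example (not part of the thread and not cifs.ko code): a parser for the SMB 3.1.1 negotiate context list in which the client advertises its encryption ciphers during the negotiation described above. The context layout and cipher IDs follow MS-SMB2; the function name smb311_ciphers and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* IDs per MS-SMB2; redefined locally in host byte order (assumption). */
#define CTX_ENCRYPTION_CAPS        0x0002
#define SMB2_ENCRYPTION_AES128_CCM 0x0001
#define SMB2_ENCRYPTION_AES128_GCM 0x0002

/* Constructed sample: pre-auth integrity context (padded to 8 bytes),
 * then an encryption context offering AES-128-GCM and AES-128-CCM. */
static const uint8_t sample_ctx[] = {
    0x01,0x00, 0x0a,0x00, 0,0,0,0,              /* type 1, DataLength 10 */
    0x01,0x00, 0x04,0x00, 0x01,0x00, 0xaa,0xbb,0xcc,0xdd, /* SHA-512, 4-byte salt */
    0,0,0,0,0,0,                                /* padding to 8-byte boundary */
    0x02,0x00, 0x06,0x00, 0,0,0,0,              /* type 2, DataLength 6 */
    0x02,0x00, 0x02,0x00, 0x01,0x00             /* CipherCount 2: GCM, CCM */
};
static uint16_t offered[4];

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Copy the cipher IDs from the encryption context into out[]. Returns the
 * count, 0 if no cipher is listed, -1 if the buffer is malformed. */
int smb311_ciphers(const uint8_t *buf, size_t len, uint16_t *out, size_t max)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 8) return -1;               /* truncated header */
        uint16_t type = le16(buf + off);
        size_t dlen = le16(buf + off + 2);
        const uint8_t *data = buf + off + 8;        /* after type, length, reserved */
        if (dlen > len - off - 8) return -1;        /* data runs past the buffer */
        if (type == CTX_ENCRYPTION_CAPS) {
            if (dlen < 2) return -1;
            size_t n = le16(data);
            if (n > max || 2 + 2 * n > dlen) return -1;
            for (size_t i = 0; i < n; i++) out[i] = le16(data + 2 + 2 * i);
            return (int)n;
        }
        off += 8 + ((dlen + 7) & ~(size_t)7);       /* contexts are 8-byte aligned */
    }
    return 0;
}

int main(void)
{
    int n = smb311_ciphers(sample_ctx, sizeof sample_ctx, offered, 4);
    for (int i = 0; i < n; i++) printf("cipher 0x%04x\n", offered[i]);
    return n < 0;
}
```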