From: Victor Snezhko
To: freebsd-fs@freebsd.org
Date: Mon, 09 Jan 2006 21:06:57 +0600
Subject: mount_smbfs, windows 2003 domain shares and NETSMBCRYPTO

Hello,

Recently I wanted to mount a Windows share on my FreeBSD (-current) box. The Windows share resides on a machine that is part of a domain; the domain controller is a Windows 2003 machine. I used

    # mount_smbfs -W MYDOMAIN //domain_user@SERVER/share mountpoint

and got "Authentication error" (password was right).

Surprisingly, when I tried to google a bit for a reason, I didn't find any decent solution.
Most pages suggest turning off digital signing on the domain controller, and others contain whining about the fact that modifying the DC's settings is not allowed for security reasons.

Only here: http://www.opennet.ru/tips/info/585.shtml I saw a recommendation (in Russian) to recompile the kernel with these kernel options:

    options NETSMB          #SMB/CIFS requester
    options NETSMBCRYPTO    #encrypted password support for SMB
    options LIBMCHAIN       #mbuf management library
    options LIBICONV
    options SMBFS

I was dumb enough to ignore it (and it's outdated anyway, as at least LIBMCHAIN and LIBICONV can be loaded (and are loaded) as modules when needed). I went to dig into the sources and found that option NETSMBCRYPTO is a solution. On my -current box it is the only option that needs to be added to make things work.

Hope this message will be more helpful than bullshit about turning off signing on the DC (it works, but it's just not right).

Couple of questions:

1) Would it be right to include this hint in the mount_smbfs manpage? I could prepare a patch and send it to the doc@ mailing list.

2) Is there a reason for this option not being in GENERIC? Its absence makes mount_smbfs in conjunction with the default kernel more and more useless (as time passes and more domain controllers jump to Windows 2003).

-- 
WBR, Victor V. Snezhko
E-mail: snezhko@indorsoft.ru
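
An added example, not part of the original message or of FreeBSD: a small shell check of which of the options listed above a kernel configuration file actually compiles in. The sample config is constructed, `include` lines are not followed, and a "no" for LIBMCHAIN or LIBICONV only means "not compiled in", since the message notes they can be loaded as modules.

```shell
#!/bin/sh
# Option names are the ones listed in the message above.
SMB_OPTS="NETSMB NETSMBCRYPTO LIBMCHAIN LIBICONV SMBFS"

# kernel_has_option FILE NAME -> exit 0 if "options NAME" is active in FILE.
# Text after '#' is ignored (so a commented-out option does not count) and a
# later "nooptions NAME" cancels an earlier "options NAME".
kernel_has_option() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                          # strip comments
        $1 == "options" || $1 == "nooptions" {
            line = $0
            sub(/^[ \t]*(no)?options[ \t]+/, "", line)
            gsub(/[ \t]/, "", line)
            n = split(line, parts, ",")             # tolerate "A, B" lists
            for (i = 1; i <= n; i++) {
                name = parts[i]
                sub(/=.*/, "", name)                # drop "=value" if present
                if (name == want) on = ($1 == "options")
            }
        }
        END { exit(on ? 0 : 1) }
    ' "$1"
}

# smb_option_report FILE -> one "NAME yes|no" line per option.
smb_option_report() {
    for opt in $SMB_OPTS; do
        if kernel_has_option "$1" "$opt"; then
            echo "$opt yes"
        else
            echo "$opt no"
        fi
    done
}

# Constructed sample config: NETSMBCRYPTO is present but commented out.
sample_config() {
    cat <<'EOF'
include GENERIC
ident   SMBTEST
options NETSMB            # SMB/CIFS requester
#options NETSMBCRYPTO     # encrypted password support for SMB
options SMBFS
EOF
}

cfg=$(mktemp)
sample_config > "$cfg"
smb_option_report "$cfg"
rm -f "$cfg"
```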