Cannot mount Omnia filesystem on a Linux box

Pulling my hair out here.

I configured a simple network share to test this. Here is the config (though I did it with LuCI):

# cat /etc/samba/smb.conf
[global]
	netbios name = Cerberus 
	display charset = UTF-8
	interfaces = 127.0.0.1/8 lo 192.168.0.1/24 br-lan 
	server string = Guardian of the gateway
	unix charset = UTF-8
	workgroup = WORKGROUP
	browseable = yes
	deadtime = 30
	domain master = yes
	encrypt passwords = true
	enable core files = no
	guest account = nobody
	guest ok = yes
	invalid users = root
	local master = yes
	load printers = no
	map to guest = Bad User
	max protocol = SMB2
	min receivefile size = 16384
	null passwords = yes
	obey pam restrictions = yes
	os level = 20
	passdb backend = smbpasswd
	preferred master = yes
	printable = no
	security = user
	smb encrypt = disabled
	smb passwd file = /etc/samba/smbpasswd
	socket options = TCP_NODELAY IPTOS_LOWDELAY
	syslog = 2
	use sendfile = yes
	writeable = yes
	

[homes]
	comment     = Home Directories
	browsable   = no
	read only   = no
	create mode = 0750

[root]
	path = /
	valid users = root
	read only = no
	guest ok = no
	create mask = 0664
	directory mask = 0775

Yes, it’s not the best plan to expose a share of the root file system but I’m not looking for a security lesson I’m trying to achieve a result and will pare it down to what I think works best for me once the proof of concept is in place. Alas I can’t get that far.

From my desktop system (Linux MINT) I see this:

$ smbclient -L Cerberus
WARNING: The "syslog" option is deprecated
Enter bernd's password: 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.25]

	Sharename       Type      Comment
	---------       ----      -------
	root            Disk      
	IPC$            IPC       IPC Service (Guardian of the gateway) Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.25]

	Server               Comment
	---------            -------
	CERBERUS             Guardian of the gateway

	Workgroup            Master
	---------            -------
	WORKGROUP            CERBERUS

Looks fine to me. But then:

$ ls -ld /media/Cerberus/
drwxr-xr-x 2 root root 4096 May  6 18:16 /media/Cerberus/
$ cat $HOME/bin/cerberus.auth 
username = root
password = ******
domain   = WORKGROUP
$ sudo mount -vt cifs //Cerberus/root -ocredentials=$HOME/bin/cerberus.auth /media/Cerberus
domain= WORKGROUP
mount.cifs kernel mount options: ip=192.168.0.1,unc=\\Cerberus\root,user= root,,domain= WORKGROUP,pass=********
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Permission denied? Yes the password in $HOME/bin/cerberus.auth is certifiably the same one I use to log in to LuCI and that I use to ssh to the router.

To add to my frustration:

$ dmesg
...
[429407.822678] CIFS VFS: cifs_mount failed w/return code = -13

Very helpful message, not!

Also:

$ tail /var/log/syslog
...
May  6 19:28:19 bigfoot kernel: [429735.004639] CIFS VFS: cifs_mount failed w/return code = -13

Repetitions of same.

On the router itself neither dmesg nor /var/log/messages contains any response to the attempted mount.

Given the Omnia can also work as a NAS, I should have hoped this was a triviality. What is not working here?

Appreciate any tips as to what I’m getting wrong here.

May first you do a global deny, then allow.
Maybe you comment it out in global and test again…

Brilliant! I was excited that you spotted that and embarrassed that I didn’t. Alas I tried removing the global config line but restarting samba saw it reappear. There’s an smb.conf.template file beside sb.conf in /etc/samba so I removed it there and sure enough now when I restart samba the config file is:

# cat /etc/samba/smb.conf
[global]
	netbios name = Cerberus 
	display charset = UTF-8
	interfaces = 127.0.0.1/8 lo 192.168.0.1/24 br-lan 
	server string = Guardian of the gateway
	unix charset = UTF-8
	workgroup = WORKGROUP
	browseable = yes
	deadtime = 30
	domain master = yes
	encrypt passwords = true
	enable core files = no
	guest account = nobody
	guest ok = yes
	local master = yes
	load printers = no
	map to guest = Bad User
	max protocol = SMB2
	min receivefile size = 16384
	null passwords = yes
	obey pam restrictions = yes
	os level = 20
	passdb backend = smbpasswd
	preferred master = yes
	printable = no
	security = user
	smb encrypt = disabled
	smb passwd file = /etc/samba/smbpasswd
	socket options = TCP_NODELAY IPTOS_LOWDELAY
	syslog = 2
	use sendfile = yes
	writeable = yes
	

[homes]
	comment     = Home Directories
	browsable   = no
	read only   = no
	create mode = 0750

[root]
	path = /
	valid users = root
	read only = no
	guest ok = no
	create mask = 0664
	directory mask = 0775

and alas I have exactly the same symptoms. That is I can see the share with smbclient -L, but not mount it (Permission denied).

So sad. I wish this were easier. Have written to Turris support as well in hope they can clarify. Half the problem is that I can’t see a deeper diagnostic, that identifies the source of the error, a log on the server for example that says the user is not valid or the password is not valid or what ever else it is concerned about in slightly finer grained detail than “Permission denied”.

I found this too:

But alas if I add:

valid users = someusers, somegroup
force user = root
force group = root
admin users = someusers, somegroup   
writeable = Yes

as per that suggestion and alas if restart samba these lines disappear! Though that section is not in the template file. Hmmmm. Some learning to do.

Did you do a smbpasswd -a root?

Yep. Ironically, tried that as well, just now, having found a hint elsewhere:

# cat /etc/samba/smbpasswd 
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:B7CF1AA940B437B7B966CE8CFB3A5A98:[U          ]:LCT-00000001:

Also found /etc/config/samba which seems to be used to regenerate /etc/samba/smb.conf when samba is restarted.

# cat /etc/config/samba 
config samba
	option workgroup 'WORKGROUP'
	option homes '1'
	option name 'Cerberus'
	option description 'Guardian of the gateway'

config sambashare
	option path '/'
	option users 'root'
	option read_only 'no'
	option guest_ok 'no'
	option name 'root'
	option create_mask '0664'
	option dir_mask '0775'

which has a different syntax again and I’ll have to work out what role it plays and how to use it I guess?

Well, we’ve found a workaround, thanks to Turris support staff. Still don’t understand why it doesn’t work, but here’s what was learned.

First, in the in the auth file if using one DO NOT put spaces around the =. This works:

$ cat $HOME/bin/cerberus.auth 
username=root
password=******
domain=WORKGROUP

Finally with that auth file, this mounts the share fine:

sudo mount -vt cifs //Cerberus/root -ocredentials=$HOME/bin/cerberus.auth /media/Cerberus

But another weird issue emerges. The share mounts fine and we can see all the folders on the Omnia in it. But contrary to the listed permissions we cannot see what is inside them, always permission denied.

Turris support found a workaround which works though we can’t claim to understanding why. Rather than sharing the / folder, I do this:

mkdir /root/admin_share
mount -o bind / /root/admin_share/

then share /root/admin_share and voila, now it mounts and I can see what’s in all the folders and edit config files with my desktop GUI editors and use a desktop file manager to navigate. Awesome!

Would be great to understand why sharing / exhibits such weird behaviour and sharing the self same thing with bind mount to elsewhere works fine. More to the point why Samba is so lame as to fail with no clear diagnostic path visible, clear message sin the server’s log files for example or such that explain what its issue is. Slap on the wrist to Samba here if I may be so presumptuous. Time consuming PITA to configure for such a simple wish it seems and no doubt, some gem of guru knowledge would explain what the issue is ;-).

In the end I dumped Samba altogether and used sshfs. Works like a dream. Much better. Fault free. No permissions issues.

A command like this:

sshfs -o IdentityFile=/home/me/.ssh/id_rsa root@myomnia.lan:/ /home/me/Mounts/Omnia

does the job for me.