Unable To Mount Samba Share when FIPS is enabled
The Problem
Unable to mount Samba share. Attempting to create a mount for a samba share fails. However is accessible with smbclient. /var/log/messages have below errors:
Apr 3 22:29:53 localhost kernel: CIFS VFS: could not allocate crypto hmacmd5
Apr 3 22:29:53 localhost kernel: CIFS VFS: could not crypto alloc hmacmd5 rc -2
Apr 3 22:29:53 localhost kernel: CIFS VFS: Error -2 during NTLMSSP authentication
Apr 3 22:29:53 localhost kernel: CIFS VFS: Send error in SessSetup = -2
Apr 3 22:29:53 localhost kernel: CIFS VFS: cifs_mount failed w/return code = -2
The Solution
FIPS mode is enabled in the server. When FIPS mode is enabled, use of md4 and md5 will be disabled which in-turn disables ntlm, ntlmv2 or other authentication. When cifs mount uses these methods while mounting, it won’t work.
There are few known issues with Samba when fips is enabled as it disables some authentication modules which prevents users from mounting CIFS share.
$ cat sosreport-localhost/.../proc/cmdline
BOOT_IMAGE=/vmlinuz-4.1.12-124.18.6.el7uek.x86_64 root=/dev/mapper/vg_main-lv_root ro console=tty0 crashkernel=auto rd.lvm.lv=vg_main/lv_root rd.lvm.lv=vg_main/lv_swap LANG=en_US.UTF-8 printk.time=1 xen-blkfront.max_ring_page_order=4 xen-blkfront.max_indirect_segments=8 console=hvc0 console=ttyS0 numa=off xen-blkfront.max_queues=2 xen-netfront.max_queues=2 audit=1 boot=UUID=6da08585-e914-4989-a899-xxxxxxxxxxxxxx fips=1 <<<<<<<
Disable fips by removing the parameter from GRUB command line to successfully mount CIFS share.