Edit history
Revision by bigbit (current version):
Issue
We have a CIFS mount which currently appears to be working as expected, but we see the following error constantly:
kernel: CIFS VFS: SMB signature verification returned error = -13
kernel: CIFS VFS: SMB signature verification returned error = -13
kernel: CIFS VFS: SMB signature verification returned error = -13
Workaround
If a security flavor which does not require SMB signing is being used, then disable SMB signing at the server with the RequireSecuritySignature and EnableSecuritySignature REG_DWORDs as described in KB887429. Unmount and remount the CIFS client after this change, so that the connection is re-negotiated.
The krb5i, ntlmsspi, ntlmi, and ntlmv2i security flavors all require SMB signing to be enabled, so this workaround is not applicable if those flavors are in use.
Root Cause
This message relates to SMB signing, described by Microsoft at:
Overview of Server Message Block signing
The server is supposed to send a signature when we mount, then also send a secondary signature in each SMB operation, where the secondary signature is derived from the server signature plus the contents of the SMB operation. This way a client is able to verify that an SMB operation arrived unmodified from the server.
For some reason, that signature verification is failing.
Original version by bigbit:
Issue
We have a CIFS mount which currently appears to be working as expected, but we see the following error constantly:
kernel: CIFS VFS: SMB signature verification returned error = -13
kernel: CIFS VFS: SMB signature verification returned error = -13
kernel: CIFS VFS: SMB signature verification returned error = -13
Workaround
If a security flavor which does not require SMB signing is being used, then disable SMB signing at the server with the RequireSecuritySignature and EnableSecuritySignature REG_DWORDs as described in KB887429. Unmount and remount the CIFS client after this change, so that the connection is re-negotiated.
The krb5i, ntlmsspi, ntlmi, and ntlmv2i security flavors all require SMB signing to be enabled, so this workaround is not applicable if those flavors are in use. Root Cause
This message relates to SMB signing, described by Microsoft at:
Overview of Server Message Block signing
The server is supposed to send a signature when we mount, then also send a secondary signature in each SMB operation, where the secondary signature is derived from the server signature plus the contents of the SMB operation. This way a client is able to verify that an SMB operation arrived unmodified from the server.
For some reason, that signature verification is failing.
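An added example, not part of the original post: a shell check that reads mount entries in /proc/mounts format, reports each CIFS mount's sec= flavor, and says whether the workaround above can apply or whether the flavor is one of the four that require signing. The function names, the verdict labels and the sample data are assumptions constructed for this example.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (hypothetical hosts and paths).
SAMPLE_MOUNTS='//fs1/share /mnt/a cifs rw,relatime,sec=ntlmssp,vers=1.0 0 0
//fs2/data /mnt/b cifs rw,relatime,vers=1.0,sec=krb5i 0 0
/dev/sda1 / ext4 rw,relatime 0 0
//fs3/pub /mnt/c cifs rw,relatime,vers=1.0 0 0'

# Constructed kernel log sample using the message quoted in the post.
SAMPLE_LOG='kernel: CIFS VFS: SMB signature verification returned error = -13
kernel: CIFS VFS: SMB signature verification returned error = -13
kernel: EXT4-fs (sda1): re-mounted
kernel: CIFS VFS: SMB signature verification returned error = -13'

# Print the value of sec= from a comma-separated option string, or "unset".
sec_flavor() {
    flavor=unset
    case ",$1" in
        *,sec=*) tmp=",$1"; tmp=${tmp##*,sec=}; flavor=${tmp%%,*} ;;
    esac
    printf '%s\n' "$flavor"
}

# Succeed for the flavors the post lists as requiring SMB signing.
requires_signing() {
    case $1 in
        krb5i|ntlmsspi|ntlmi|ntlmv2i) return 0 ;;
        *) return 1 ;;
    esac
}

# Read mount entries on stdin; print "<mountpoint> <flavor> <verdict>" per CIFS mount.
audit_mounts() {
    while read -r _dev mnt fstype opts _rest; do
        [ "$fstype" = cifs ] || continue
        flavor=$(sec_flavor "$opts")
        if requires_signing "$flavor"; then verdict=signing-required
        elif [ "$flavor" = unset ]; then verdict=unknown-flavor
        else verdict=workaround-applicable
        fi
        printf '%s %s %s\n' "$mnt" "$flavor" "$verdict"
    done
}

# Count signature-verification failures (error -13) in log text on stdin.
count_sig_errors() {
    grep -cF 'SMB signature verification returned error = -13' || true
}

printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts   # live system: audit_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_LOG" | count_sig_errors
```
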