Accessing a Windows 10 share via Ubuntu/CIFS over OpenVPN
up vote
0
down vote
favorite
Goal: To access Windows 10 file shares, from Linux, over a VPN.
In this context: "server" is a simple Windows 10 machine, and "client" is Ubuntu 18.
I have an OpenVPN tunnel setup, connection seems good, can connect, ping the server, portscan provides correct results, and I can manually establish a telnet connection to port 135.
I am trying to mount a folder on linux, to the windows share, using CIFS, something I have done many times before - but not to this particular windows machine admittedly.
I am effectively using: mount -t cifs //server/share /mnt/share but the result is always:
mount: /mnt/share: mount(2) system call failed: Connection refused.
dmesg/syslog show:
CIFS VFS: Error connecting to socket. Aborting
operation.
CIFS VFS: cifs_mount failed w/return code =
-111
I have tried nearly all the CIFS flags I can think of, including all security options. The actual current command I am using is:sudo mount -v -t cifs -o vers=3.1.1,username=myuser,pass=mypass,servern=WINDESKTOP,sec=ntlmssp //10.8.0.1/share /mnt/share
Windows firewall is turned off, the the share, and folder, have full permissions for the user account I am trying to use, as well as guest, anonymous login.
I installed an FTP server on the server just to triple check connectivity, works find.
Why isn't CIFS connecting? Is there any way on the windows server to see exactly what it is doing to the connection? And/or is there anyway to get greater debugging output from CIFS on Ubuntu?
Edit:
A nmap -Pn <host> portscan shows the following open ports:
PORT STATE SERVICE
135/tcp open msrpc
554/tcp open rtsp
2869/tcp open icslap
10243/tcp open unknown
linux networking windows-10 network-shares smb
asked yesterday
Mtl Dev
1518
add a comment |
up vote
0
down vote
favorite
Goal: To access Windows 10 file shares, from Linux, over a VPN.
In this context: "server" is a simple Windows 10 machine, and "client" is Ubuntu 18.
I have an OpenVPN tunnel setup, connection seems good, can connect, ping the server, portscan provides correct results, and I can manually establish a telnet connection to port 135.
I am trying to mount a folder on linux, to the windows share, using CIFS, something I have done many times before - but not to this particular windows machine admittedly.
I am effectively using: mount -t cifs //server/share /mnt/share but the result is always:
mount: /mnt/share: mount(2) system call failed: Connection refused.
dmesg/syslog show:
CIFS VFS: Error connecting to socket. Aborting
operation.
CIFS VFS: cifs_mount failed w/return code =
-111
I have tried nearly all the CIFS flags I can think of, including all security options. The actual current command I am using is:sudo mount -v -t cifs -o vers=3.1.1,username=myuser,pass=mypass,servern=WINDESKTOP,sec=ntlmssp //10.8.0.1/share /mnt/share
Windows firewall is turned off, the the share, and folder, have full permissions for the user account I am trying to use, as well as guest, anonymous login.
I installed an FTP server on the server just to triple check connectivity, works find.
Why isn't CIFS connecting? Is there any way on the windows server to see exactly what it is doing to the connection? And/or is there anyway to get greater debugging output from CIFS on Ubuntu?
Edit:
A nmap -Pn <host> portscan shows the following open ports:
PORT STATE SERVICE
135/tcp open msrpc
554/tcp open rtsp
2869/tcp open icslap
10243/tcp open unknown
linux networking windows-10 network-shares smb
asked yesterday
Mtl Dev
1518
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
Goal: To access Windows 10 file shares, from Linux, over a VPN.
In this context: "server" is a simple Windows 10 machine, and "client" is Ubuntu 18.
I have an OpenVPN tunnel setup, connection seems good, can connect, ping the server, portscan provides correct results, and I can manually establish a telnet connection to port 135.
I am trying to mount a folder on linux, to the windows share, using CIFS, something I have done many times before - but not to this particular windows machine admittedly.
I am effectively using: mount -t cifs //server/share /mnt/share but the result is always:
mount: /mnt/share: mount(2) system call failed: Connection refused.
dmesg/syslog show:
CIFS VFS: Error connecting to socket. Aborting
operation.
CIFS VFS: cifs_mount failed w/return code =
-111
I have tried nearly all the CIFS flags I can think of, including all security options. The actual current command I am using is:sudo mount -v -t cifs -o vers=3.1.1,username=myuser,pass=mypass,servern=WINDESKTOP,sec=ntlmssp //10.8.0.1/share /mnt/share
Windows firewall is turned off, the the share, and folder, have full permissions for the user account I am trying to use, as well as guest, anonymous login.
I installed an FTP server on the server just to triple check connectivity, works find.
Why isn't CIFS connecting? Is there any way on the windows server to see exactly what it is doing to the connection? And/or is there anyway to get greater debugging output from CIFS on Ubuntu?
Edit:
A nmap -Pn <host> portscan shows the following open ports:
PORT STATE SERVICE
135/tcp open msrpc
554/tcp open rtsp
2869/tcp open icslap
10243/tcp open unknown
linux networking windows-10 network-shares smb
asked yesterday
Mtl Dev
1518
Goal: To access Windows 10 file shares, from Linux, over a VPN.
In this context: "server" is a simple Windows 10 machine, and "client" is Ubuntu 18.
I have an OpenVPN tunnel setup, connection seems good, can connect, ping the server, portscan provides correct results, and I can manually establish a telnet connection to port 135.
I am trying to mount a folder on linux, to the windows share, using CIFS, something I have done many times before - but not to this particular windows machine admittedly.
I am effectively using: mount -t cifs //server/share /mnt/share but the result is always:
mount: /mnt/share: mount(2) system call failed: Connection refused.
dmesg/syslog show:
CIFS VFS: Error connecting to socket. Aborting
operation.
CIFS VFS: cifs_mount failed w/return code =
-111
I have tried nearly all the CIFS flags I can think of, including all security options. The actual current command I am using is:sudo mount -v -t cifs -o vers=3.1.1,username=myuser,pass=mypass,servern=WINDESKTOP,sec=ntlmssp //10.8.0.1/share /mnt/share
Windows firewall is turned off, the the share, and folder, have full permissions for the user account I am trying to use, as well as guest, anonymous login.
I installed an FTP server on the server just to triple check connectivity, works find.
Why isn't CIFS connecting? Is there any way on the windows server to see exactly what it is doing to the connection? And/or is there anyway to get greater debugging output from CIFS on Ubuntu?
Edit:
A nmap -Pn <host> portscan shows the following open ports:
PORT STATE SERVICE
135/tcp open msrpc
554/tcp open rtsp
2869/tcp open icslap
10243/tcp open unknown
linux networking windows-10 network-shares smb
linux networking windows-10 network-shares smb
asked yesterday
Mtl Dev
1518
asked yesterday
Mtl Dev
1518
edited yesterday
asked yesterday
Mtl Dev
1518
asked yesterday
Mtl Dev
1518
asked yesterday
Mtl Dev
1518
1518
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
0
down vote
I can manually establish a telnet connection to port 135.
That's not the correct port (that's the RPC-EPMAP port). SMB runs on TCP port 445.
(You might also see port 139 for compatibility with old pre-Win2000 clients, which only supported SMB-over-NetBIOS. Those clients would also need NetBIOS datagram services on UDP 137–138.)
mount: /mnt/share: mount(2) system call failed: Connection refused
CIFS VFS: Error connecting to socket. Aborting operation.
CIFS VFS: cifs_mount failed w/return code = -111
"Connection refused" implies that the client received a TCP RST in response to its handshake attempt, which generally means either that the server isn't listening on that TCP port or that there's a firewall spoofing a RST in order to block the connection.
That's usually not a matter of protocol versions or security options, which are only negotiated after the TCP connection has been established.
Windows firewall is turned off
Why?
The Windows firewall is configurable: if you want to allow a protocol through it, you can create a rule to allow that protocol. (Or indeed just enable a predefined rule when it comes to allowing SMB or ICMP.)
Is there any way on the windows server to see exactly what it is doing to the connection? And/or is there anyway to get greater debugging output from CIFS on Ubuntu?
Install a packet capture tool such as Wireshark; start a capture on tun0 or the OpenVPN TAP adapter; look at what happens immediately before the TCP RST is generated.
Pay attention to whether both sides see the same packets, e.g. if the client actually receives a TCP RST, does the server show that it has sent one?
answered yesterday
grawity
227k35475535
1) Ah!I understand SMBv1 runs on ports 135..139, know I know SMBv2+ run on port 445....a port scan (see "Edit" in question shows the server is not listening on port 445...at least not on the VPN IP..I guess this is an issue to investigate...)
– Mtl Dev
yesterday
2) Windows Firewall just turned of temporarily during testing, to eliminate it as a possible cause.
– Mtl Dev
yesterday
Both SMBv1 (aka CIFS) and SMBv2+ use the same transport: TCP/445 for modern systems or TCP/139 for old NetBIOS-using systems. The other ports aren't actually SMB: TCP/135 is MS-RPC, and UDP/137-138 are miscellaneous NetBIOS services.
– grawity
yesterday
What nmap shows is exactly the same as what the cifs module is telling you. It cannot remotely obtain any extra information, and it doesn't know whether a port is "listening" – all it sees is whether the port has accepted the connection attempt. So you really have to check on the server itself, and/or on router firewalls along the way.
– grawity
yesterday
1
Ok, thanks! The server is listening (netstat -an) on 445 on it's regular IP, but 445 is not open on it's VPN IP. Manifestation of this: if I enter, on windows server,\serverIPor\127.0.0.1I can see the shares just fine, but if I enter `\serverVPNip` I can not see the shares, times out
– Mtl Dev
yesterday
|
show 5 more comments
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
I can manually establish a telnet connection to port 135.
That's not the correct port (that's the RPC-EPMAP port). SMB runs on TCP port 445.
(You might also see port 139 for compatibility with old pre-Win2000 clients, which only supported SMB-over-NetBIOS. Those clients would also need NetBIOS datagram services on UDP 137–138.)
mount: /mnt/share: mount(2) system call failed: Connection refused
CIFS VFS: Error connecting to socket. Aborting operation.
CIFS VFS: cifs_mount failed w/return code = -111
"Connection refused" implies that the client received a TCP RST in response to its handshake attempt, which generally means either that the server isn't listening on that TCP port or that there's a firewall spoofing a RST in order to block the connection.
That's usually not a matter of protocol versions or security options, which are only negotiated after the TCP connection has been established.
Windows firewall is turned off
Why?
The Windows firewall is configurable: if you want to allow a protocol through it, you can create a rule to allow that protocol. (Or indeed just enable a predefined rule when it comes to allowing SMB or ICMP.)
Is there any way on the windows server to see exactly what it is doing to the connection? And/or is there anyway to get greater debugging output from CIFS on Ubuntu?
Install a packet capture tool such as Wireshark; start a capture on tun0 or the OpenVPN TAP adapter; look at what happens immediately before the TCP RST is generated.
Pay attention to whether both sides see the same packets, e.g. if the client actually receives a TCP RST, does the server show that it has sent one?
answered yesterday
grawity
227k35475535
1) Ah!I understand SMBv1 runs on ports 135..139, know I know SMBv2+ run on port 445....a port scan (see "Edit" in question shows the server is not listening on port 445...at least not on the VPN IP..I guess this is an issue to investigate...)
– Mtl Dev
yesterday
2) Windows Firewall just turned of temporarily during testing, to eliminate it as a possible cause.
– Mtl Dev
yesterday
Both SMBv1 (aka CIFS) and SMBv2+ use the same transport: TCP/445 for modern systems or TCP/139 for old NetBIOS-using systems. The other ports aren't actually SMB: TCP/135 is MS-RPC, and UDP/137-138 are miscellaneous NetBIOS services.
– grawity
yesterday
What nmap shows is exactly the same as what the cifs module is telling you. It cannot remotely obtain any extra information, and it doesn't know whether a port is "listening" – all it sees is whether the port has accepted the connection attempt. So you really have to check on the server itself, and/or on router firewalls along the way.
– grawity
yesterday
1
Ok, thanks! The server is listening (netstat -an) on 445 on it's regular IP, but 445 is not open on it's VPN IP. Manifestation of this: if I enter, on windows server,\serverIPor\127.0.0.1I can see the shares just fine, but if I enter `\serverVPNip` I can not see the shares, times out
– Mtl Dev
yesterday
|
show 5 more comments
up vote
0
down vote
I can manually establish a telnet connection to port 135.
That's not the correct port (that's the RPC-EPMAP port). SMB runs on TCP port 445.
(You might also see port 139 for compatibility with old pre-Win2000 clients, which only supported SMB-over-NetBIOS. Those clients would also need NetBIOS datagram services on UDP 137–138.)
mount: /mnt/share: mount(2) system call failed: Connection refused
CIFS VFS: Error connecting to socket. Aborting operation.
CIFS VFS: cifs_mount failed w/return code = -111
"Connection refused" implies that the client received a TCP RST in response to its handshake attempt, which generally means either that the server isn't listening on that TCP port or that there's a firewall spoofing a RST in order to block the connection.
That's usually not a matter of protocol versions or security options, which are only negotiated after the TCP connection has been established.
Windows firewall is turned off
Why?
The Windows firewall is configurable: if you want to allow a protocol through it, you can create a rule to allow that protocol. (Or indeed just enable a predefined rule when it comes to allowing SMB or ICMP.)
Is there any way on the windows server to see exactly what it is doing to the connection? And/or is there anyway to get greater debugging output from CIFS on Ubuntu?
Install a packet capture tool such as Wireshark; start a capture on tun0 or the OpenVPN TAP adapter; look at what happens immediately before the TCP RST is generated.
Pay attention to whether both sides see the same packets, e.g. if the client actually receives a TCP RST, does the server show that it has sent one?
answered yesterday
grawity
227k35475535
1) Ah!I understand SMBv1 runs on ports 135..139, know I know SMBv2+ run on port 445....a port scan (see "Edit" in question shows the server is not listening on port 445...at least not on the VPN IP..I guess this is an issue to investigate...)
– Mtl Dev
yesterday
2) Windows Firewall just turned of temporarily during testing, to eliminate it as a possible cause.
– Mtl Dev
yesterday
Both SMBv1 (aka CIFS) and SMBv2+ use the same transport: TCP/445 for modern systems or TCP/139 for old NetBIOS-using systems. The other ports aren't actually SMB: TCP/135 is MS-RPC, and UDP/137-138 are miscellaneous NetBIOS services.
– grawity
yesterday
What nmap shows is exactly the same as what the cifs module is telling you. It cannot remotely obtain any extra information, and it doesn't know whether a port is "listening" – all it sees is whether the port has accepted the connection attempt. So you really have to check on the server itself, and/or on router firewalls along the way.
– grawity
yesterday
1
Ok, thanks! The server is listening (netstat -an) on 445 on it's regular IP, but 445 is not open on it's VPN IP. Manifestation of this: if I enter, on windows server,\serverIPor\127.0.0.1I can see the shares just fine, but if I enter `\serverVPNip` I can not see the shares, times out
– Mtl Dev
yesterday
|
show 5 more comments
up vote
0
down vote
up vote
0
down vote
I can manually establish a telnet connection to port 135.
That's not the correct port (that's the RPC-EPMAP port). SMB runs on TCP port 445.
(You might also see port 139 for compatibility with old pre-Win2000 clients, which only supported SMB-over-NetBIOS. Those clients would also need NetBIOS datagram services on UDP 137–138.)
mount: /mnt/share: mount(2) system call failed: Connection refused
CIFS VFS: Error connecting to socket. Aborting operation.
CIFS VFS: cifs_mount failed w/return code = -111
"Connection refused" implies that the client received a TCP RST in response to its handshake attempt, which generally means either that the server isn't listening on that TCP port or that there's a firewall spoofing a RST in order to block the connection.
That's usually not a matter of protocol versions or security options, which are only negotiated after the TCP connection has been established.
Windows firewall is turned off
Why?
The Windows firewall is configurable: if you want to allow a protocol through it, you can create a rule to allow that protocol. (Or indeed just enable a predefined rule when it comes to allowing SMB or ICMP.)
Is there any way on the windows server to see exactly what it is doing to the connection? And/or is there anyway to get greater debugging output from CIFS on Ubuntu?
Install a packet capture tool such as Wireshark; start a capture on tun0 or the OpenVPN TAP adapter; look at what happens immediately before the TCP RST is generated.
Pay attention to whether both sides see the same packets, e.g. if the client actually receives a TCP RST, does the server show that it has sent one?
answered yesterday
grawity
227k35475535
I can manually establish a telnet connection to port 135.
That's not the correct port (that's the RPC-EPMAP port). SMB runs on TCP port 445.
(You might also see port 139 for compatibility with old pre-Win2000 clients, which only supported SMB-over-NetBIOS. Those clients would also need NetBIOS datagram services on UDP 137–138.)
mount: /mnt/share: mount(2) system call failed: Connection refused
CIFS VFS: Error connecting to socket. Aborting operation.
CIFS VFS: cifs_mount failed w/return code = -111
"Connection refused" implies that the client received a TCP RST in response to its handshake attempt, which generally means either that the server isn't listening on that TCP port or that there's a firewall spoofing a RST in order to block the connection.
That's usually not a matter of protocol versions or security options, which are only negotiated after the TCP connection has been established.
Windows firewall is turned off
Why?
The Windows firewall is configurable: if you want to allow a protocol through it, you can create a rule to allow that protocol. (Or indeed just enable a predefined rule when it comes to allowing SMB or ICMP.)
Is there any way on the windows server to see exactly what it is doing to the connection? And/or is there anyway to get greater debugging output from CIFS on Ubuntu?
Install a packet capture tool such as Wireshark; start a capture on tun0 or the OpenVPN TAP adapter; look at what happens immediately before the TCP RST is generated.
Pay attention to whether both sides see the same packets, e.g. if the client actually receives a TCP RST, does the server show that it has sent one?
answered yesterday
grawity
227k35475535
edited yesterday
answered yesterday
grawity
227k35475535
answered yesterday
grawity
227k35475535
answered yesterday
grawity
227k35475535
227k35475535
1) Ah!I understand SMBv1 runs on ports 135..139, know I know SMBv2+ run on port 445....a port scan (see "Edit" in question shows the server is not listening on port 445...at least not on the VPN IP..I guess this is an issue to investigate...)
– Mtl Dev
yesterday
2) Windows Firewall just turned of temporarily during testing, to eliminate it as a possible cause.
– Mtl Dev
yesterday
Both SMBv1 (aka CIFS) and SMBv2+ use the same transport: TCP/445 for modern systems or TCP/139 for old NetBIOS-using systems. The other ports aren't actually SMB: TCP/135 is MS-RPC, and UDP/137-138 are miscellaneous NetBIOS services.
– grawity
yesterday
What nmap shows is exactly the same as what the cifs module is telling you. It cannot remotely obtain any extra information, and it doesn't know whether a port is "listening" – all it sees is whether the port has accepted the connection attempt. So you really have to check on the server itself, and/or on router firewalls along the way.
– grawity
yesterday
1
Ok, thanks! The server is listening (netstat -an) on 445 on it's regular IP, but 445 is not open on it's VPN IP. Manifestation of this: if I enter, on windows server,\serverIPor\127.0.0.1I can see the shares just fine, but if I enter `\serverVPNip` I can not see the shares, times out
– Mtl Dev
yesterday
|
show 5 more comments
1) Ah!I understand SMBv1 runs on ports 135..139, know I know SMBv2+ run on port 445....a port scan (see "Edit" in question shows the server is not listening on port 445...at least not on the VPN IP..I guess this is an issue to investigate...)
– Mtl Dev
yesterday
2) Windows Firewall just turned of temporarily during testing, to eliminate it as a possible cause.
– Mtl Dev
yesterday
Both SMBv1 (aka CIFS) and SMBv2+ use the same transport: TCP/445 for modern systems or TCP/139 for old NetBIOS-using systems. The other ports aren't actually SMB: TCP/135 is MS-RPC, and UDP/137-138 are miscellaneous NetBIOS services.
– grawity
yesterday
What nmap shows is exactly the same as what the cifs module is telling you. It cannot remotely obtain any extra information, and it doesn't know whether a port is "listening" – all it sees is whether the port has accepted the connection attempt. So you really have to check on the server itself, and/or on router firewalls along the way.
– grawity
yesterday
1
Ok, thanks! The server is listening (netstat -an) on 445 on it's regular IP, but 445 is not open on it's VPN IP. Manifestation of this: if I enter, on windows server,\serverIPor\127.0.0.1I can see the shares just fine, but if I enter `\serverVPNip` I can not see the shares, times out
– Mtl Dev
yesterday
1) Ah!I understand SMBv1 runs on ports 135..139, know I know SMBv2+ run on port 445....a port scan (see "Edit" in question shows the server is not listening on port 445...at least not on the VPN IP..I guess this is an issue to investigate...)
– Mtl Dev
yesterday
1) Ah!I understand SMBv1 runs on ports 135..139, know I know SMBv2+ run on port 445....a port scan (see "Edit" in question shows the server is not listening on port 445...at least not on the VPN IP..I guess this is an issue to investigate...)
– Mtl Dev
yesterday
2) Windows Firewall just turned of temporarily during testing, to eliminate it as a possible cause.
– Mtl Dev
yesterday
2) Windows Firewall just turned of temporarily during testing, to eliminate it as a possible cause.
– Mtl Dev
yesterday
Both SMBv1 (aka CIFS) and SMBv2+ use the same transport: TCP/445 for modern systems or TCP/139 for old NetBIOS-using systems. The other ports aren't actually SMB: TCP/135 is MS-RPC, and UDP/137-138 are miscellaneous NetBIOS services.
– grawity
yesterday
Both SMBv1 (aka CIFS) and SMBv2+ use the same transport: TCP/445 for modern systems or TCP/139 for old NetBIOS-using systems. The other ports aren't actually SMB: TCP/135 is MS-RPC, and UDP/137-138 are miscellaneous NetBIOS services.
– grawity
yesterday
What nmap shows is exactly the same as what the cifs module is telling you. It cannot remotely obtain any extra information, and it doesn't know whether a port is "listening" – all it sees is whether the port has accepted the connection attempt. So you really have to check on the server itself, and/or on router firewalls along the way.
– grawity
yesterday
What nmap shows is exactly the same as what the cifs module is telling you. It cannot remotely obtain any extra information, and it doesn't know whether a port is "listening" – all it sees is whether the port has accepted the connection attempt. So you really have to check on the server itself, and/or on router firewalls along the way.
– grawity
yesterday
1
1
Ok, thanks! The server is listening (
netstat -an) on 445 on it's regular IP, but 445 is not open on it's VPN IP. Manifestation of this: if I enter, on windows server, \serverIP or \127.0.0.1 I can see the shares just fine, but if I enter `\serverVPNip` I can not see the shares, times out– Mtl Dev
yesterday
Ok, thanks! The server is listening (
netstat -an) on 445 on it's regular IP, but 445 is not open on it's VPN IP. Manifestation of this: if I enter, on windows server, \serverIP or \127.0.0.1 I can see the shares just fine, but if I enter `\serverVPNip` I can not see the shares, times out– Mtl Dev
yesterday
|
show 5 more comments
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375545%2faccessing-a-windows-10-share-via-ubuntu-cifs-over-openvpn%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
