Discussion:
[Samba] 3.5.6 : WINBINDD: cli_negprot failed: NT_STATUS_ACCESS_DENIED with Active Directory
David Touzeau
2011-09-07 09:45:17 UTC
Permalink
Dear

Have connected SAMBA to an Active Directory server
The getent did not show any user and winbindd claim :

[2011/09/07 11:33:29.417355, 1]
libsmb/cliconnect.c:1769(cli_negprot_done)
cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:29.417444, 1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
cli_negprot failed: NT_STATUS_ACCESS_DENIED
[2011/09/07 11:33:29.696520, 1]
libsmb/cliconnect.c:1769(cli_negprot_done)
cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:29.696599, 1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
cli_negprot failed: NT_STATUS_ACCESS_DENIED
[2011/09/07 11:33:30.068625, 1]
libsmb/cliconnect.c:1769(cli_negprot_done)
cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:30.068706, 1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
cli_negprot failed: NT_STATUS_ACCESS_DENIED

How can i fix this issue ?

here it is the smb.conf

[global]
workgroup = USGPEOPLEFR
netbios name = onesys-samba
server string = %h server
disable netbios =no
strict allocate = No
strict locking = Auto
sync always = No
getwd cache = Yes
max protocol = NT1
name resolve order =host lmhosts wins bcast
dns proxy = No
wins support = Yes
min protocol = NT1
remote announce = 10.7.61.255/USGPEOPLEFR

syslog = 3
log level = 1
log file = /var/log/samba/log.%m
debug timestamp = yes
follow symlinks = yes
wide links = yes
unix extensions = no

usershare allow guests = no
usershare max shares = 100
usershare owner only = true
usershare path=/var/lib/samba/usershares/data
guest account = nobody
map to guest = Bad Password
template homedir = /home/%U
template shell = /bin/false
enable privileges = yes
os level = 40
ldap passwd sync = no


security = ADS
realm = USGPEOPLEFR.INT
idmap config USGPEOPLEFR:backend = rid
idmap config USGPEOPLEFR:read only= yes
idmap config USGPEOPLEFR:range = 100000 - 199999
idmap config USGPEOPLEFR:base_rid = 0
idmap gid = 70000 - 99999
idmap uid = 70000 - 99999
encrypt passwords = Yes
client ntlmv2 auth = Yes
client lanman auth = No
winbind normalize names = Yes
winbind separator = /
winbind use default domain = No
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind nss info = rfc2307
winbind offline logon = true
winbind cache time = 5
winbind refresh tickets = true
kerberos method = system keytab
allow trusted domains = Yes
server signing = mandatory
client signing = mandatory
lm announce = No
ntlm auth = No
lanman auth = No
preferred master = No
printing = bsd
nt acl support=yes
map acl inherit=yes
acl check permissions=yes
inherit permissions=no
inherit acls=yes
acl map full control=yes
dos filemode=yes
force unknown acl user = no


# LDAP settings -----------------------------------
ldap delete dn = no
passdb backend = ldapsam:ldap://127.0.0.1:389
ldap admin dn = cn=admin,dc=usgpeoplefr,dc=int
ldap suffix = dc=usgpeoplefr,dc=int
ldap group suffix = dc=organizations
ldap user suffix = dc=organizations
ldap machine suffix = ou=Computer,dc=samba,dc=organizations
ldap delete dn = yes
ldap ssl = off
ldap idmap suffix =
ou=idmap,dc=samba,dc=organizations,dc=usgpeoplefr,dc=int

logon path =""
logon home =""
logon drive = ""
socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT
SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
case sensitive = No
default case = lower
preserve case = yes
short preserve case = yes
wins support = Yes
time server = yes
msdfs root = no
host msdfs = no
Dale Schroeder
2011-09-07 18:33:06 UTC
Permalink
Post by David Touzeau
Dear
Have connected SAMBA to an Active Directory server
[2011/09/07 11:33:29.417355, 1]
libsmb/cliconnect.c:1769(cli_negprot_done)
cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:29.417444, 1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
cli_negprot failed: NT_STATUS_ACCESS_DENIED
[2011/09/07 11:33:29.696520, 1]
libsmb/cliconnect.c:1769(cli_negprot_done)
cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:29.696599, 1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
cli_negprot failed: NT_STATUS_ACCESS_DENIED
[2011/09/07 11:33:30.068625, 1]
libsmb/cliconnect.c:1769(cli_negprot_done)
cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:30.068706, 1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
cli_negprot failed: NT_STATUS_ACCESS_DENIED
How can i fix this issue ?
If I'm reading this error message correctly, you either need to turn on
server signing on the AD machine, or turn off server signing on the
Samba machine.
server signing = Disabled

Dale
Post by David Touzeau
here it is the smb.conf
[global]
workgroup = USGPEOPLEFR
netbios name = onesys-samba
server string = %h server
disable netbios =no
strict allocate = No
strict locking = Auto
sync always = No
getwd cache = Yes
max protocol = NT1
name resolve order =host lmhosts wins bcast
dns proxy = No
wins support = Yes
min protocol = NT1
remote announce = 10.7.61.255/USGPEOPLEFR
syslog = 3
log level = 1
log file = /var/log/samba/log.%m
debug timestamp = yes
follow symlinks = yes
wide links = yes
unix extensions = no
usershare allow guests = no
usershare max shares = 100
usershare owner only = true
usershare path=/var/lib/samba/usershares/data
guest account = nobody
map to guest = Bad Password
template homedir = /home/%U
template shell = /bin/false
enable privileges = yes
os level = 40
ldap passwd sync = no
security = ADS
realm = USGPEOPLEFR.INT
idmap config USGPEOPLEFR:backend = rid
idmap config USGPEOPLEFR:read only= yes
idmap config USGPEOPLEFR:range = 100000 - 199999
idmap config USGPEOPLEFR:base_rid = 0
idmap gid = 70000 - 99999
idmap uid = 70000 - 99999
encrypt passwords = Yes
client ntlmv2 auth = Yes
client lanman auth = No
winbind normalize names = Yes
winbind separator = /
winbind use default domain = No
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind nss info = rfc2307
winbind offline logon = true
winbind cache time = 5
winbind refresh tickets = true
kerberos method = system keytab
allow trusted domains = Yes
*server signing = mandatory*
client signing = mandatory
lm announce = No
ntlm auth = No
lanman auth = No
preferred master = No
printing = bsd
nt acl support=yes
map acl inherit=yes
acl check permissions=yes
inherit permissions=no
inherit acls=yes
acl map full control=yes
dos filemode=yes
force unknown acl user = no
# LDAP settings -----------------------------------
ldap delete dn = no
passdb backend = ldapsam:ldap://127.0.0.1:389
ldap admin dn = cn=admin,dc=usgpeoplefr,dc=int
ldap suffix = dc=usgpeoplefr,dc=int
ldap group suffix = dc=organizations
ldap user suffix = dc=organizations
ldap machine suffix = ou=Computer,dc=samba,dc=organizations
ldap delete dn = yes
ldap ssl = off
ldap idmap suffix =
ou=idmap,dc=samba,dc=organizations,dc=usgpeoplefr,dc=int
logon path =""
logon home =""
logon drive = ""
socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT
SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
case sensitive = No
default case = lower
preserve case = yes
short preserve case = yes
wins support = Yes
time server = yes
msdfs root = no
host msdfs = no
David Touzeau
2011-09-07 21:24:08 UTC
Permalink
Post by Dale Schroeder
Post by David Touzeau
Dear
Have connected SAMBA to an Active Directory server
[2011/09/07 11:33:29.417355, 1]
libsmb/cliconnect.c:1769(cli_negprot_done)
cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:29.417444, 1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
cli_negprot failed: NT_STATUS_ACCESS_DENIED
[2011/09/07 11:33:29.696520, 1]
libsmb/cliconnect.c:1769(cli_negprot_done)
cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:29.696599, 1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
cli_negprot failed: NT_STATUS_ACCESS_DENIED
[2011/09/07 11:33:30.068625, 1]
libsmb/cliconnect.c:1769(cli_negprot_done)
cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:30.068706, 1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
cli_negprot failed: NT_STATUS_ACCESS_DENIED
How can i fix this issue ?
If I'm reading this error message correctly, you either need to turn
on server signing on the AD machine, or turn off server signing on the
Samba machine.
server signing = Disabled
Dale
Post by David Touzeau
here it is the smb.conf
[global]
workgroup = USGPEOPLEFR
netbios name = onesys-samba
server string = %h server
disable netbios =no
strict allocate = No
strict locking = Auto
sync always = No
getwd cache = Yes
max protocol = NT1
name resolve order =host lmhosts wins bcast
dns proxy = No
wins support = Yes
min protocol = NT1
remote announce = 10.7.61.255/USGPEOPLEFR
syslog = 3
log level = 1
log file = /var/log/samba/log.%m
debug timestamp = yes
follow symlinks = yes
wide links = yes
unix extensions = no
usershare allow guests = no
usershare max shares = 100
usershare owner only = true
usershare path=/var/lib/samba/usershares/data
guest account = nobody
map to guest = Bad Password
template homedir = /home/%U
template shell = /bin/false
enable privileges = yes
os level = 40
ldap passwd sync = no
security = ADS
realm = USGPEOPLEFR.INT
idmap config USGPEOPLEFR:backend = rid
idmap config USGPEOPLEFR:read only= yes
idmap config USGPEOPLEFR:range = 100000 - 199999
idmap config USGPEOPLEFR:base_rid = 0
idmap gid = 70000 - 99999
idmap uid = 70000 - 99999
encrypt passwords = Yes
client ntlmv2 auth = Yes
client lanman auth = No
winbind normalize names = Yes
winbind separator = /
winbind use default domain = No
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
winbind nss info = rfc2307
winbind offline logon = true
winbind cache time = 5
winbind refresh tickets = true
kerberos method = system keytab
allow trusted domains = Yes
server signing = mandatory
client signing = mandatory
lm announce = No
ntlm auth = No
lanman auth = No
preferred master = No
printing = bsd
nt acl support=yes
map acl inherit=yes
acl check permissions=yes
inherit permissions=no
inherit acls=yes
acl map full control=yes
dos filemode=yes
force unknown acl user = no
# LDAP settings -----------------------------------
ldap delete dn = no
passdb backend = ldapsam:ldap://127.0.0.1:389
ldap admin dn = cn=admin,dc=usgpeoplefr,dc=int
ldap suffix = dc=usgpeoplefr,dc=int
ldap group suffix = dc=organizations
ldap user suffix = dc=organizations
ldap machine suffix = ou=Computer,dc=samba,dc=organizations
ldap delete dn = yes
ldap ssl = off
ldap idmap suffix =
ou=idmap,dc=samba,dc=organizations,dc=usgpeoplefr,dc=int
logon path =""
logon home =""
logon drive = ""
socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT
SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
case sensitive = No
default case = lower
preserve case = yes
short preserve case = yes
wins support = Yes
time server = yes
msdfs root = no
host msdfs = no
Thanks

I set it to "server signing = auto" and it's working like charm !!
Loading...