[Samba] 3.5.6 : WINBINDD: cli_negprot failed: NT_STATUS_ACCESS_DENIED with Active Directory

David Touzeau david at touzeau.eu
Wed Sep 7 03:45:17 MDT 2011 

Dear

Have connected SAMBA to an Active Directory server
The getent did not show any user and winbindd claim :

[2011/09/07 11:33:29.417355,  1]
libsmb/cliconnect.c:1769(cli_negprot_done)
  cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:29.417444,  1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
  cli_negprot failed: NT_STATUS_ACCESS_DENIED
[2011/09/07 11:33:29.696520,  1]
libsmb/cliconnect.c:1769(cli_negprot_done)
  cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:29.696599,  1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
  cli_negprot failed: NT_STATUS_ACCESS_DENIED
[2011/09/07 11:33:30.068625,  1]
libsmb/cliconnect.c:1769(cli_negprot_done)
  cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:30.068706,  1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
  cli_negprot failed: NT_STATUS_ACCESS_DENIED

How can i fix this issue ?

here it is the smb.conf

[global]
	workgroup = USGPEOPLEFR
	netbios name = onesys-samba
	server string = %h server
	disable netbios =no
	strict allocate = No
	strict locking = Auto
	sync always = No
	getwd cache = Yes
	max protocol = NT1
	name resolve order =host lmhosts wins bcast
	dns proxy = No
	wins support = Yes
	min protocol = NT1
	remote announce = 10.7.61.255/USGPEOPLEFR

	syslog = 3
	log level = 1
	log file = /var/log/samba/log.%m
	debug timestamp = yes
	follow symlinks = yes
	wide links = yes
	unix extensions = no

	usershare allow guests = no
	usershare max shares = 100
	usershare owner only = true
	usershare path=/var/lib/samba/usershares/data
	guest account = nobody
	map to guest = Bad Password
	template homedir = /home/%U
	template shell = /bin/false
	enable privileges = yes
	os level = 40
	ldap passwd sync = no


	security = ADS
	realm = USGPEOPLEFR.INT
	idmap config USGPEOPLEFR:backend	= rid
	idmap config USGPEOPLEFR:read only= yes
	idmap config USGPEOPLEFR:range	= 100000 - 199999
	idmap config USGPEOPLEFR:base_rid	= 0
	idmap gid = 70000 - 99999
	idmap uid = 70000 - 99999
	encrypt passwords = Yes
	client ntlmv2 auth = Yes
	client lanman auth = No
	winbind normalize names = Yes
	winbind separator = /
	winbind use default domain = No
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind nested groups = Yes
	winbind nss info = rfc2307
	winbind offline logon = true
	winbind cache time = 5
	winbind refresh tickets = true
	kerberos method = system keytab
	allow trusted domains = Yes
	server signing = mandatory
	client signing = mandatory
	lm announce = No
	ntlm auth = No
	lanman auth = No
	preferred master = No
	printing = bsd
	nt acl support=yes
	map acl inherit=yes
	acl check permissions=yes
	inherit permissions=no
	inherit acls=yes
	acl map full control=yes
	dos filemode=yes
	force unknown acl user = no


# LDAP settings -----------------------------------
	ldap delete dn = no
	passdb backend = ldapsam:ldap://127.0.0.1:389
	ldap admin dn = cn=admin,dc=usgpeoplefr,dc=int
	ldap suffix = dc=usgpeoplefr,dc=int
	ldap group suffix = dc=organizations
	ldap user suffix =  dc=organizations
	ldap machine suffix = ou=Computer,dc=samba,dc=organizations
	ldap delete dn = yes
	ldap ssl  = off
	ldap idmap suffix =
ou=idmap,dc=samba,dc=organizations,dc=usgpeoplefr,dc=int

	logon path =""
	logon home =""
	logon drive = ""
	socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT
SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
	case sensitive = No
	default case = lower
	preserve case = yes
	short preserve case = yes
	wins support = Yes
	time server = yes
	msdfs root = no
	host msdfs = no

More information about the samba mailing list