[Samba] 3.5.6 : WINBINDD: cli_negprot failed: NT_STATUS_ACCESS_DENIED with Active Directory

Dale Schroeder dale at BriannasSaladDressing.com
Wed Sep 7 12:33:06 MDT 2011


On 09/07/2011 4:45 AM, David Touzeau wrote:
> Dear
>
> I have connected Samba to an Active Directory server.
> getent did not show any users, and winbindd claims:
>
> [2011/09/07 11:33:29.417355,  1]
> libsmb/cliconnect.c:1769(cli_negprot_done)
>    cli_negprot: SMB signing is mandatory and the server doesn't support
> it.
> [2011/09/07 11:33:29.417444,  1]
> winbindd/winbindd_cm.c:856(cm_prepare_connection)
>    cli_negprot failed: NT_STATUS_ACCESS_DENIED
> [2011/09/07 11:33:29.696520,  1]
> libsmb/cliconnect.c:1769(cli_negprot_done)
>    cli_negprot: SMB signing is mandatory and the server doesn't support
> it.
> [2011/09/07 11:33:29.696599,  1]
> winbindd/winbindd_cm.c:856(cm_prepare_connection)
>    cli_negprot failed: NT_STATUS_ACCESS_DENIED
> [2011/09/07 11:33:30.068625,  1]
> libsmb/cliconnect.c:1769(cli_negprot_done)
>    cli_negprot: SMB signing is mandatory and the server doesn't support
> it.
> [2011/09/07 11:33:30.068706,  1]
> winbindd/winbindd_cm.c:856(cm_prepare_connection)
>    cli_negprot failed: NT_STATUS_ACCESS_DENIED
>
> How can I fix this issue?

If I'm reading this error message correctly, you either need to turn on 
server signing on the AD machine, or turn off server signing on the 
Samba machine.
         server signing = Disabled

Dale
>
> here it is the smb.conf
>
> [global]
> 	workgroup = USGPEOPLEFR
> 	netbios name = onesys-samba
> 	server string = %h server
> 	disable netbios =no
> 	strict allocate = No
> 	strict locking = Auto
> 	sync always = No
> 	getwd cache = Yes
> 	max protocol = NT1
> 	name resolve order =host lmhosts wins bcast
> 	dns proxy = No
> 	wins support = Yes
> 	min protocol = NT1
> 	remote announce = 10.7.61.255/USGPEOPLEFR
>
> 	syslog = 3
> 	log level = 1
> 	log file = /var/log/samba/log.%m
> 	debug timestamp = yes
> 	follow symlinks = yes
> 	wide links = yes
> 	unix extensions = no
>
> 	usershare allow guests = no
> 	usershare max shares = 100
> 	usershare owner only = true
> 	usershare path=/var/lib/samba/usershares/data
> 	guest account = nobody
> 	map to guest = Bad Password
> 	template homedir = /home/%U
> 	template shell = /bin/false
> 	enable privileges = yes
> 	os level = 40
> 	ldap passwd sync = no
>
>
> 	security = ADS
> 	realm = USGPEOPLEFR.INT
> 	idmap config USGPEOPLEFR:backend	= rid
> 	idmap config USGPEOPLEFR:read only= yes
> 	idmap config USGPEOPLEFR:range	= 100000 - 199999
> 	idmap config USGPEOPLEFR:base_rid	= 0
> 	idmap gid = 70000 - 99999
> 	idmap uid = 70000 - 99999
> 	encrypt passwords = Yes
> 	client ntlmv2 auth = Yes
> 	client lanman auth = No
> 	winbind normalize names = Yes
> 	winbind separator = /
> 	winbind use default domain = No
> 	winbind enum users = Yes
> 	winbind enum groups = Yes
> 	winbind nested groups = Yes
> 	winbind nss info = rfc2307
> 	winbind offline logon = true
> 	winbind cache time = 5
> 	winbind refresh tickets = true
> 	kerberos method = system keytab
> 	allow trusted domains = Yes
> 	*server signing = mandatory*
> 	client signing = mandatory
> 	lm announce = No
> 	ntlm auth = No
> 	lanman auth = No
> 	preferred master = No
> 	printing = bsd
> 	nt acl support=yes
> 	map acl inherit=yes
> 	acl check permissions=yes
> 	inherit permissions=no
> 	inherit acls=yes
> 	acl map full control=yes
> 	dos filemode=yes
> 	force unknown acl user = no
>
>
> # LDAP settings -----------------------------------
> 	ldap delete dn = no
> 	passdb backend = ldapsam:ldap://127.0.0.1:389
> 	ldap admin dn = cn=admin,dc=usgpeoplefr,dc=int
> 	ldap suffix = dc=usgpeoplefr,dc=int
> 	ldap group suffix = dc=organizations
> 	ldap user suffix =  dc=organizations
> 	ldap machine suffix = ou=Computer,dc=samba,dc=organizations
> 	ldap delete dn = yes
> 	ldap ssl  = off
> 	ldap idmap suffix =
> ou=idmap,dc=samba,dc=organizations,dc=usgpeoplefr,dc=int
>
> 	logon path =""
> 	logon home =""
> 	logon drive = ""
> 	socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT
> SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
> 	case sensitive = No
> 	default case = lower
> 	preserve case = yes
> 	short preserve case = yes
> 	wins support = Yes
> 	time server = yes
> 	msdfs root = no
> 	host msdfs = no
>
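
Added example, not part of the original thread and not Samba project code: a small Python check that pulls both signing parameters out of an smb.conf `[global]` section and finds which source file logged the "SMB signing is mandatory" message (here `libsmb/cliconnect.c`, Samba's client-side connection code). The function names are hypothetical, and the sample inputs are constructed from lines in the thread, with the mail client's line wraps re-joined.

```python
import re

# Constructed sample: the [global] signing lines from the smb.conf posted above.
SAMPLE_CONF = """\
[global]
    security = ADS
    server signing = mandatory
    client signing = mandatory
"""

# Constructed sample: two log entries from the post, mail line-wraps re-joined.
SAMPLE_LOG = """\
[2011/09/07 11:33:29.417355,  1] libsmb/cliconnect.c:1769(cli_negprot_done)
  cli_negprot: SMB signing is mandatory and the server doesn't support it.
[2011/09/07 11:33:29.417444,  1] winbindd/winbindd_cm.c:856(cm_prepare_connection)
  cli_negprot failed: NT_STATUS_ACCESS_DENIED
"""

def signing_params(conf):
    """Return the client/server signing values set in [global], lower-cased."""
    found, section = {}, None
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            key = "".join(name.split()).lower()
            if key in ("clientsigning", "serversigning"):
                found[key] = value.strip().lower()
    return found

# Samba log entry header: [timestamp, level] source_file:line(function)
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*\d+\]\s+(?P<src>\S+?):\d+\((?P<func>\w+)\)")

def signing_failures(log):
    """Return (timestamp, source file) for each 'SMB signing is mandatory' entry."""
    hits, last = [], None
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            last = (m["ts"], m["src"])           # remember the entry this text belongs to
        elif last and "SMB signing is mandatory" in line:
            hits.append(last)
    return hits
```
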

