[Samba] 3.5.6 : WINBINDD: cli_negprot failed: NT_STATUS_ACCESS_DENIED with Active Directory
David Touzeau
david at touzeau.eu
Wed Sep 7 15:24:08 MDT 2011
On Wednesday 07 September 2011 at 13:33 -0500, Dale Schroeder wrote:
> On 09/07/2011 4:45 AM, David Touzeau wrote:
> > Dear
> >
> > Have connected SAMBA to an Active Directory server
> > The getent did not show any user and winbindd claims:
> >
> > [2011/09/07 11:33:29.417355, 1]
> > libsmb/cliconnect.c:1769(cli_negprot_done)
> > cli_negprot: SMB signing is mandatory and the server doesn't support
> > it.
> > [2011/09/07 11:33:29.417444, 1]
> > winbindd/winbindd_cm.c:856(cm_prepare_connection)
> > cli_negprot failed: NT_STATUS_ACCESS_DENIED
> > [2011/09/07 11:33:29.696520, 1]
> > libsmb/cliconnect.c:1769(cli_negprot_done)
> > cli_negprot: SMB signing is mandatory and the server doesn't support
> > it.
> > [2011/09/07 11:33:29.696599, 1]
> > winbindd/winbindd_cm.c:856(cm_prepare_connection)
> > cli_negprot failed: NT_STATUS_ACCESS_DENIED
> > [2011/09/07 11:33:30.068625, 1]
> > libsmb/cliconnect.c:1769(cli_negprot_done)
> > cli_negprot: SMB signing is mandatory and the server doesn't support
> > it.
> > [2011/09/07 11:33:30.068706, 1]
> > winbindd/winbindd_cm.c:856(cm_prepare_connection)
> > cli_negprot failed: NT_STATUS_ACCESS_DENIED
> >
> > How can I fix this issue?
>
> If I'm reading this error message correctly, you either need to turn
> on server signing on the AD machine, or turn off server signing on the
> Samba machine.
> server signing = Disabled
>
> Dale
> >
> > Here is the smb.conf
> >
> > [global]
> > workgroup = USGPEOPLEFR
> > netbios name = onesys-samba
> > server string = %h server
> > disable netbios =no
> > strict allocate = No
> > strict locking = Auto
> > sync always = No
> > getwd cache = Yes
> > max protocol = NT1
> > name resolve order =host lmhosts wins bcast
> > dns proxy = No
> > wins support = Yes
> > min protocol = NT1
> > remote announce = 10.7.61.255/USGPEOPLEFR
> >
> > syslog = 3
> > log level = 1
> > log file = /var/log/samba/log.%m
> > debug timestamp = yes
> > follow symlinks = yes
> > wide links = yes
> > unix extensions = no
> >
> > usershare allow guests = no
> > usershare max shares = 100
> > usershare owner only = true
> > usershare path=/var/lib/samba/usershares/data
> > guest account = nobody
> > map to guest = Bad Password
> > template homedir = /home/%U
> > template shell = /bin/false
> > enable privileges = yes
> > os level = 40
> > ldap passwd sync = no
> >
> >
> > security = ADS
> > realm = USGPEOPLEFR.INT
> > idmap config USGPEOPLEFR:backend = rid
> > idmap config USGPEOPLEFR:read only= yes
> > idmap config USGPEOPLEFR:range = 100000 - 199999
> > idmap config USGPEOPLEFR:base_rid = 0
> > idmap gid = 70000 - 99999
> > idmap uid = 70000 - 99999
> > encrypt passwords = Yes
> > client ntlmv2 auth = Yes
> > client lanman auth = No
> > winbind normalize names = Yes
> > winbind separator = /
> > winbind use default domain = No
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind nested groups = Yes
> > winbind nss info = rfc2307
> > winbind offline logon = true
> > winbind cache time = 5
> > winbind refresh tickets = true
> > kerberos method = system keytab
> > allow trusted domains = Yes
> > server signing = mandatory
> > client signing = mandatory
> > lm announce = No
> > ntlm auth = No
> > lanman auth = No
> > preferred master = No
> > printing = bsd
> > nt acl support=yes
> > map acl inherit=yes
> > acl check permissions=yes
> > inherit permissions=no
> > inherit acls=yes
> > acl map full control=yes
> > dos filemode=yes
> > force unknown acl user = no
> >
> >
> > # LDAP settings -----------------------------------
> > ldap delete dn = no
> > passdb backend = ldapsam:ldap://127.0.0.1:389
> > ldap admin dn = cn=admin,dc=usgpeoplefr,dc=int
> > ldap suffix = dc=usgpeoplefr,dc=int
> > ldap group suffix = dc=organizations
> > ldap user suffix = dc=organizations
> > ldap machine suffix = ou=Computer,dc=samba,dc=organizations
> > ldap delete dn = yes
> > ldap ssl = off
> > ldap idmap suffix = ou=idmap,dc=samba,dc=organizations,dc=usgpeoplefr,dc=int
> >
> > logon path =""
> > logon home =""
> > logon drive = ""
> > socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
> > case sensitive = No
> > default case = lower
> > preserve case = yes
> > short preserve case = yes
> > wins support = Yes
> > time server = yes
> > msdfs root = no
> > host msdfs = no
> >
Thanks
I set it to "server signing = auto" and it's working like a charm!!
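
Added example, not part of the thread and not Samba project code: it pairs each signing refusal with the cli_negprot failure that follows it in a winbindd log, and reports which of `server signing` / `client signing` in `[global]` are set to a required value, so the log symptom can be checked against the configuration. The sample log and config are constructed in the layout quoted above; the function names, the NT_STATUS_IO_TIMEOUT record and the rule that a later duplicate parameter overrides an earlier one are assumptions of the example.

```python
import re
# Constructed samples in the layout of the log and smb.conf quoted in the thread.
SAMPLE_LOG = """\
[2011/09/07 11:33:29.417355, 1]
libsmb/cliconnect.c:1769(cli_negprot_done)
cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:29.417444, 1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
cli_negprot failed: NT_STATUS_ACCESS_DENIED
[2011/09/07 11:34:02.000100, 1] winbindd/winbindd_cm.c:856(cm_prepare_connection)
cli_negprot failed: NT_STATUS_IO_TIMEOUT
"""
SAMPLE_CONF = "[global]\nserver signing = mandatory\nClient Signing=mandatory\n[share]\npath = /x\n"
STAMP = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]\s*(.*)$")
REQUIRED = {"mandatory", "required", "force", "forced", "enforced"}  # smb.conf synonyms
NAMES = {"serversigning": "server signing", "clientsigning": "client signing"}

def records(log_text):
    """Group wrapped log lines into [timestamp, message] records."""
    out = []
    for line in map(str.strip, log_text.splitlines()):
        m = STAMP.match(line)
        if m:
            out.append([m.group(1), m.group(2)])
        elif out and line:
            out[-1][1] = (out[-1][1] + " " + line).strip()
    return out

def signing_failures(log_text):
    """Timestamps of signing refusals directly followed by the ACCESS_DENIED failure."""
    recs = records(log_text)
    return [a[0] for a, b in zip(recs, recs[1:]) if "SMB signing is mandatory" in a[1]
            and "cli_negprot failed: NT_STATUS_ACCESS_DENIED" in b[1]]

def global_signing(conf_text):
    """[global] signing parameters; names compared ignoring case and whitespace."""
    section, found = None, {}
    for line in map(str.strip, conf_text.splitlines()):
        section = line.strip("[]").strip().lower() if line.startswith("[") else section
        key, sep, value = line.partition("=")
        name = NAMES.get("".join(key.lower().split()))  # comment lines never match
        if sep and name and section == "global":
            found[name] = value.strip().lower()  # assumption: later duplicate overrides
    return found

def triage(log_text, conf_text):
    required = sorted(k for k, v in global_signing(conf_text).items() if v in REQUIRED)
    return {"signing_failures": signing_failures(log_text), "required_in_conf": required}
```

Calling `triage()` on the real log file contents and smb.conf text returns the matched timestamps and the parameters still set to a required value.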