[Samba] 3.5.6 : WINBINDD: cli_negprot failed: NT_STATUS_ACCESS_DENIED with Active Directory

David Touzeau david at touzeau.eu
Wed Sep 7 15:24:08 MDT 2011


On Wednesday, 07 September 2011 at 13:33 -0500, Dale Schroeder wrote:
> On 09/07/2011 4:45 AM, David Touzeau wrote: 
> > Dear
> > 
> > I have connected Samba to an Active Directory server.
> > getent did not show any users, and winbindd claims:
> > 
> > [2011/09/07 11:33:29.417355,  1] libsmb/cliconnect.c:1769(cli_negprot_done)
> >   cli_negprot: SMB signing is mandatory and the server doesn't support it.
> > [2011/09/07 11:33:29.417444,  1] winbindd/winbindd_cm.c:856(cm_prepare_connection)
> >   cli_negprot failed: NT_STATUS_ACCESS_DENIED
> > [2011/09/07 11:33:29.696520,  1] libsmb/cliconnect.c:1769(cli_negprot_done)
> >   cli_negprot: SMB signing is mandatory and the server doesn't support it.
> > [2011/09/07 11:33:29.696599,  1] winbindd/winbindd_cm.c:856(cm_prepare_connection)
> >   cli_negprot failed: NT_STATUS_ACCESS_DENIED
> > [2011/09/07 11:33:30.068625,  1] libsmb/cliconnect.c:1769(cli_negprot_done)
> >   cli_negprot: SMB signing is mandatory and the server doesn't support it.
> > [2011/09/07 11:33:30.068706,  1] winbindd/winbindd_cm.c:856(cm_prepare_connection)
> >   cli_negprot failed: NT_STATUS_ACCESS_DENIED
> > 
> > How can I fix this issue?
> 
> If I'm reading this error message correctly, you either need to turn
> on server signing on the AD machine, or turn off server signing on the
> Samba machine.
>         server signing = Disabled
> 
> Dale
> > 
> > Here is the smb.conf:
> > 
> > [global]
> > 	workgroup = USGPEOPLEFR
> > 	netbios name = onesys-samba
> > 	server string = %h server
> > 	disable netbios =no
> > 	strict allocate = No
> > 	strict locking = Auto
> > 	sync always = No
> > 	getwd cache = Yes
> > 	max protocol = NT1
> > 	name resolve order =host lmhosts wins bcast
> > 	dns proxy = No
> > 	wins support = Yes
> > 	min protocol = NT1
> > 	remote announce = 10.7.61.255/USGPEOPLEFR
> > 
> > 	syslog = 3
> > 	log level = 1
> > 	log file = /var/log/samba/log.%m
> > 	debug timestamp = yes
> > 	follow symlinks = yes
> > 	wide links = yes
> > 	unix extensions = no
> > 
> > 	usershare allow guests = no
> > 	usershare max shares = 100
> > 	usershare owner only = true
> > 	usershare path=/var/lib/samba/usershares/data
> > 	guest account = nobody
> > 	map to guest = Bad Password
> > 	template homedir = /home/%U
> > 	template shell = /bin/false
> > 	enable privileges = yes
> > 	os level = 40
> > 	ldap passwd sync = no
> > 
> > 
> > 	security = ADS
> > 	realm = USGPEOPLEFR.INT
> > 	idmap config USGPEOPLEFR:backend	= rid
> > 	idmap config USGPEOPLEFR:read only= yes
> > 	idmap config USGPEOPLEFR:range	= 100000 - 199999
> > 	idmap config USGPEOPLEFR:base_rid	= 0
> > 	idmap gid = 70000 - 99999
> > 	idmap uid = 70000 - 99999
> > 	encrypt passwords = Yes
> > 	client ntlmv2 auth = Yes
> > 	client lanman auth = No
> > 	winbind normalize names = Yes
> > 	winbind separator = /
> > 	winbind use default domain = No
> > 	winbind enum users = Yes
> > 	winbind enum groups = Yes
> > 	winbind nested groups = Yes
> > 	winbind nss info = rfc2307
> > 	winbind offline logon = true
> > 	winbind cache time = 5
> > 	winbind refresh tickets = true
> > 	kerberos method = system keytab
> > 	allow trusted domains = Yes
> > 	server signing = mandatory
> > 	client signing = mandatory
> > 	lm announce = No
> > 	ntlm auth = No
> > 	lanman auth = No
> > 	preferred master = No
> > 	printing = bsd
> > 	nt acl support=yes
> > 	map acl inherit=yes
> > 	acl check permissions=yes
> > 	inherit permissions=no
> > 	inherit acls=yes
> > 	acl map full control=yes
> > 	dos filemode=yes
> > 	force unknown acl user = no
> > 
> > 
> > # LDAP settings -----------------------------------
> > 	ldap delete dn = no
> > 	passdb backend = ldapsam:ldap://127.0.0.1:389
> > 	ldap admin dn = cn=admin,dc=usgpeoplefr,dc=int
> > 	ldap suffix = dc=usgpeoplefr,dc=int
> > 	ldap group suffix = dc=organizations
> > 	ldap user suffix =  dc=organizations
> > 	ldap machine suffix = ou=Computer,dc=samba,dc=organizations
> > 	ldap delete dn = yes
> > 	ldap ssl  = off
> > 	ldap idmap suffix = ou=idmap,dc=samba,dc=organizations,dc=usgpeoplefr,dc=int
> > 
> > 	logon path =""
> > 	logon home =""
> > 	logon drive = ""
> > 	socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
> > 	case sensitive = No
> > 	default case = lower
> > 	preserve case = yes
> > 	short preserve case = yes
> > 	wins support = Yes
> > 	time server = yes
> > 	msdfs root = no
> > 	host msdfs = no
> > 
Thanks,

I set it to "server signing = auto" and it's working like a charm!
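
A small triage script for the failure discussed in this thread, added here as an example (it is not from the posters or from the Samba project): it pairs each "SMB signing is mandatory" refusal in a winbindd log with the NT_STATUS_ACCESS_DENIED entry that follows it, and lists which signing parameters in smb.conf are set to mandatory. The function names and the embedded sample input are constructed for illustration.

```python
import re

# Constructed sample: one failure pair in the line-wrapped form quoted in this thread.
SAMPLE_LOG = """\
[2011/09/07 11:33:29.417355,  1]
libsmb/cliconnect.c:1769(cli_negprot_done)
  cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:29.417444,  1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
  cli_negprot failed: NT_STATUS_ACCESS_DENIED
"""
SAMPLE_CONF = "[global]\n\tserver signing = mandatory\n\tclient signing = mandatory\n"

ENTRY = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:.]+),\s*\d+\]\s*", re.M)
PARAM = re.compile(r"^\s*(server|client)\s*signing\s*=\s*(\S+)", re.I | re.M)

def parse_log(text):
    """Split a Samba log into (timestamp, source, message), undoing line wraps."""
    parts = ENTRY.split(text)[1:]            # ts1, body1, ts2, body2, ...
    records = []
    for ts, body in zip(parts[0::2], parts[1::2]):
        flat = " ".join(body.split())        # rejoin wrapped header and message
        src, _, msg = flat.partition(" ")    # first token is file:line(function)
        records.append((ts, src, msg))
    return records

def signing_failures(records):
    """Timestamps where a signing refusal is directly followed by ACCESS_DENIED."""
    return [ts for (ts, _, msg), (_, _, nxt) in zip(records, records[1:])
            if "SMB signing is mandatory" in msg and "NT_STATUS_ACCESS_DENIED" in nxt]

def signing_params(conf):
    """Signing values set in smb.conf text; commented-out lines are skipped."""
    return {f"{side.lower()} signing": val.lower() for side, val in PARAM.findall(conf)}

def diagnose(log_text, conf_text):
    """Correlate the logged failures with the signing values in smb.conf."""
    params = signing_params(conf_text)
    return {"failures": signing_failures(parse_log(log_text)),
            "mandatory": sorted(k for k, v in params.items() if v == "mandatory")}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_CONF))
```

In the smb.conf documentation, `auto` means signing is offered but not enforced, while `mandatory` requires it, so the `mandatory` list shows where enforcement is configured.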


