[Samba] smbpasswd stops working post-upgrade

mathias dufresne infractory at gmail.com
Thu Jun 2 12:13:35 UTC 2016 

"cli_negprot: SMB signing is mandatory and the server doesn't support it"

Should mean that your Samba is too old for your clients.

See badlocks bug to better view of your issue.

See man smb.conf looking for "sign" into it.
I believe - but I'm not sure - that the option you are looking for are:
        client ldap sasl wrapping = sign
        client use spnego = yes
to be set on server side.

And you could face to the need to get a newer Samba version as the bug is
recent, as its solution, and neither your samba nor your redhat are recent.

Sometimes upgrades are required ;)

2016-06-01 15:29 GMT+02:00 J Martin Rushton <martinsworkmachine at gmail.com>:

> Background
>
> I have a network of machines behind an air-gap, therefore upgrades are a
> tedious business normally performed four times per year.  The systems run
> various versions of CentOS and I use the Samba that is distributed with
> CentOS.  Last weekend I updated the 5.7 machines with updates to 18 April
> 2016, not the current 5.8.  Those of my users who run Windows boxes
> (Windows 7 Enterprise) map Samba shares on my machines to a drive letter on
> their PCs. In order to do this they need to keep their Samba passwords
> updated. Samba passwords are held in /etc/samba/passdb.tdb.
>
> Problem
>
> Users are reporting that password setting fails. This seems to be a fairly
> solid issue (see below).  Attempting to use "smbpasswd" or "smbclient -L
> YYYY" fails with an error "cli_negprot: SMB signing is mandatory and the
> server doesn't support it" which I've not seen before.  smbpasswd the
> incoreectly states that the password has been changed, which it hasn't.
>
> In the transcript below I show the basic command (as seen by the users),
> smbclient used to find the error, versions and finally a -D3 which confirms
> the error.  All work was done on the local machine. XXXX is my username
> YYYY is the machine's simple name. IP addresses have been stripped of
> meaningful information but were consistent. No other network problems are
> apparent.
>
> I'm sure there is a simple tweak required to the smb.conf file (which has
> not been changed), can anyone tell be what to tweak?
>
> Regards,
> Martin
>
> Transcript
>
> $ smbpasswd
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> machine 127.0.0.1 rejected the negotiate protocol. Error was :
> NT_STATUS_ACCESS_DENIED.
> Password changed for user XXXX
>
> $ smbclient -L YYYY
> Enter XXXX's password:
> cli_negprot: SMB signing is mandatory and the server doesn't support it.
> protocol negotiation failed: NT_STATUS_ACCESS_DENIED
>
> $ smbclient -V
> Version 3.6.23-12.el5_11
> $ uname -a
> Linux YYYY 2.6.18-409.el5 #1 SMP Tue Mar 15 18:13:50 EDT 2016 x86_64
> x86_64 x86_64 GNU/Linux
>
> $ smbpasswd -D3
> added interface ib0 ip=:::::%ib0 bcast=::ffff:ffff:ffff:ffff%ib0
> netmask=ffff:ffff:ffff:ffff::
> added interface eth2 ip=:::::%eth2 bcast=::ffff:ffff:ffff:ffff%eth2
> netmask=ffff:ffff:ffff:ffff::
> added interface eth1 ip=:::::fe%eth1 bcast=::ffff:ffff:ffff:ffff%eth1
> netmask=ffff:ffff:ffff:ffff::
> added interface ib0 ip=... bcast=...255 netmask=255.255.255.0
> added interface eth1 ip=... bcast=...255 netmask=255.255.255.0
> added interface eth2 ip=... bcast=...255 netmask=255.255.255.0
> Old SMB password:
> New SMB password:
> Retype new SMB password:
> Connecting to 127.0.0.1 at port 445
> cli_negprot: SMB signing is mandatory and the server doesn't support it.
> machine 127.0.0.1 rejected the negotiate protocol. Error was :
> NT_STATUS_ACCESS_DENIED.
> Password changed for user XXXX
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list