[Samba] smbpasswd stops working post-upgrade

J Martin Rushton martinsworkmachine at gmail.com
Fri Jun 3 08:16:18 UTC 2016 

Mathias

Thanks for your reply.  I'm afraid I mixed up my machines, they are 5.11 
ones (we also have 6.7 and 7.2 machines, hence my mutterings about 6.8). 
  The Samba version is the one distributed with CentOS and both are 
about a month and a half old.

We don't use LDAP (at the moment), so is the "client ldap sasl wrapping 
= sign" relevant?  Furthermore, the problem is demonstrable on a single 
machine, so the client and server sides of smbclient or smbpassword 
ought to be identical.

I'd love to move the whole Samba side onto a 6.7 machine, but we are 
having reliability problems with other software.

Martin

On 02/06/16 13:13, mathias dufresne wrote:
> "cli_negprot: SMB signing is mandatory and the server doesn't support it"
>
> Should mean that your Samba is too old for your clients.
>
> See badlocks bug to better view of your issue.
>
> See man smb.conf looking for "sign" into it.
> I believe - but I'm not sure - that the option you are looking for are:
>          client ldap sasl wrapping = sign
>          client use spnego = yes
> to be set on server side.
>
> And you could face to the need to get a newer Samba version as the bug
> is recent, as its solution, and neither your samba nor your redhat are
> recent.
>
> Sometimes upgrades are required ;)
>
> 2016-06-01 15:29 GMT+02:00 J Martin Rushton
> <martinsworkmachine at gmail.com <mailto:martinsworkmachine at gmail.com>>:
>
>     Background
>
>     I have a network of machines behind an air-gap, therefore upgrades
>     are a tedious business normally performed four times per year.  The
>     systems run various versions of CentOS and I use the Samba that is
>     distributed with CentOS.  Last weekend I updated the 5.7 machines
>     with updates to 18 April 2016, not the current 5.8.  Those of my
>     users who run Windows boxes (Windows 7 Enterprise) map Samba shares
>     on my machines to a drive letter on their PCs. In order to do this
>     they need to keep their Samba passwords updated. Samba passwords are
>     held in /etc/samba/passdb.tdb.
>
>     Problem
>
>     Users are reporting that password setting fails. This seems to be a
>     fairly solid issue (see below).  Attempting to use "smbpasswd" or
>     "smbclient -L YYYY" fails with an error "cli_negprot: SMB signing is
>     mandatory and the server doesn't support it" which I've not seen
>     before.  smbpasswd the incoreectly states that the password has been
>     changed, which it hasn't.
>
>     In the transcript below I show the basic command (as seen by the
>     users), smbclient used to find the error, versions and finally a -D3
>     which confirms the error.  All work was done on the local machine.
>     XXXX is my username YYYY is the machine's simple name. IP addresses
>     have been stripped of meaningful information but were consistent. No
>     other network problems are apparent.
>
>     I'm sure there is a simple tweak required to the smb.conf file
>     (which has not been changed), can anyone tell be what to tweak?
>
>     Regards,
>     Martin
>
>     Transcript
>
>     $ smbpasswd
>     Old SMB password:
>     New SMB password:
>     Retype new SMB password:
>     machine 127.0.0.1 rejected the negotiate protocol. Error was :
>     NT_STATUS_ACCESS_DENIED.
>     Password changed for user XXXX
>
>     $ smbclient -L YYYY
>     Enter XXXX's password:
>     cli_negprot: SMB signing is mandatory and the server doesn't support it.
>     protocol negotiation failed: NT_STATUS_ACCESS_DENIED
>
>     $ smbclient -V
>     Version 3.6.23-12.el5_11
>     $ uname -a
>     Linux YYYY 2.6.18-409.el5 #1 SMP Tue Mar 15 18:13:50 EDT 2016 x86_64
>     x86_64 x86_64 GNU/Linux
>
>     $ smbpasswd -D3
>     added interface ib0 ip=:::::%ib0 bcast=::ffff:ffff:ffff:ffff%ib0
>     netmask=ffff:ffff:ffff:ffff::
>     added interface eth2 ip=:::::%eth2 bcast=::ffff:ffff:ffff:ffff%eth2
>     netmask=ffff:ffff:ffff:ffff::
>     added interface eth1 ip=:::::fe%eth1
>     bcast=::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
>     added interface ib0 ip=... bcast=...255 netmask=255.255.255.0
>     added interface eth1 ip=... bcast=...255 netmask=255.255.255.0
>     added interface eth2 ip=... bcast=...255 netmask=255.255.255.0
>     Old SMB password:
>     New SMB password:
>     Retype new SMB password:
>     Connecting to 127.0.0.1 at port 445
>     cli_negprot: SMB signing is mandatory and the server doesn't support it.
>     machine 127.0.0.1 rejected the negotiate protocol. Error was :
>     NT_STATUS_ACCESS_DENIED.
>     Password changed for user XXXX
>
>     --
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>
>

More information about the samba mailing list