samba - Sep 2011 - 3.5.6 : WINBINDD: cli_negprot failed: NT_STATUS_ACCESS_DENIED with Active Directory

Dear

Have connected SAMBA to an Active Directory server
The getent did not show any user and winbindd claim :

[2011/09/07 11:33:29.417355,  1]
libsmb/cliconnect.c:1769(cli_negprot_done)
  cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:29.417444,  1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
  cli_negprot failed: NT_STATUS_ACCESS_DENIED
[2011/09/07 11:33:29.696520,  1]
libsmb/cliconnect.c:1769(cli_negprot_done)
  cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:29.696599,  1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
  cli_negprot failed: NT_STATUS_ACCESS_DENIED
[2011/09/07 11:33:30.068625,  1]
libsmb/cliconnect.c:1769(cli_negprot_done)
  cli_negprot: SMB signing is mandatory and the server doesn't support
it.
[2011/09/07 11:33:30.068706,  1]
winbindd/winbindd_cm.c:856(cm_prepare_connection)
  cli_negprot failed: NT_STATUS_ACCESS_DENIED

How can i fix this issue ?

here it is the smb.conf

[global]
	workgroup = USGPEOPLEFR
	netbios name = onesys-samba
	server string = %h server
	disable netbios =no
	strict allocate = No
	strict locking = Auto
	sync always = No
	getwd cache = Yes
	max protocol = NT1
	name resolve order =host lmhosts wins bcast
	dns proxy = No
	wins support = Yes
	min protocol = NT1
	remote announce = 10.7.61.255/USGPEOPLEFR

	syslog = 3
	log level = 1
	log file = /var/log/samba/log.%m
	debug timestamp = yes
	follow symlinks = yes
	wide links = yes
	unix extensions = no

	usershare allow guests = no
	usershare max shares = 100
	usershare owner only = true
	usershare path=/var/lib/samba/usershares/data
	guest account = nobody
	map to guest = Bad Password
	template homedir = /home/%U
	template shell = /bin/false
	enable privileges = yes
	os level = 40
	ldap passwd sync = no


	security = ADS
	realm = USGPEOPLEFR.INT
	idmap config USGPEOPLEFR:backend	= rid
	idmap config USGPEOPLEFR:read only= yes
	idmap config USGPEOPLEFR:range	= 100000 - 199999
	idmap config USGPEOPLEFR:base_rid	= 0
	idmap gid = 70000 - 99999
	idmap uid = 70000 - 99999
	encrypt passwords = Yes
	client ntlmv2 auth = Yes
	client lanman auth = No
	winbind normalize names = Yes
	winbind separator = /
	winbind use default domain = No
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind nested groups = Yes
	winbind nss info = rfc2307
	winbind offline logon = true
	winbind cache time = 5
	winbind refresh tickets = true
	kerberos method = system keytab
	allow trusted domains = Yes
	server signing = mandatory
	client signing = mandatory
	lm announce = No
	ntlm auth = No
	lanman auth = No
	preferred master = No
	printing = bsd
	nt acl support=yes
	map acl inherit=yes
	acl check permissions=yes
	inherit permissions=no
	inherit acls=yes
	acl map full control=yes
	dos filemode=yes
	force unknown acl user = no


# LDAP settings -----------------------------------
	ldap delete dn = no
	passdb backend = ldapsam:ldap://127.0.0.1:389
	ldap admin dn = cn=admin,dc=usgpeoplefr,dc=int
	ldap suffix = dc=usgpeoplefr,dc=int
	ldap group suffix = dc=organizations
	ldap user suffix =  dc=organizations
	ldap machine suffix = ou=Computer,dc=samba,dc=organizations
	ldap delete dn = yes
	ldap ssl  = off
	ldap idmap suffix ou=idmap,dc=samba,dc=organizations,dc=usgpeoplefr,dc=int

	logon path =""
	logon home =""
	logon drive = ""
	socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT
SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
	case sensitive = No
	default case = lower
	preserve case = yes
	short preserve case = yes
	wins support = Yes
	time server = yes
	msdfs root = no
	host msdfs = no

On 09/07/2011 4:45 AM, David Touzeau wrote:
> Dear
>
> Have connected SAMBA to an Active Directory server
> The getent did not show any user and winbindd claim :
>
> [2011/09/07 11:33:29.417355,  1]
> libsmb/cliconnect.c:1769(cli_negprot_done)
>    cli_negprot: SMB signing is mandatory and the server doesn't support
> it.
> [2011/09/07 11:33:29.417444,  1]
> winbindd/winbindd_cm.c:856(cm_prepare_connection)
>    cli_negprot failed: NT_STATUS_ACCESS_DENIED
> [2011/09/07 11:33:29.696520,  1]
> libsmb/cliconnect.c:1769(cli_negprot_done)
>    cli_negprot: SMB signing is mandatory and the server doesn't support
> it.
> [2011/09/07 11:33:29.696599,  1]
> winbindd/winbindd_cm.c:856(cm_prepare_connection)
>    cli_negprot failed: NT_STATUS_ACCESS_DENIED
> [2011/09/07 11:33:30.068625,  1]
> libsmb/cliconnect.c:1769(cli_negprot_done)
>    cli_negprot: SMB signing is mandatory and the server doesn't support
> it.
> [2011/09/07 11:33:30.068706,  1]
> winbindd/winbindd_cm.c:856(cm_prepare_connection)
>    cli_negprot failed: NT_STATUS_ACCESS_DENIED
>
> How can i fix this issue ?
If I'm reading this error message correctly, you either need to turn on 
server signing on the AD machine, or turn off server signing on the 
Samba machine.
         server signing = Disabled

Dale
>
> here it is the smb.conf
>
> [global]
> 	workgroup = USGPEOPLEFR
> 	netbios name = onesys-samba
> 	server string = %h server
> 	disable netbios =no
> 	strict allocate = No
> 	strict locking = Auto
> 	sync always = No
> 	getwd cache = Yes
> 	max protocol = NT1
> 	name resolve order =host lmhosts wins bcast
> 	dns proxy = No
> 	wins support = Yes
> 	min protocol = NT1
> 	remote announce = 10.7.61.255/USGPEOPLEFR
>
> 	syslog = 3
> 	log level = 1
> 	log file = /var/log/samba/log.%m
> 	debug timestamp = yes
> 	follow symlinks = yes
> 	wide links = yes
> 	unix extensions = no
>
> 	usershare allow guests = no
> 	usershare max shares = 100
> 	usershare owner only = true
> 	usershare path=/var/lib/samba/usershares/data
> 	guest account = nobody
> 	map to guest = Bad Password
> 	template homedir = /home/%U
> 	template shell = /bin/false
> 	enable privileges = yes
> 	os level = 40
> 	ldap passwd sync = no
>
>
> 	security = ADS
> 	realm = USGPEOPLEFR.INT
> 	idmap config USGPEOPLEFR:backend	= rid
> 	idmap config USGPEOPLEFR:read only= yes
> 	idmap config USGPEOPLEFR:range	= 100000 - 199999
> 	idmap config USGPEOPLEFR:base_rid	= 0
> 	idmap gid = 70000 - 99999
> 	idmap uid = 70000 - 99999
> 	encrypt passwords = Yes
> 	client ntlmv2 auth = Yes
> 	client lanman auth = No
> 	winbind normalize names = Yes
> 	winbind separator = /
> 	winbind use default domain = No
> 	winbind enum users = Yes
> 	winbind enum groups = Yes
> 	winbind nested groups = Yes
> 	winbind nss info = rfc2307
> 	winbind offline logon = true
> 	winbind cache time = 5
> 	winbind refresh tickets = true
> 	kerberos method = system keytab
> 	allow trusted domains = Yes
> 	*server signing = mandatory*
> 	client signing = mandatory
> 	lm announce = No
> 	ntlm auth = No
> 	lanman auth = No
> 	preferred master = No
> 	printing = bsd
> 	nt acl support=yes
> 	map acl inherit=yes
> 	acl check permissions=yes
> 	inherit permissions=no
> 	inherit acls=yes
> 	acl map full control=yes
> 	dos filemode=yes
> 	force unknown acl user = no
>
>
> # LDAP settings -----------------------------------
> 	ldap delete dn = no
> 	passdb backend = ldapsam:ldap://127.0.0.1:389
> 	ldap admin dn = cn=admin,dc=usgpeoplefr,dc=int
> 	ldap suffix = dc=usgpeoplefr,dc=int
> 	ldap group suffix = dc=organizations
> 	ldap user suffix =  dc=organizations
> 	ldap machine suffix = ou=Computer,dc=samba,dc=organizations
> 	ldap delete dn = yes
> 	ldap ssl  = off
> 	ldap idmap suffix >
ou=idmap,dc=samba,dc=organizations,dc=usgpeoplefr,dc=int
>
> 	logon path =""
> 	logon home =""
> 	logon drive = ""
> 	socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT
> SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
> 	case sensitive = No
> 	default case = lower
> 	preserve case = yes
> 	short preserve case = yes
> 	wins support = Yes
> 	time server = yes
> 	msdfs root = no
> 	host msdfs = no
>