Background

I have a network of machines behind an air-gap, therefore upgrades are a tedious business normally performed four times per year. The systems run various versions of CentOS and I use the Samba that is distributed with CentOS. Last weekend I updated the 5.7 machines with updates to 18 April 2016, not the current 5.8. Those of my users who run Windows boxes (Windows 7 Enterprise) map Samba shares on my machines to a drive letter on their PCs. In order to do this they need to keep their Samba passwords updated. Samba passwords are held in /etc/samba/passdb.tdb.

Problem

Users are reporting that password setting fails. This seems to be a fairly solid issue (see below). Attempting to use "smbpasswd" or "smbclient -L YYYY" fails with an error "cli_negprot: SMB signing is mandatory and the server doesn't support it" which I've not seen before. smbpasswd then incorrectly states that the password has been changed, which it hasn't.

In the transcript below I show the basic command (as seen by the users), smbclient used to find the error, versions and finally a -D3 which confirms the error. All work was done on the local machine. XXXX is my username, YYYY is the machine's simple name. IP addresses have been stripped of meaningful information but were consistent. No other network problems are apparent.

I'm sure there is a simple tweak required to the smb.conf file (which has not been changed), can anyone tell me what to tweak?

Regards,
Martin

Transcript

$ smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
machine 127.0.0.1 rejected the negotiate protocol. Error was : NT_STATUS_ACCESS_DENIED.
Password changed for user XXXX

$ smbclient -L YYYY
Enter XXXX's password:
cli_negprot: SMB signing is mandatory and the server doesn't support it.
protocol negotiation failed: NT_STATUS_ACCESS_DENIED

$ smbclient -V
Version 3.6.23-12.el5_11
$ uname -a
Linux YYYY 2.6.18-409.el5 #1 SMP Tue Mar 15 18:13:50 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux

$ smbpasswd -D3
added interface ib0 ip=:::::%ib0 bcast=::ffff:ffff:ffff:ffff%ib0 netmask=ffff:ffff:ffff:ffff::
added interface eth2 ip=:::::%eth2 bcast=::ffff:ffff:ffff:ffff%eth2 netmask=ffff:ffff:ffff:ffff::
added interface eth1 ip=:::::fe%eth1 bcast=::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
added interface ib0 ip=... bcast=...255 netmask=255.255.255.0
added interface eth1 ip=... bcast=...255 netmask=255.255.255.0
added interface eth2 ip=... bcast=...255 netmask=255.255.255.0
Old SMB password:
New SMB password:
Retype new SMB password:
Connecting to 127.0.0.1 at port 445
cli_negprot: SMB signing is mandatory and the server doesn't support it.
machine 127.0.0.1 rejected the negotiate protocol. Error was : NT_STATUS_ACCESS_DENIED.
Password changed for user XXXX

"cli_negprot: SMB signing is mandatory and the server doesn't support it"

Should mean that your Samba is too old for your clients.

See the Badlock bug for a better view of your issue.

See man smb.conf, looking for "sign" in it.
I believe - but I'm not sure - that the options you are looking for are:
client ldap sasl wrapping = sign
client use spnego = yes
to be set on server side.

And you could face the need to get a newer Samba version, as the bug is recent, as is its solution, and neither your Samba nor your Red Hat are recent.

Sometimes upgrades are required ;)
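Added example, not part of any message in this thread: a small Python model of the check that fails in the transcript, where a local tool connects to smbd on 127.0.0.1 and both roles read the same smb.conf, which carries separate `client signing` and `server signing` parameters. The smb.conf fragments are constructed, and the defaults passed in are assumptions chosen to reproduce the symptom, not verified defaults of the 3.6.23-12.el5_11 build.

```python
# Added example; the smb.conf fragments and defaults are constructed.
DOCUMENTED = {"auto", "mandatory", "disabled"}  # values listed in smb.conf(5)

def norm(name):
    """Parameter names ignore case and whitespace."""
    return "".join(name.lower().split())

def global_params(conf_text):
    """Return the [global] parameters of an smb.conf as {name: value}."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip().lower()
    return params

def effective(params, name, default):
    """Configured value, or the caller-supplied default when unset."""
    value = params.get(norm(name), default)
    if value not in DOCUMENTED:
        raise ValueError(f"{name}: unhandled value {value!r}")
    return value

def loopback_signing(conf_text, client_default, server_default):
    """Model a local smbpasswd/smbclient talking to smbd on 127.0.0.1."""
    params = global_params(conf_text)
    client = effective(params, "client signing", client_default)
    server = effective(params, "server signing", server_default)
    if client == "mandatory" and server == "disabled":
        verdict = "FAIL: client requires signing, server does not support it"
    elif server == "mandatory" and client == "disabled":
        verdict = "FAIL: server requires signing, client has it disabled"
    else:
        verdict = "OK"
    return client, server, verdict

# Constructed fragments (hypothetical): one silent on signing, one explicit.
UNSET = "[global]\n\tworkgroup = EXAMPLE\n\tsecurity = user\n"
EXPLICIT = UNSET + "\t; offer signing\n\tServer  Signing = auto\n"

if __name__ == "__main__":
    # Assumed defaults, picked to reproduce the symptom; not verified for any build.
    for label, conf in (("unset", UNSET), ("explicit", EXPLICIT)):
        print(label, loopback_signing(conf, "mandatory", "disabled"))
```

On a real host, `testparm -sv` prints the effective [global] values with defaults filled in; passing that output to `loopback_signing` replaces the assumed defaults with the ones the installed build actually uses.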

On 01/06/16 14:29, J Martin Rushton wrote:
> Background
>
> I have a network of machines behind an air-gap, therefore upgrades are
> a tedious business normally performed four times per year. The systems
> run various versions of CentOS and I use the Samba that is distributed
> with CentOS. Last weekend I updated the 5.7 machines with updates to
> 18 April 2016, not the current 5.8. Those of my users who run Windows
> boxes (Windows 7 Enterprise) map Samba shares on my machines to a
> drive letter on their PCs. In order to do this they need to keep their
> Samba passwords updated. Samba passwords are held in
> /etc/samba/passdb.tdb.

Try upgrading your OS, 5.7 is very old, 5.11 is the current version and this goes EOL in March next year and if you look here:

https://wiki.centos.org/Download

You will find this:

** Please note Red Hat's policy on Production Phase 3 for EL5 in the above support policy. Only those security updates deemed crucial are now being released upstream for EL5 (so also for CentOS Linux 5) Please read this Mailing List <http://lists.centos.org/pipermail/centos/2014-November/148008.html> post for more details. The CentOS team recommends that you start moving workloads from CentOS-5 to CentOS Linux 6 or CentOS Linux 7.

If you upgrade your OS, your problem may be fixed, but if it isn't, you stand more chance of getting it fixed.

Rowland

On 02/06/16 13:42, Rowland penny wrote:
> On 01/06/16 14:29, J Martin Rushton wrote:
>> Background
>>
>> I have a network of machines behind an air-gap, therefore upgrades are
>> a tedious business normally performed four times per year. The systems
>> run various versions of CentOS and I use the Samba that is distributed
>> with CentOS. Last weekend I updated the 5.7 machines with updates to
>> 18 April 2016, not the current 5.8. Those of my users who run Windows
>> boxes (Windows 7 Enterprise) map Samba shares on my machines to a
>> drive letter on their PCs. In order to do this they need to keep their
>> Samba passwords updated. Samba passwords are held in
>> /etc/samba/passdb.tdb.
>
> Try upgrading your OS, 5.7 is very old, 5.11 is the current version and
> this goes EOL in March next year and if you look here:
> https://wiki.centos.org/Download
>
> You will find this:
>
> ** Please note Red Hat's policy on Production Phase 3 for EL5 in the
> above support policy. Only those security updates deemed crucial are now
> being released upstream for EL5 (so also for CentOS Linux 5) Please read
> this Mailing List
> <http://lists.centos.org/pipermail/centos/2014-November/148008.html>
> post for more details. The CentOS team recommends that you start moving
> workloads from CentOS-5 to CentOS Linux 6 or CentOS Linux 7.
>
> If you upgrade your OS, your problem may be fixed, but if it isn't, you
> stand more chance of getting it fixed.
>
> Rowland

Thanks Rowland.

I'm afraid I made a mistake, the machines we have are 7.2, 6.7, and 5.11; hence my thinking about the .7/.8 issue. It is the 5.11 machines that are having the problem. The plan is to migrate Samba serving to the 6.x machines, but at the moment non-Samba problems are making them unreliable.

So - we have just updated 5.11, and the Samba distributed with that has stopped working. I am reluctant to import a non-CentOS/RHEL version of Samba since it upsets the CentOS repository system.

Apologies once again for confusing the issue.

Martin

Mathias

Thanks for your reply. I'm afraid I mixed up my machines, they are 5.11 ones (we also have 6.7 and 7.2 machines, hence my mutterings about 6.8). The Samba version is the one distributed with CentOS and both are about a month and a half old.

We don't use LDAP (at the moment), so is the "client ldap sasl wrapping = sign" relevant? Furthermore, the problem is demonstrable on a single machine, so the client and server sides of smbclient or smbpasswd ought to be identical.

I'd love to move the whole Samba side onto a 6.7 machine, but we are having reliability problems with other software.

Martin

On 02/06/16 13:13, mathias dufresne wrote:
> "cli_negprot: SMB signing is mandatory and the server doesn't support it"
>
> Should mean that your Samba is too old for your clients.
>
> See the Badlock bug for a better view of your issue.
>
> See man smb.conf, looking for "sign" in it.
> I believe - but I'm not sure - that the options you are looking for are:
> client ldap sasl wrapping = sign
> client use spnego = yes
> to be set on server side.
>
> And you could face the need to get a newer Samba version, as the bug
> is recent, as is its solution, and neither your Samba nor your Red Hat
> are recent.
>
> Sometimes upgrades are required ;)