connect to a share on an Active Directory Win2K3 DC

I have a Linux (Mandrake 10.1 / SAMBA 3.0.7) box that has successfully
joined AD but cannot mount a share on the ADC (Win2K3 / AD). I can
authenticate and view the machine fine but trying to mount a hidden share
reults in the error message listed below. I can mount a hidden share on a
Win2KPro machine that's a member of the domain fine.

[wcattell@frodo wcattell]$ smbclient -L //merry -U wcattell
Password:
Domain=[TEXASFLOOD] OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]

Sharename Type Comment
--------- ---- -------
FM3 Disk
E$ Disk Default share
IPC$ IPC Remote IPC
D$ Disk Default share
Resources$ Disk "Event logging files"
NETLOGON Disk Logon server share
archives2 Disk
Tunes Disk
ADMIN$ Disk Remote Admin
SYSVOL Disk Logon server share
C$ Disk Default share
MERRY.LOG Disk Exchange message tracking logs
Address Disk "Access to address objects"
Domain=[TEXASFLOOD] OS=[Windows Server 2003 3790] Server=[Windows Server 2003 5.2]

Server Comment
--------- -------
BILBO
FRODO Samba Server 3.0.7
MERRY
SAM Samba Server

Workgroup Master
--------- -------
TEXASFLOOD MERRY
[wcattell@frodo wcattell]$


The error when trying to mount...

[wcattell@frodo wcattell]$ su
Password:
[root@frodo wcattell]# mount -t smbfs -o username=wcattell //merry/c$ /mnt/win-c
cli_negprot: SMB signing is mandatory and we have disabled it.
835: protocol negotiation failed
SMB connection failed
[root@frodo wcattell]#

On 2004-10-11 01:03:04 -0400, "William B. Cattell"
<(E-Mail Removed)> said:

> The error when trying to mount...
>
> [wcattell@frodo wcattell]$ su
> Password:
> [root@frodo wcattell]# mount -t smbfs -o username=wcattell //merry/c$
> /mnt/win-c
> cli_negprot: SMB signing is mandatory and we have disabled it.
> 835: protocol negotiation failed
> SMB connection failed
> [root@frodo wcattell]#

Looks like you need to disable SMB signing, which is turned on by
default in Windows Server 2003 (this is a change from Windows 2000
Server). You can change this using the Local Security Policy console,
unless the setting is being enforced via Group Policy (in which case
you'll need to edit the Group Policy Object in Active Directory).

I believe the option for SMB signing is called "Digitally sign packets
(always)" and is found under Security Settings > Security Options
(sorry, I don't have a Local Security Policy console in front of me so
I can't verify the exact wording or location).

Hope this helps.

--
Scott Lowe

On Mon, 11 Oct 2004 20:59:25 -0400, Scott Lowe wrote:

> On 2004-10-11 01:03:04 -0400, "William B. Cattell"
> <(E-Mail Removed)> said:
>
>> The error when trying to mount...
>>
>> [wcattell@frodo wcattell]$ su
>> Password:
>> [root@frodo wcattell]# mount -t smbfs -o username=wcattell //merry/c$
>> /mnt/win-c
>> cli_negprot: SMB signing is mandatory and we have disabled it.
>> 835: protocol negotiation failed
>> SMB connection failed
>> [root@frodo wcattell]#
>
> Looks like you need to disable SMB signing, which is turned on by
> default in Windows Server 2003 (this is a change from Windows 2000
> Server). You can change this using the Local Security Policy console,
> unless the setting is being enforced via Group Policy (in which case
> you'll need to edit the Group Policy Object in Active Directory).
>
> I believe the option for SMB signing is called "Digitally sign packets
> (always)" and is found under Security Settings > Security Options
> (sorry, I don't have a Local Security Policy console in front of me so
> I can't verify the exact wording or location).
>
> Hope this helps.

Thanks Scott. I was focusing in on the SAMBA side and didn't even think
about GPOs. 'Appreciate the pointer.

Bill

On Tue, 12 Oct 2004 05:35:13 +0000, William B. Cattell wrote:

> On Mon, 11 Oct 2004 20:59:25 -0400, Scott Lowe wrote:
>
>> On 2004-10-11 01:03:04 -0400, "William B. Cattell"
>> <(E-Mail Removed)> said:
>>
>>> The error when trying to mount...
>>>
>>> [wcattell@frodo wcattell]$ su
>>> Password:
>>> [root@frodo wcattell]# mount -t smbfs -o username=wcattell //merry/c$
>>> /mnt/win-c
>>> cli_negprot: SMB signing is mandatory and we have disabled it.
>>> 835: protocol negotiation failed
>>> SMB connection failed
>>> [root@frodo wcattell]#
>>
>> Looks like you need to disable SMB signing, which is turned on by
>> default in Windows Server 2003 (this is a change from Windows 2000
>> Server). You can change this using the Local Security Policy console,
>> unless the setting is being enforced via Group Policy (in which case
>> you'll need to edit the Group Policy Object in Active Directory).
>>
>> I believe the option for SMB signing is called "Digitally sign packets
>> (always)" and is found under Security Settings > Security Options
>> (sorry, I don't have a Local Security Policy console in front of me so
>> I can't verify the exact wording or location).
>>
>> Hope this helps.
>
> Thanks Scott. I was focusing in on the SAMBA side and didn't even think
> about GPOs. 'Appreciate the pointer.
>
> Bill

Scott - You "Da Man". That was it. All is working well in Mudville again.

8-)