samba server mount points stopped working on CentOS 8 install, error: Failed to start SPNEGO handler for negprot OID list

After about 6 months of smb working flawlessly on a home server, it is now failing to allow remote systems to mount with the following error message in /var/log/messages:

Jun 27 12:53:10 bike3 smbd[19385]: [2020/06/27 12:53:10.706872,  0] ../../source3/smbd/negprot.c:211(negprot_spnego)
Jun 27 12:53:10 bike3 smbd[19385]:  Failed to start SPNEGO handler for negprot OID list!

I am using a very basic smb.conf configuration, and have tried a variety of googled settings, with no luck:

[global]
        workgroup = WORKGROUP
        security = user
        log level = 3
        map to guest = bad user
        dns proxy = no
; tested various combinations:
        client use spnego = no
        client ntlmv2 auth = no
        client min protocol = SMB2
        client max protocol = SMB3


[pictures]
       comment = pictures
       path = /mnt/pictures
       public = yes
       browsable = yes
       writable = yes
       guest ok = yes
       read only = no

I have reinstalled all samba packages:

Reinstalled:
  samba-4.11.2-13.el8.x86_64                  samba-client-4.11.2-13.el8.x86_64            samba-client-libs-4.11.2-13.el8.x86_64      samba-common-4.11.2-13.el8.noarch
  samba-common-libs-4.11.2-13.el8.x86_64      samba-common-tools-4.11.2-13.el8.x86_64

I have tested from Windows 10 and OS X Mojave; both fail with the same error. Here is the log level 3 output in the log.smb:

[2020/06/27 13:06:11.367462,  3] ../../lib/util/access.c:371(allow_access)
  Allowed connection from 192.168.xxx.xxx (192.168.xxx.xxx)
[2020/06/27 13:06:11.368276,  3] ../../source3/smbd/oplock.c:1414(init_oplocks)
  init_oplocks: initializing messages.
[2020/06/27 13:06:11.368563,  3] ../../source3/smbd/server_exit.c:244(exit_server_common)
  Server exit (failed to receive smb request)
[2020/06/27 13:06:11.372050,  3] ../../lib/util/access.c:371(allow_access)
  Allowed connection from 192.168.1.197 (192.168.1.197)
[2020/06/27 13:06:11.372676,  3] ../../source3/smbd/oplock.c:1414(init_oplocks)
  init_oplocks: initializing messages.
[2020/06/27 13:06:11.372763,  3] ../../source3/smbd/process.c:1956(process_smb)
  Transaction 0 of length 73 (0 toread)
[2020/06/27 13:06:11.372787,  3] ../../source3/smbd/process.c:1549(switch_message)
  switch message SMBnegprot (pid 21109) conn 0x0
[2020/06/27 13:06:11.373194,  3] ../../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [NT LM 0.12]
[2020/06/27 13:06:11.373220,  3] ../../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [SMB 2.002]
[2020/06/27 13:06:11.373237,  3] ../../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [SMB 2.???]
[2020/06/27 13:06:11.373469,  3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2020/06/27 13:06:11.373856,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2020/06/27 13:06:11.373880,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2020/06/27 13:06:11.373895,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2020/06/27 13:06:11.373911,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'spnego' registered
[2020/06/27 13:06:11.373929,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'schannel' registered
[2020/06/27 13:06:11.373954,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2020/06/27 13:06:11.373970,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2020/06/27 13:06:11.373984,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2020/06/27 13:06:11.374000,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2020/06/27 13:06:11.374016,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'http_basic' registered
[2020/06/27 13:06:11.374031,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2020/06/27 13:06:11.374048,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2020/06/27 13:06:11.374124,  1] ../../auth/gensec/spnego.c:418(gensec_spnego_create_negTokenInit_step)
  gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
[2020/06/27 13:06:11.374149,  0] ../../source3/smbd/negprot.c:211(negprot_spnego)
  Failed to start SPNEGO handler for negprot OID list!
[2020/06/27 13:06:11.374316,  3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_MEMORY] || at ../../source3/smbd/smb2_negprot.c:307
[2020/06/27 13:06:11.374367,  3] ../../source3/smbd/negprot.c:771(reply_negprot)
  Selected protocol SMB 2.???
[2020/06/27 13:06:11.377729,  3] ../../source3/smbd/server_exit.c:244(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)

Thanks in advance for any help.


Solution 1:

This is the top result on Google for this error, so even though it's a year+ old I'm going to toss on what solved this for me.

Disabling FIPS compliance.

There's probably a way to fix this by configuring SAMBA to be FIPS-compliant, but for my use case, it was faster to just disable FIPS.

Edited to include the directions I followed

Credit for the how-to: https://www.thegeekdiary.com/how-to-disable-fips-mode-on-centos-rhel-7/

  1. Remove dracut-fips packages.
    yum remove dracut-fips*

  2. Take a backup of the FIPS initramfs.
    cp -p /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).backup
    Note: Check if the initramfs file has been created or not. Also, you can use another location instead of /boot/ to avoid space issues.

  3. Recreate the initramfs file:
    dracut -f
    OR
    dracut -f -v /boot/initramfs-$(uname -r).img $(uname -r)

  4. Disable the fips=1 value on the kernel command line. Modify the kernel command line of the current kernel in grub.cfg by adding the option "fips=0" to the GRUB_CMDLINE_LINUX key in the /etc/default/grub file, and then rebuild the grub.cfg file.
    Example of how the GRUB_CMDLINE_LINUX line looks:
    GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=vg_os/root rd.lvm.lv=vg_os/swap rhgb quiet fips=0"

  5. Changes to /etc/default/grub require rebuilding the grub.cfg file as follows:
    grub2-mkconfig -o /boot/grub2/grub.cfg
    Or, if you have a UEFI-based system, run:
    grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

  6. Reboot the server for the changes to take effect:
    shutdown -r now

  7. Check that FIPS is not in enforcing mode after the reboot; /proc/sys/crypto/fips_enabled should be 0.
    Example:
    cat /proc/sys/crypto/fips_enabled
    0
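
A triage check for the diagnosis in Solution 1, as an added example that is not part of the original answer: it counts the negprot SPNEGO failure in an smbd log and compares it with the kernel's FIPS flag and the fips= boot option. The function names and the demo's kernel command line are constructed for illustration; the two demo log lines are copied from the question.

```shell
# Added example: relate the smbd negprot failure to the host's FIPS state.
# File paths are arguments so the checks also work on copies of the files.

# Print 1 or 0 from a fips_enabled-style file, "unknown" if unreadable.
fips_state() {
    f=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in 0|1) echo "$v" ;; *) echo unknown ;; esac
}

# Print the last fips= value on a kernel command line, or "unset".
cmdline_fips() {
    f=${1:-/proc/cmdline}
    [ -r "$f" ] || { echo unset; return 0; }
    v=$(tr ' ' '\n' < "$f" | sed -n 's/^fips=//p' | tail -n 1)
    echo "${v:-unset}"
}

# Count log lines carrying the failure message from the question.
spnego_failures() {
    n=$(grep -c 'Failed to start SPNEGO handler for negprot OID list' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# diagnose LOG [FIPS_FILE] [CMDLINE_FILE]: one-line verdict plus evidence.
diagnose() {
    n=$(spnego_failures "$1"); s=$(fips_state "$2"); c=$(cmdline_fips "$3")
    verdict=no-spnego-failure
    if [ "$n" -gt 0 ]; then
        [ "$s" = 1 ] && verdict=fips-suspected || verdict=other-cause
    fi
    echo "$verdict failures=$n fips_enabled=$s cmdline_fips=$c"
}

# Demo on constructed files (log lines from the question, made-up cmdline).
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        '[2020/06/27 13:06:11.374149,  0] ../../source3/smbd/negprot.c:211(negprot_spnego)' \
        '  Failed to start SPNEGO handler for negprot OID list!' > "$d/log.smbd"
    echo 1 > "$d/fips_enabled"
    echo 'BOOT_IMAGE=/vmlinuz ro rhgb quiet fips=1' > "$d/cmdline"
    diagnose "$d/log.smbd" "$d/fips_enabled" "$d/cmdline"
    rm -rf "$d"
}
demo
```

On the server itself, calling diagnose with only the smbd log path reads the live /proc files; an other-cause verdict means the error is present while FIPS is off, so the steps above would not apply.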