# Help mounting a windows 2003 share

## revoohc

I need some help mounting a windows 2003 share.  I have gone ahead and emerge samba 3 but am still unable to mount the share.  When I try to mount the share I get the following:

mount //skuspldcorp1/skshare/Cross_Departmental /mnt/xp -t smbfs -o username=skcorp\\choover

cli_negprot: SMB signing is mandatory and we have disabled it.

5111: protocol negotiation failed

SMB connection failed

Any ideas on what I need to change to fix this?

Thanks,

Chris

----------

## prizna

I'm having the same problem...

I can browse my Samba server from my Windows systems (2003 AD server, XP Pro workstations...).

And I can also use "smbclient -k //server/share" to access my server.

But i CAN'T use "smbmount //10.0.0.2/100GB /mnt/smb1 -o krb"

This is the error message I get:

zap samba # smbmount //10.0.0.2/100GB /mnt/smb1 -o krb

Warning: kerberos support will only work for samba servers

cli_negprot: SMB signing is mandatory and we have disabled it.

31676: protocol negotiation failed

SMB connection failed

----------

## mozingod

This is a feature that's been in Windows since NT, but Microsoft just now made it on by default instead of off. It pretty much requires specially signed access from the user accessing the share, which Linux doesn't do. Here's how to turn it off in a domain, or do it locally if it's just one machine...

a.	Open Active Directory Users and Computers, right-click the Domain Controllers container, and then click Properties. Click the Group Policy tab, and then click Edit.

b.	Under Computer Configuration, go to the Windows Settings\Security Settings\Local Policies\Security Options folder.

c.	In the details pane, double-click Microsoft network server: Digitally sign communications (always), and then click Disabled to prevent SMB packet signing from being required.

d.	In the details pane, double-click Domain member: Digitally encrypt or sign secure channel data (always), and then click Disabled to prevent secure channel signing from being required.

----------

## prizna

Great, that worked... Thanks for the info   :Smile: 

----------

## X

Has anyone been able to mount a drive without disabling smb signing?

Supposedly it works with CIFS but I keep getting this error:

 *Quote:*   

> ms957g# mount -t cifs "//server.edu/t" /mnt/t -o username=X
> 
> mount: //server.edu/t: can't read superblock
> 
> 

 

----------

## TJNII

I can't disable signing. (Not my system)  Is there a workaround?

----------

## frozenJim

I'm baffled then.  I have no authority on the win2003 server and so cannot affect anything there.

I am having no problems connecting using my Gnome interface however.  Isn't THAT using Samba?  I say "connect to server" and choose "Windows Share" as my server type, fill in the blanks and BINGO - I have an icon on my desktop that allows me full access to that windows share.  (note: here's your workaround TJNII)

Unfortunately, this is not good enough for what i need: an actual mounted directory that can be browsed by non network-aware apps (like softmaker's office suite which is not opensource   :Evil or Very Mad:   but is one truly amazing MS-Office clone!).

But using either of the following fails with the message about SMB Messaging being required:

```
spore-linux / # mount -tsmbfs '//SERVER/share' /dir1/dir2

cli_negprot: SMB signing is mandatory and we have disabled it.

1715: protocol negotiation failed

SMB connection failed

```

or

```
spore-linux / # smbmount //SERVER/share /dir1/dir2 username='my_name' password='surely_not' workgroup='eager_beavers'

cli_negprot: SMB signing is mandatory and we have disabled it.

1722: protocol negotiation failed

SMB connection failed

```

----------

## Shaman

Solution #1:

Add this to your SMB config file/s:

client signing = yes

It requires your Samba to have encryption built into it.  Some versions do not and you may need to look at your build defaults in Gentoo as well.  I've heard it's a bit tricky.

Solution #2:

Go to your W2K3 box and find Administrative Tools, then open Domain Controller Security Settings.  Scroll to Microsoft Network Server: Digitally Sign Communications (Always). Set this option to Disabled.

----------

## frozenJim

Tried that.  I edited my virgin smb.conf to this:

```
[global]

wins support = no

workgroup = spore

server string = spore

client signing = yes

server signing = yes

```

Then I restarted my samba service.  However it made no difference at all.

So... what's this about Samba encryption then?  I wonder if setting the kerebos flag would be the solution?

```
spore-linux / # emerge -Dav samba

These are the packages that would be merged, in order:

Calculating dependencies... done!

[ebuild   R   ] net-fs/samba-3.0.22-r3  USE="cups ldap pam python readline xml -acl -async -automount -doc -examples -kerberos -ldapsam -libclamav -mysql -oav -postgres -quotas (-selinux) -swat -syslog -winbind" 0 kB 

```

So, Shaman, if this were YOUR windows domain.... what would you recommend?

----------

## Shaman

Kerberos is likely the issue.  I'd spend a bit of time on that and if it doesn't work... turn off mandatory encryption.

After all, not all Windows systems support it either, and it isn't like the W2K3 server won't let encrypted clients connect anymore, it just turns off the mandate.

----------

## frozenJim

Nope, reemerged with kerebos but nothing much changed.

My system admin tells me that SMB encryption is on by default when Windows server is installed.  They just left the default setting because it didn't make any sense to them to do otherwise.

Do we know if the Samba folks are working on this?

----------

## mariourk

Perhaps a bit late, but I'll post it anyway.

You need to use cifs instead of smbfs

Example:

```

mount -t cifs -o username=your_username,uid=your_linuxid //192.168.0.1/share /path/to/mount-point

```

To use cifs, you have to enable it in your kernel:

```

File systems  --->

Network File Systems  --->

<*> CIFS support (advanced network filesystem for Samba, Window and other CIFS compliant servers)

```

Hopefully this will help someone  :Very Happy: 

source

----------

## frozenJim

Well I'll be darned... it worked.  CIFS was the answer.

```
mount -tcifs -o username=just_me //Server/share /my_drive/the_folder
```

thanks all!   :Very Happy: 

----------

