After smb ran perfectly on my home server for about 6 months, it now fails to allow remote systems to mount, and the following error messages appear in /var/log/messages:
Jun 27 12:53:10 bike3 smbd[19385]: [2020/06/27 12:53:10.706872, 0] ../../source3/smbd/negprot.c:211(negprot_spnego)
Jun 27 12:53:10 bike3 smbd[19385]: Failed to start SPNEGO handler for negprot OID list!
I am using a very basic smb.conf and have tried various settings found via Google, none of which worked:
[global]
workgroup = WORKGROUP
security = user
log level = 3
map to guest = bad user
dns proxy = no
; tested various combinations:
client use spnego = no
client ntlmv2 auth = no
client min protocol = SMB2
client max protocol = SMB3
[pictures]
comment = pictures
path = /mnt/pictures
public = yes
browsable = yes
writable = yes
guest ok = yes
read only = no
I have reinstalled all the samba packages:
Reinstalled:
samba-4.11.2-13.el8.x86_64 samba-client-4.11.2-13.el8.x86_64 samba-client-libs-4.11.2-13.el8.x86_64 samba-common-4.11.2-13.el8.noarch
samba-common-libs-4.11.2-13.el8.x86_64 samba-common-tools-4.11.2-13.el8.x86_64
I have tested from Windows 10 and OS X Mojave, and both fail with the same error. This is log.smb at log level 3:
[2020/06/27 13:06:11.367462, 3] ../../lib/util/access.c:371(allow_access)
Allowed connection from 192.168.xxx.xxx (192.168.xxx.xxx)
[2020/06/27 13:06:11.368276, 3] ../../source3/smbd/oplock.c:1414(init_oplocks)
init_oplocks: initializing messages.
[2020/06/27 13:06:11.368563, 3] ../../source3/smbd/server_exit.c:244(exit_server_common)
Server exit (failed to receive smb request)
[2020/06/27 13:06:11.372050, 3] ../../lib/util/access.c:371(allow_access)
Allowed connection from 192.168.1.197 (192.168.1.197)
[2020/06/27 13:06:11.372676, 3] ../../source3/smbd/oplock.c:1414(init_oplocks)
init_oplocks: initializing messages.
[2020/06/27 13:06:11.372763, 3] ../../source3/smbd/process.c:1956(process_smb)
Transaction 0 of length 73 (0 toread)
[2020/06/27 13:06:11.372787, 3] ../../source3/smbd/process.c:1549(switch_message)
switch message SMBnegprot (pid 21109) conn 0x0
[2020/06/27 13:06:11.373194, 3] ../../source3/smbd/negprot.c:636(reply_negprot)
Requested protocol [NT LM 0.12]
[2020/06/27 13:06:11.373220, 3] ../../source3/smbd/negprot.c:636(reply_negprot)
Requested protocol [SMB 2.002]
[2020/06/27 13:06:11.373237, 3] ../../source3/smbd/negprot.c:636(reply_negprot)
Requested protocol [SMB 2.???]
[2020/06/27 13:06:11.373469, 3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
Selected protocol SMB2_FF
[2020/06/27 13:06:11.373856, 3] ../../auth/gensec/gensec_start.c:988(gensec_register)
GENSEC backend 'gssapi_spnego' registered
[2020/06/27 13:06:11.373880, 3] ../../auth/gensec/gensec_start.c:988(gensec_register)
GENSEC backend 'gssapi_krb5' registered
[2020/06/27 13:06:11.373895, 3] ../../auth/gensec/gensec_start.c:988(gensec_register)
GENSEC backend 'gssapi_krb5_sasl' registered
[2020/06/27 13:06:11.373911, 3] ../../auth/gensec/gensec_start.c:988(gensec_register)
GENSEC backend 'spnego' registered
[2020/06/27 13:06:11.373929, 3] ../../auth/gensec/gensec_start.c:988(gensec_register)
GENSEC backend 'schannel' registered
[2020/06/27 13:06:11.373954, 3] ../../auth/gensec/gensec_start.c:988(gensec_register)
GENSEC backend 'naclrpc_as_system' registered
[2020/06/27 13:06:11.373970, 3] ../../auth/gensec/gensec_start.c:988(gensec_register)
GENSEC backend 'sasl-EXTERNAL' registered
[2020/06/27 13:06:11.373984, 3] ../../auth/gensec/gensec_start.c:988(gensec_register)
GENSEC backend 'ntlmssp' registered
[2020/06/27 13:06:11.374000, 3] ../../auth/gensec/gensec_start.c:988(gensec_register)
GENSEC backend 'ntlmssp_resume_ccache' registered
[2020/06/27 13:06:11.374016, 3] ../../auth/gensec/gensec_start.c:988(gensec_register)
GENSEC backend 'http_basic' registered
[2020/06/27 13:06:11.374031, 3] ../../auth/gensec/gensec_start.c:988(gensec_register)
GENSEC backend 'http_ntlm' registered
[2020/06/27 13:06:11.374048, 3] ../../auth/gensec/gensec_start.c:988(gensec_register)
GENSEC backend 'http_negotiate' registered
[2020/06/27 13:06:11.374124, 1] ../../auth/gensec/spnego.c:418(gensec_spnego_create_negTokenInit_step)
gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
[2020/06/27 13:06:11.374149, 0] ../../source3/smbd/negprot.c:211(negprot_spnego)
Failed to start SPNEGO handler for negprot OID list!
[2020/06/27 13:06:11.374316, 3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_MEMORY] || at ../../source3/smbd/smb2_negprot.c:307
[2020/06/27 13:06:11.374367, 3] ../../source3/smbd/negprot.c:771(reply_negprot)
Selected protocol SMB 2.???
[2020/06/27 13:06:11.377729, 3] ../../source3/smbd/server_exit.c:244(exit_server_common)
Server exit (NT_STATUS_END_OF_FILE)
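Thanks in advance for your help.
Answer 1
This is the top Google search result for this error, so although it is more than a year old, I will still try to give a way to resolve this problem.
Disable FIPS compliance.
There may be a way to resolve this by configuring SAMBA to be FIPS compliant, but for my use case disabling FIPS was faster.
Edited to include the instructions I followed
Credit for this guide: https://www.thegeekdiary.com/how-to-disable-fips-mode-on-centos-rhel-7/
Remove the dracut-fips packages.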
yum remove dracut-fips*
Back up the FIPS initramfs.
cp -p /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).backup
Note: check that the initramfs file was created. Also, you can use a location other than /boot/ to avoid space issues.
Recreate the initramfs file:
dracut -f
or
dracut -f -v /boot/initramfs-$(uname -r).img $(uname -r)
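Disable the fips=1 value on the kernel command line. Modify the kernel command line of the current kernel in grub.cfg by adding the option "fips=0" to the GRUB_CMDLINE_LINUX key in the /etc/default/grub file, then rebuild the grub.cfg file.
An example GRUB_CMDLINE_LINUX line looks like this: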
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=vg_os/root rd.lvm.lv=vg_os/swap rhgb quiet fips=0"
Changes to /etc/default/grub require rebuilding the grub.cfg file as follows:
grub2-mkconfig -o /boot/grub2/grub.cfg
or, if you are running a UEFI-based system:
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
Reboot the server for the changes to take effect:
shutdown -r now
After the reboot, check that FIPS is not in enforcing mode: /proc/sys/crypto/fips_enabled should be 0.
For example:
cat /proc/sys/crypto/fips_enabled
0
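A read-only check of the state the steps above change, as an added example that is not part of the original answer: it reports the runtime FIPS flag, the fips= value in the GRUB defaults, and how many times the SPNEGO error from the question appears in a log. The function names and the constructed sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer). Read-only checks; paths are
# parameters so the functions can be run against constructed files.

# Print "enabled", "disabled" or "unknown" from a fips_enabled-style file.
fips_runtime() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(tr -d '[:space:]' < "$1")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Print the last fips=N value on a kernel command line (/proc/cmdline or the
# GRUB_CMDLINE_LINUX line of /etc/default/grub), or "absent".
fips_arg() {
    v=$(grep -v '^[[:space:]]*#' "$1" 2>/dev/null | tr ' "' '\n\n' |
        sed -n 's/^fips=\([01]\)$/\1/p' | tail -n 1)
    echo "${v:-absent}"
}

# Count log lines carrying the error from the question.
spnego_failures() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'Failed to start SPNEGO handler for negprot OID list' "$1" || true
}

# Combine the three checks: fips_report FIPS_FILE GRUB_FILE LOG_FILE
fips_report() {
    echo "runtime=$(fips_runtime "$1") grub=$(fips_arg "$2") spnego_errors=$(spnego_failures "$3")"
}

# Constructed sample files standing in for the real paths.
d=$(mktemp -d)
echo 1 > "$d/fips_enabled"
echo 'GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet fips=1"' > "$d/grub"
printf '%s\n' \
    'Jun 27 12:53:10 bike3 smbd[19385]: Failed to start SPNEGO handler for negprot OID list!' \
    > "$d/messages"
fips_report "$d/fips_enabled" "$d/grub" "$d/messages"
# On a real host (reading /var/log/messages usually needs root):
# fips_report /proc/sys/crypto/fips_enabled /etc/default/grub /var/log/messages
```

A result of runtime=disabled together with grub=1 means the GRUB defaults still request FIPS mode, so the edit to GRUB_CMDLINE_LINUX has not been made or saved.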