Samba server mount points stopped working on a CentOS 8 install, error: Failed to start SPNEGO handler for negprot OID list


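After smb had run perfectly on a home server for about 6 months, it now fails to allow remote systems to mount, and the following error messages appear in /var/log/messages: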

Jun 27 12:53:10 bike3 smbd[19385]: [2020/06/27 12:53:10.706872,  0] ../../source3/smbd/negprot.c:211(negprot_spnego)
Jun 27 12:53:10 bike3 smbd[19385]:  Failed to start SPNEGO handler for negprot OID list!

I am using a very basic smb.conf configuration and have tried various settings found via Google, all without success:

[global]
        workgroup = WORKGROUP
        security = user
        log level = 3
        map to guest = bad user
        dns proxy = no
; tested various combinations:
        client use spnego = no
        client ntlmv2 auth = no
        client min protocol = SMB2
        client max protocol = SMB3


[pictures]
       comment = pictures
       path = /mnt/pictures
       public = yes
       browsable = yes
       writable = yes
       guest ok = yes
       read only = no

I have reinstalled all the samba packages:

Reinstalled:
  samba-4.11.2-13.el8.x86_64                  samba-client-4.11.2-13.el8.x86_64            samba-client-libs-4.11.2-13.el8.x86_64      samba-common-4.11.2-13.el8.noarch
  samba-common-libs-4.11.2-13.el8.x86_64      samba-common-tools-4.11.2-13.el8.x86_64

I have tested on Windows 10 and OS X Mojave, and both fail with the same error. This is log.smb at log level 3:

[2020/06/27 13:06:11.367462,  3] ../../lib/util/access.c:371(allow_access)
  Allowed connection from 192.168.xxx.xxx (192.168.xxx.xxx)
[2020/06/27 13:06:11.368276,  3] ../../source3/smbd/oplock.c:1414(init_oplocks)
  init_oplocks: initializing messages.
[2020/06/27 13:06:11.368563,  3] ../../source3/smbd/server_exit.c:244(exit_server_common)
  Server exit (failed to receive smb request)
[2020/06/27 13:06:11.372050,  3] ../../lib/util/access.c:371(allow_access)
  Allowed connection from 192.168.1.197 (192.168.1.197)
[2020/06/27 13:06:11.372676,  3] ../../source3/smbd/oplock.c:1414(init_oplocks)
  init_oplocks: initializing messages.
[2020/06/27 13:06:11.372763,  3] ../../source3/smbd/process.c:1956(process_smb)
  Transaction 0 of length 73 (0 toread)
[2020/06/27 13:06:11.372787,  3] ../../source3/smbd/process.c:1549(switch_message)
  switch message SMBnegprot (pid 21109) conn 0x0
[2020/06/27 13:06:11.373194,  3] ../../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [NT LM 0.12]
[2020/06/27 13:06:11.373220,  3] ../../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [SMB 2.002]
[2020/06/27 13:06:11.373237,  3] ../../source3/smbd/negprot.c:636(reply_negprot)
  Requested protocol [SMB 2.???]
[2020/06/27 13:06:11.373469,  3] ../../source3/smbd/smb2_negprot.c:294(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2020/06/27 13:06:11.373856,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2020/06/27 13:06:11.373880,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2020/06/27 13:06:11.373895,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2020/06/27 13:06:11.373911,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'spnego' registered
[2020/06/27 13:06:11.373929,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'schannel' registered
[2020/06/27 13:06:11.373954,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2020/06/27 13:06:11.373970,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2020/06/27 13:06:11.373984,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2020/06/27 13:06:11.374000,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'ntlmssp_resume_ccache' registered
[2020/06/27 13:06:11.374016,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'http_basic' registered
[2020/06/27 13:06:11.374031,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2020/06/27 13:06:11.374048,  3] ../../auth/gensec/gensec_start.c:988(gensec_register)
  GENSEC backend 'http_negotiate' registered
[2020/06/27 13:06:11.374124,  1] ../../auth/gensec/spnego.c:418(gensec_spnego_create_negTokenInit_step)
  gensec_spnego_create_negTokenInit_step: Failed to setup SPNEGO negTokenInit request
[2020/06/27 13:06:11.374149,  0] ../../source3/smbd/negprot.c:211(negprot_spnego)
  Failed to start SPNEGO handler for negprot OID list!
[2020/06/27 13:06:11.374316,  3] ../../source3/smbd/smb2_server.c:3266(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_NO_MEMORY] || at ../../source3/smbd/smb2_negprot.c:307
[2020/06/27 13:06:11.374367,  3] ../../source3/smbd/negprot.c:771(reply_negprot)
  Selected protocol SMB 2.???
[2020/06/27 13:06:11.377729,  3] ../../source3/smbd/server_exit.c:244(exit_server_common)
  Server exit (NT_STATUS_END_OF_FILE)

Thanks in advance for your help.

Answer 1

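This is the top Google search result for this error, so even though the error is more than a year old, I will still try to find a way to solve this problem.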

Disable FIPS compliance.

There may be a way to solve this by configuring SAMBA to be FIPS compliant, but for my use case disabling FIPS was faster.

Edited to include the instructions I followed

Credit for this guide: https://www.thegeekdiary.com/how-to-disable-fips-mode-on-centos-rhel-7/

  1. Remove the dracut-fips packages.
    yum remove dracut-fips*

  2. Back up the FIPS initramfs.
    cp -p /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).backup
    Note: check that the initramfs file has been created. You can also use a location other than /boot/ to avoid space issues.

  3. Recreate the initramfs file:
    dracut -f
    or
    dracut -f -v /boot/initramfs-$(uname -r).img $(uname -r)

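  4. Disable the fips=1 value on the kernel command line. Modify the kernel command line of the current kernel in grub.cfg by adding the option "fips=0" to the GRUB_CMDLINE_LINUX key in the /etc/default/grub file, then rebuild the grub.cfg file:
    An example GRUB_CMDLINE_LINUX line:

    GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=vg_os/root rd.lvm.lv=vg_os/swap rhgb quiet fips=0"

  5. Changes to /etc/default/grub require rebuilding the grub.cfg file, as follows:
    grub2-mkconfig -o /boot/grub2/grub.cfg
    or, if you are running a UEFI-based system:
    grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

  6. Reboot the server for the changes to take effect:
    shutdown -r now

  7. After the reboot, check that FIPS is not in enforcing mode; /proc/sys/crypto/fips_enabled should be 0.
    For example:
    cat /proc/sys/crypto/fips_enabled
    0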
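
The following shell functions are an added example, not part of the original answer or of Samba. They report the FIPS state that the steps above change, alongside the number of SPNEGO start failures in a log, so the two can be compared before and after the change. The function names and the script name `check.sh` are hypothetical; the file paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original answer. File paths are arguments so the
# logic can be run against copies or constructed files.

# Print the value of the last fips=<n> word read on stdin, or "unset".
last_fips_arg() {
    val=$(tr -s ' \t' '\n\n' | sed -n 's/^fips=//p' | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# fips_state FIPS_ENABLED_FILE GRUB_DEFAULT_FILE
#   enabled                 kernel is in FIPS mode, GRUB does not stage fips=0
#   enabled-reboot-pending  kernel is in FIPS mode, GRUB_CMDLINE_LINUX has fips=0
#                           (grub.cfg rebuild and reboot have not taken effect)
#   disabled                kernel is not in FIPS mode
fips_state() {
    running=$(cat "$1" 2>/dev/null || echo 0)   # file absent: no FIPS support
    staged=$(sed -n 's/^GRUB_CMDLINE_LINUX=//p' "$2" 2>/dev/null |
             tail -n 1 | tr -d "\"'" | last_fips_arg)
    if [ "$running" != 1 ]; then
        echo disabled
    elif [ "$staged" = 0 ]; then
        echo enabled-reboot-pending
    else
        echo enabled
    fi
}

# diagnose FIPS_ENABLED_FILE GRUB_DEFAULT_FILE LOG_FILE
# Reports the FIPS state next to the number of SPNEGO start failures logged.
diagnose() {
    state=$(fips_state "$1" "$2")
    hits=$(grep -c 'Failed to start SPNEGO handler for negprot OID list' \
           "$3" 2>/dev/null || true)
    printf 'fips=%s spnego_failures=%s\n' "$state" "${hits:-0}"
}

# On the server itself (check.sh is a hypothetical file name):
#   sh check.sh /proc/sys/crypto/fips_enabled /etc/default/grub /var/log/messages
if [ "$#" -eq 3 ]; then
    diagnose "$@"
fi
```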
