[Samba] Checking the trust account password returned NT_STATUS_INVALID_HANDLE

Turbo Fredriksson turbo at dagdrivarn.se
Fri Jul 27 09:37:05 GMT 2007

I'm trying to set up a FreeRADIUS (version 1.1.6 w/ LDAP support)
server on our new server here at home, which in turn should
authenticate against the Samba server (also on the same host - version
3.0.25) which in turn uses an OpenLDAP server (CVS version HEAD as of

Samba works perfectly against the OL server. Authentication
etc is a-ok.

But regarding winbind, the first problem is that it won't start.
'touch'ing the file '/var/run/samba/winbindd_cache.tdb' and then
starting 'winbindd -iS -d3' works. This I can live with (at the moment),
but then running 'wbinfo -t' will give me the following problem:

----- s n i p -----
celia:~# touch /var/run/samba/winbindd_cache.tdb && winbindd -iS -d3 2>&1 | tee /tmp/z
initialize_winbindd_cache: clearing cache and re-creating with version number 1
Added domain FREQVIST  S-1-5-21-1048132253-3888718238-3496884323
Added domain BUILTIN  S-1-5-32
[12095]: list trusted domains
[... running wbinfo ...]
[    0]: request interface version
[    0]: request location of privileged pipe
[    0]: check machine account
[12095]: check machine account
could not open handle to NETLOGON pipe
Checking the trust account password returned NT_STATUS_INVALID_HANDLE
----- s n i p -----

And wbinfo says:

----- s n i p -----
celia:/home/turbo# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
Could not check secret
----- s n i p -----

A 'net join' works (according to 'net' at least - I get an error in the
samba logs!):

----- s n i p -----
celia:/home/turbo# net join -w FREQVIST -S -U root
Joined domain FREQVIST.
----- s n i p -----

Only running 'net join' will give me an error because of a wrong
password. MIGHT be because of the current Samba server my girlfriend
is maintaining (which is to be moved to this new server).

----- s n i p -----
celia:~# tail -f /var/log/samba/samba.log -n0
[2007/07/27 11:25:58, 0, pid=12169, effective(65534, 65534), real(65534, 0)] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from client CELIA machine account CELIA$
----- s n i p -----

This is before I've entered the password...

The command 'pdbedit -L -w' tells me this about 'celia$':

----- s n i p -----
celia$:3005:E19AB02A48615917B24265D82887F525:2CBC29FB015E87AC0A198A0F0150811C:[S          ]:LCT-46A9BA2A:
----- s n i p -----

and 'pdbedit -L -v celia\$' (just for completeness):

----- s n i p -----
Unix username:        celia$
NT username:          celia$
Account Flags:        [S          ]
User SID:             S-1-5-21-1048132253-3888718238-3496884323-7010
Primary Group SID:    S-1-5-21-1048132253-3888718238-3496884323-513
Full Name:            Machine Account,,,
Home Directory:       \\celia\celia_\.profile
HomeDir Drive:        
Logon Script:         tid.bat
Profile Path:         \\celia\celia_\profile
Domain:               FREQVIST
Account desc:         
Munged dial:          
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
Password last set:    Fri, 27 Jul 2007 11:26:02 CEST
Password can change:  Fri, 27 Jul 2007 11:26:02 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password   : 0
Bad password count  : 0
----- s n i p -----

Any idea what I can do or did wrong? Is winbind supposed to work on
the same host as [sn]mbd? Is it 'just supposed to work'?

Oh, and the smb.conf is probably of some use (comments removed
and only the '[global]' section included):

----- s n i p -----
        workgroup = FREQVIST
        netbios name = CELIA
        server string = %h server (Samba %v)

        username map = /etc/samba/smbusers
        passdb backend = ldapsam:ldap://
        ldap suffix = o=FREQVIST,c=SE
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap passwd sync = Yes
        ldap admin dn = <admin dn>

        password server =
        encrypt passwords = true
        passwd program = /bin/passwd %u
        passwd chat = *new*password* %n\\n*new*password* %n\\n *changed*
        passwd chat debug = Yes
        pam password change = Yes

        winbind separator = \\
        winbind cache time = 10
        template shell = /bin/bash
        template homedir = /home/%U
        idmap uid = 10000-20000
        idmap gid = 10000-20000

        syslog = 3
        log file = /var/log/samba/samba.log
        debug pid = Yes
        debug uid = Yes
        logon script = tid.bat
        logon home = \\%N\%U\.profile

        domain master = True
        domain logons = Yes
        preferred master = True
        os level = 70
        dns proxy = No
        wins support = yes
        time server = Yes
        hosts allow = 192.168.1.

        panic action = /usr/share/samba/panic-action %d
        add machine script = /etc/samba/adduser.sh %u

        path = /home/samba/netlogin
----- s n i p -----

Just one more thing. The 'ldap machine suffix' config option...
I'd like to have all computers etc in 'ou=Computers,c=SE', but
that doesn't seem to be possible?!
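The two artefacts quoted in the post that are worth reading mechanically are the smbpasswd-format line from 'pdbedit -L -w' (username:uid:LM-hash:NT-hash:[flags]:LCT-hex-epoch:) and the samba.log entries written with 'debug pid = Yes' and 'debug uid = Yes' ([date, level, pid=N, effective(uid, gid), real(uid, gid)] file:func(line), followed by an indented message line). The script below is an added example, not code from the post or from Samba: it decodes the 'celia$' line (the LCT field 46A9BA2A is a hex Unix time, which resolves to 09:26:02 UTC, i.e. the 11:26:02 CEST "Password last set" shown by 'pdbedit -v'), runs a few sanity checks on the machine account, and pulls the creds_server_check rejections out of the log. The field layouts, the flag letters checked, and the sample inputs (copied from the post) are assumptions of this example.

```python
"""Added example (not from the original post or from Samba): decode a
'pdbedit -L -w' line and pick creds_server_check rejections out of samba.log.

Assumptions: smbpasswd field order username:uid:LM:NT:[flags]:LCT-<hex epoch>:
and the debug-pid/debug-uid log header layout shown in the post.
"""
import re
from datetime import datetime, timezone

# Hash values worth flagging when auditing a machine account (NT field only;
# the LM field is routinely X'ed out or set to the empty-string hash).
NO_PASSWORD = "X" * 32                          # smbpasswd marker: no password stored
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"   # NT hash of the empty string

# Flag letters that mark trust (machine) accounts: workstation, server, interdomain.
TRUST_FLAGS = {"W", "S", "I"}

# Constructed sample inputs: copied from the post.
SAMPLE_PDBEDIT_LINE = (
    "celia$:3005:E19AB02A48615917B24265D82887F525:"
    "2CBC29FB015E87AC0A198A0F0150811C:[S          ]:LCT-46A9BA2A:"
)
SAMPLE_LOG = """\
[2007/07/27 11:25:58, 0, pid=12169, effective(65534, 65534), real(65534, 0)] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from client CELIA machine account CELIA$
"""

LOG_HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+), pid=(?P<pid>\d+), "
    r"effective\((?P<euid>\d+), (?P<egid>\d+)\), real\((?P<ruid>\d+), (?P<rgid>\d+)\)\] "
    r"(?P<where>\S+)$"
)
CREDS_FAIL = re.compile(
    r"creds_server_check failed\. Rejecting auth request from client (?P<client>\S+) "
    r"machine account (?P<account>\S+)"
)


def parse_smbpasswd_line(line):
    """Split one 'pdbedit -L -w' line into its fields; LCT is a hex Unix time."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 6:
        raise ValueError("expected at least 6 colon-separated fields: %r" % line)
    name, uid, lm_hash, nt_hash, flag_field, lct_field = parts[:6]
    flags = set(flag_field.strip("[]").replace(" ", ""))
    m = re.fullmatch(r"LCT-([0-9A-Fa-f]{1,8})", lct_field)
    if not m:
        raise ValueError("bad LCT field: %r" % lct_field)
    lct_epoch = int(m.group(1), 16)
    return {
        "name": name,
        "uid": int(uid),
        "lm_hash": lm_hash.upper(),
        "nt_hash": nt_hash.upper(),
        "flags": flags,
        "lct_epoch": lct_epoch,
        "lct_utc": datetime.fromtimestamp(lct_epoch, tz=timezone.utc).isoformat(),
    }


def audit_account(rec):
    """Return a list of findings for one parsed record (empty list = nothing odd)."""
    findings = []
    is_machine_name = rec["name"].endswith("$")
    if not is_machine_name and rec["flags"] & TRUST_FLAGS:
        findings.append("trust-account flag on a name without trailing $")
    if is_machine_name and not rec["flags"] & TRUST_FLAGS:
        findings.append("machine-style name without W/S/I trust flag")
    if "N" in rec["flags"] or rec["nt_hash"] == NO_PASSWORD:
        findings.append("no password set")
    if rec["nt_hash"] == EMPTY_NT:
        findings.append("empty password")
    if "D" in rec["flags"]:
        findings.append("account disabled")
    return findings


def parse_samba_log(text):
    """Group samba.log lines into entries: one header dict plus its indented message."""
    entries = []
    for raw in text.splitlines():
        m = LOG_HEADER.match(raw)
        if m:
            entry = m.groupdict()
            for key in ("level", "pid", "euid", "egid", "ruid", "rgid"):
                entry[key] = int(entry[key])
            entry["message"] = ""
            entries.append(entry)
        elif entries and raw.startswith(" "):
            entries[-1]["message"] = (entries[-1]["message"] + " " + raw.strip()).strip()
    return entries


def netlogon_auth_failures(text):
    """Return the creds_server_check rejections logged by _net_auth2 in the text."""
    out = []
    for e in parse_samba_log(text):
        m = CREDS_FAIL.search(e["message"])
        if m:
            out.append({"ts": e["ts"], "pid": e["pid"], "euid": e["euid"],
                        "client": m.group("client"), "account": m.group("account"),
                        "where": e["where"]})
    return out


if __name__ == "__main__":
    rec = parse_smbpasswd_line(SAMPLE_PDBEDIT_LINE)
    print(rec["name"], sorted(rec["flags"]), rec["lct_utc"], audit_account(rec) or "no findings")
    for failure in netlogon_auth_failures(SAMPLE_LOG):
        print(failure)
```

Run against the post's own data the machine account comes back clean (trust flag present, real NT hash, password set seconds before the rejected NETLOGON request), which is consistent with the poster's point that the rejection is a credential mismatch rather than a missing or disabled account; the euid of 65534 in the header is also exposed so it can be correlated with the 'real(65534, 0)' in the log.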
