[Samba] Checking the trust account password returned NT_STATUS_INVALID_HANDLE
Turbo Fredriksson
turbo at dagdrivarn.se
Fri Jul 27 09:37:05 GMT 2007
I'm trying to set up a FreeRADIUS (version 1.1.6 w/ LDAP support)
server on our new server here at home, which in turn should
authenticate against the Samba server (also on the same host - version
3.0.25) which in turn uses an OpenLDAP server (CVS version HEAD as of
20070719).
Samba works perfectly against the OL server. Authentication
etc is a-ok.
But regarding winbind, the first problem is that it won't start.
'touch'ing the file '/var/run/samba/winbindd_cache.tdb' and then
starting 'winbindd -iS -d3' works. This I can live with (at the moment),
but then running 'wbinfo -t' gives me the following problem:
----- s n i p -----
celia:~# touch /var/run/samba/winbindd_cache.tdb && winbindd -iS -d3 2>&1 | tee /tmp/z
[...]
initialize_winbindd_cache: clearing cache and re-creating with version number 1
Added domain FREQVIST S-1-5-21-1048132253-3888718238-3496884323
Added domain BUILTIN S-1-5-32
[12095]: list trusted domains
[... running wbinfo ...]
[ 0]: request interface version
[ 0]: request location of privileged pipe
[ 0]: check machine account
[12095]: check machine account
could not open handle to NETLOGON pipe
Checking the trust account password returned NT_STATUS_INVALID_HANDLE
----- s n i p -----
And wbinfo say:
----- s n i p -----
celia:/home/turbo# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
Could not check secret
----- s n i p -----
A 'net join' works (according to 'net' at least - I get an error in the
samba logs!):
----- s n i p -----
celia:/home/turbo# net join -w FREQVIST -S 127.0.0.1 -U root
Password:
Joined domain FREQVIST.
----- s n i p -----
Only running 'net join' will give me an error because of a wrong
password. MIGHT be because of the current Samba server my girlfriend
is maintaining (which is to be moved to this new server).
----- s n i p -----
celia:~# tail -f /var/log/samba/samba.log -n0
[2007/07/27 11:25:58, 0, pid=12169, effective(65534, 65534), real(65534, 0)] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
_net_auth2: creds_server_check failed. Rejecting auth request from client CELIA machine account CELIA$
----- s n i p -----
This is before I've entered the password...
The command 'pdbedit -L -w' tells me this about 'celia$':
----- s n i p -----
celia$:3005:E19AB02A48615917B24265D82887F525:2CBC29FB015E87AC0A198A0F0150811C:[S ]:LCT-46A9BA2A:
----- s n i p -----
and 'pdbedit -L -v celia\$' (just for completeness):
----- s n i p -----
Unix username: celia$
NT username: celia$
Account Flags: [S ]
User SID: S-1-5-21-1048132253-3888718238-3496884323-7010
Primary Group SID: S-1-5-21-1048132253-3888718238-3496884323-513
Full Name: Machine Account,,,
Home Directory: \\celia\celia_\.profile
HomeDir Drive:
Logon Script: tid.bat
Profile Path: \\celia\celia_\profile
Domain: FREQVIST
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 04:14:07 CET
Kickoff time: Tue, 19 Jan 2038 04:14:07 CET
Password last set: Fri, 27 Jul 2007 11:26:02 CEST
Password can change: Fri, 27 Jul 2007 11:26:02 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
----- s n i p -----
Any idea what I can do or did wrong? Is winbind supposed to work on
the same host as [sn]mbd? Is it 'just supposed to work'?
Oh, and the smb.conf is probably of some use (comments removed
and only the '[global]' section included):
----- s n i p -----
[global]
workgroup = FREQVIST
netbios name = CELIA
server string = %h server (Samba %v)
username map = /etc/samba/smbusers
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = o=FREQVIST,c=SE
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap passwd sync = Yes
ldap admin dn = <admin dn>
password server = 127.0.0.1
encrypt passwords = true
passwd program = /bin/passwd %u
passwd chat = *new*password* %n\\n*new*password* %n\\n *changed*
passwd chat debug = Yes
pam password change = Yes
winbind separator = \\
winbind cache time = 10
template shell = /bin/bash
template homedir = /home/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
syslog = 3
log file = /var/log/samba/samba.log
debug pid = Yes
debug uid = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY IPTOS_THROUGHPUT
logon script = tid.bat
logon home = \\%N\%U\.profile
domain master = True
domain logons = Yes
preferred master = True
os level = 70
dns proxy = No
wins support = yes
time server = Yes
hosts allow = 192.168.1.
panic action = /usr/share/samba/panic-action %d
add machine script = /etc/samba/adduser.sh %u
[netlogon]
path = /home/samba/netlogin
----- s n i p -----
Just one more thing. The 'ldap machine suffix' config option...
I'd like to have all computers etc. in 'ou=Computers,c=SE', but
that doesn't seem to be possible?!
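Editor's note on what the log lines above actually say, with an added example (not code from the post or from Samba). The NETLOGON ServerAuthenticate2 exchange that winbindd performs when it checks the trust secret derives the session credentials from the machine account's NT hash on both sides: winbindd uses the machine password it keeps in secrets.tdb, and the DC (here, the same smbd, reading ldapsam) uses the sambaNTPassword hash of 'celia$'. If the two disagree, creds_server_check fails on the server side, winbindd never gets an authenticated NETLOGON handle, and the later trust-account check surfaces as NT_STATUS_INVALID_HANDLE. So the practical question is whether the password winbindd holds matches the hash in the passdb. The script below implements that offline comparison: it parses the 'pdbedit -L -w' record from the post, decodes its LCT timestamp, and compares the stored NT hash against the NT hash (MD4 over the UTF-16LE password) of a candidate password. The candidate 'password' and the 'testbox$' record are constructed placeholders for demonstration; the real machine secret is not known and nothing here recovers it. MD4 is implemented in pure Python because OpenSSL 3 builds of hashlib typically refuse md4 as a legacy algorithm.

```python
import struct
from datetime import datetime, timezone

MASK32 = 0xFFFFFFFF

# Record copied from the post ('pdbedit -L -w' smbpasswd format):
# name:uid:LM-hash:NT-hash:[flags]:LCT-<hex epoch>:
POSTED_LINE = "celia$:3005:E19AB02A48615917B24265D82887F525:2CBC29FB015E87AC0A198A0F0150811C:[S ]:LCT-46A9BA2A:"
# Constructed record (not from the post) whose NT hash is that of the
# placeholder password "password"; 'X'*32 is what pdbedit prints for no LM hash.
CONSTRUCTED_LINE = "testbox$:3006:" + "X" * 32 + ":8846F7EAEE8FB117AD06BDD830B7586C:[W ]:LCT-46A9BA2A:"

# smbpasswd account-flag letters as Samba documents them
FLAG_MEANING = {"U": "user", "W": "workstation trust", "S": "server trust",
                "I": "interdomain trust", "D": "disabled", "N": "no password",
                "X": "password never expires"}


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); correct for any input length."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                          # padding: 1 bit, zeros to 56 mod 64
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)         # 64-bit little-endian bit length

    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z

    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                   # round 1: F, words in order
            a = _rotl((a + F(b, c, d) + X[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                   # round 2: G, words 0,4,8,12,1,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                   # round 3: H, bit-reversed word order
            a = _rotl((a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), upper-case hex as pdbedit prints it."""
    return md4(password.encode("utf-16le")).hex().upper()


def parse_pdbedit_line(line: str) -> dict:
    """Parse one 'pdbedit -L -w' record into its fields; LCT is a hex Unix time."""
    name, uid, lm, nt, flags, lct = line.split(":")[:6]
    if not lct.startswith("LCT-"):
        raise ValueError("missing LCT field: %r" % lct)
    flag_chars = flags.strip("[]").replace(" ", "")
    trust = [FLAG_MEANING[f] for f in flag_chars if f in ("W", "S", "I")]
    return {
        "name": name,
        "uid": int(uid),
        "lm_hash": lm.upper(),
        "nt_hash": nt.upper(),
        "flags": flag_chars,
        "account_type": trust[0] if trust else "user",
        "last_set": datetime.fromtimestamp(int(lct[4:], 16), tz=timezone.utc),
    }


def check_machine_account(line: str, candidate_password: str) -> dict:
    """Report whether the passdb NT hash matches the candidate machine password."""
    rec = parse_pdbedit_line(line)
    rec["matches"] = nt_hash(candidate_password) == rec["nt_hash"]
    return rec


if __name__ == "__main__":
    for line in (POSTED_LINE, CONSTRUCTED_LINE):
        r = check_machine_account(line, "password")   # placeholder candidate
        print("%-10s %-18s last set %s  matches candidate: %s"
              % (r["name"], r["account_type"], r["last_set"].isoformat(), r["matches"]))
```

On the live host the online equivalents are 'net rpc testjoin' and 'wbinfo -t', which exercise the same NETLOGON path the log shows failing; the offline check is useful when you have a suspected machine password (for example from a secrets.tdb dump) and want to know whether it matches the passdb entry. Note that the decoded LCT of the posted record, 2007-07-27 09:26:02 UTC, is the 'Password last set: Fri, 27 Jul 2007 11:26:02 CEST' shown by 'pdbedit -L -v', i.e. the moment 'net join' reset the account, a few seconds after the rejected auth2 at 11:25:58 in the log.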