[Samba] NT_STATUS_INVALID_HANDLE with wbinfo -a

Devon Crouse devoncrouse at gmail.com
Tue Aug 17 10:58:12 MDT 2010

I've been stuck on this one for days and can't seem to find anything
referencing the same problem; help would be greatly appreciated.  I have a
functioning Samba 3.5.4-63 installation acting as a PDC - users can log in
from Windows 7 machines without problems etc. etc.


The issue is with using wbinfo -a to authenticate users (without going into
too much detail, I'm trying to use the ntlm_auth helper for Squid, and I
think this error might be the best indication I've found as to why that
isn't working.)  wbinfo -u/-g both return the correct lists of users/groups
as winbind is up and running, but I can't get it to authorize any of them:


[root at domain.com - ~]# wbinfo -a DOMAIN+user%password

plaintext password authentication failed

Could not authenticate user DOMAIN+user%password with plaintext password

challenge/response password authentication failed

error code was NT_STATUS_INVALID_HANDLE (0xc0000008)

error messsage was: Invalid handle

Could not authenticate user DOMAIN+user with challenge/response


Perhaps this is just an error in usage, but I have also tried many other
variations (e.g. just user%password, DOMAIN+user - typing password when
prompted, etc.)  If I use WRONGDOMAIN+user the error does change to
The only log entries that seem to correlate to these attempts are in


[2010/08/17 10:52:48.288391,  2]

  Plain-text authentication for user DOMAIN+user returned

[2010/08/17 10:52:55.887613,  2]

  NTLM CRAP authentication for user [DOMAIN]\[user] returned


I'll include the global section of my smb.conf; please let me know if there
is any more relevant information I can provide.



        workgroup = domain

        server string = domain

        netbios name = domain

        bind interfaces only = yes

        interfaces = eth1 lo

        smb ports = 139

        os level = 35

        domain master = yes

        preferred master = yes

        domain logons = yes

        wins support = yes

        dns proxy = yes

        idmap uid = 15000-20000

        idmap gid = 15000-20000

        winbind separator = +

        winbind enum users = yes

        winbind enum groups = yes

        winbind use default domain = yes


# Security

        security = user

        hosts allow = 10.10.10. 127.

        hide dot files = yes

        unix password sync = yes

        encrypt passwords = yes

        passwd program = /usr/bin/passwd %u

        passdb backend = tdbsam


# Directories

        logon path = \\%L\profiles\%U

        logon drive = Z:

        logon home = \\%L\%U

        logon script = logon.bat


# Scripts

        add user script = /usr/sbin/useradd -m %u

        delete user script = /usr/sbin/userdel -r %u

        add group script = /usr/sbin/groupadd %g

        delete group script = /usr/sbin/groupdel %g

        add user to group script = /usr/sbin/usermod -G %g %u

        add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g
users %u

More information about the samba mailing list