[Samba] NT_STATUS_INVALID_HANDLE with wbinfo -a

Devon Crouse devoncrouse at gmail.com
Tue Aug 17 10:58:12 MDT 2010 

I've been stuck on this one for days and can't seem to find anything
referencing the same problem; help would be greatly appreciated.  I have a
functioning Samba 3.5.4-63 installation acting as a PDC - users can log in
from Windows 7 machines without problems etc. etc.

 

The issue is with using wbinfo -a to authenticate users (without going into
too much detail, I'm trying to use the ntlm_auth helper for Squid, and I
think this error might be the best indication I've found as to why that
isn't working.)  wbinfo -u/-g both return the correct lists of users/groups
as winbind is up and running, but I can't get it to authorize any of them:

 

[root at domain.com - ~]# wbinfo -a DOMAIN+user%password

plaintext password authentication failed

Could not authenticate user DOMAIN+user%password with plaintext password

challenge/response password authentication failed

error code was NT_STATUS_INVALID_HANDLE (0xc0000008)

error messsage was: Invalid handle

Could not authenticate user DOMAIN+user with challenge/response

 

Perhaps this is just an error in usage, but I have also tried many other
variations (e.g. just user%password, DOMAIN+user - typing password when
prompted, etc.)  If I use WRONGDOMAIN+user the error does change to
NT_STATUS_NO_SUCH_USER, but DOMAIN+wronguser still gives INVALID_HANDLE.
The only log entries that seem to correlate to these attempts are in
/var/log/log.wb-DOMAIN:

 

[2010/08/17 10:52:48.288391,  2]
winbindd/winbindd_pam.c:1724(winbindd_dual_pam_auth)

  Plain-text authentication for user DOMAIN+user returned
NT_STATUS_INVALID_HANDLE (PAM: 4)

[2010/08/17 10:52:55.887613,  2]
winbindd/winbindd_pam.c:2003(winbindd_dual_pam_auth_crap)

  NTLM CRAP authentication for user [DOMAIN]\[user] returned
NT_STATUS_INVALID_HANDLE (PAM: 4)

 

I'll include the global section of my smb.conf; please let me know if there
is any more relevant information I can provide.

 

[global]

        workgroup = domain

        server string = domain

        netbios name = domain

        bind interfaces only = yes

        interfaces = eth1 lo

        smb ports = 139

        os level = 35

        domain master = yes

        preferred master = yes

        domain logons = yes

        wins support = yes

        dns proxy = yes

        idmap uid = 15000-20000

        idmap gid = 15000-20000

        winbind separator = +

        winbind enum users = yes

        winbind enum groups = yes

        winbind use default domain = yes

 

# Security

        security = user

        hosts allow = 10.10.10. 127.

        hide dot files = yes

        unix password sync = yes

        encrypt passwords = yes

        passwd program = /usr/bin/passwd %u

        passdb backend = tdbsam

 

# Directories

        logon path = \\%L\profiles\%U

        logon drive = Z:

        logon home = \\%L\%U

        logon script = logon.bat

 

# Scripts

        add user script = /usr/sbin/useradd -m %u

        delete user script = /usr/sbin/userdel -r %u

        add group script = /usr/sbin/groupadd %g

        delete group script = /usr/sbin/groupdel %g

        add user to group script = /usr/sbin/usermod -G %g %u

        add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g
users %u

More information about the samba mailing list