[Samba] NT_STATUS_INVALID_HANDLE with wbinfo -a
Devon Crouse
devoncrouse at gmail.com
Tue Aug 17 10:58:12 MDT 2010
I've been stuck on this one for days and can't seem to find anything
referencing the same problem; help would be greatly appreciated. I have a
functioning Samba 3.5.4-63 installation acting as a PDC - users can log in
from Windows 7 machines without problems etc. etc.
The issue is with using wbinfo -a to authenticate users (without going into
too much detail, I'm trying to use the ntlm_auth helper for Squid, and I
think this error might be the best indication I've found as to why that
isn't working.) wbinfo -u/-g both return the correct lists of users/groups
as winbind is up and running, but I can't get it to authorize any of them:
[root at domain.com - ~]# wbinfo -a DOMAIN+user%password
plaintext password authentication failed
Could not authenticate user DOMAIN+user%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
error messsage was: Invalid handle
Could not authenticate user DOMAIN+user with challenge/response
Perhaps this is just an error in usage, but I have also tried many other
variations (e.g. just user%password, DOMAIN+user - typing password when
prompted, etc.) If I use WRONGDOMAIN+user the error does change to
NT_STATUS_NO_SUCH_USER, but DOMAIN+wronguser still gives INVALID_HANDLE.
The only log entries that seem to correlate to these attempts are in
/var/log/log.wb-DOMAIN:
[2010/08/17 10:52:48.288391, 2]
winbindd/winbindd_pam.c:1724(winbindd_dual_pam_auth)
Plain-text authentication for user DOMAIN+user returned
NT_STATUS_INVALID_HANDLE (PAM: 4)
[2010/08/17 10:52:55.887613, 2]
winbindd/winbindd_pam.c:2003(winbindd_dual_pam_auth_crap)
NTLM CRAP authentication for user [DOMAIN]\[user] returned
NT_STATUS_INVALID_HANDLE (PAM: 4)
I'll include the global section of my smb.conf; please let me know if there
is any more relevant information I can provide.
[global]
workgroup = domain
server string = domain
netbios name = domain
bind interfaces only = yes
interfaces = eth1 lo
smb ports = 139
os level = 35
domain master = yes
preferred master = yes
domain logons = yes
wins support = yes
dns proxy = yes
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
# Security
security = user
hosts allow = 10.10.10. 127.
hide dot files = yes
unix password sync = yes
encrypt passwords = yes
passwd program = /usr/bin/passwd %u
passdb backend = tdbsam
# Directories
logon path = \\%L\profiles\%U
logon drive = Z:
logon home = \\%L\%U
logon script = logon.bat
# Scripts
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g
users %u
More information about the samba
mailing list