[Samba] NT_STATUS_INVALID_HANDLE with wbinfo -a
Roel van Meer
rolek at bokxing.nl
Thu Aug 19 03:04:49 MDT 2010
Devon Crouse writes:
> I've been stuck on this one for days and can't seem to find anything
> referencing the same problem; help would be greatly appreciated. I have a
> functioning Samba 3.5.4-63 installation acting as a PDC - users can log in
> from Windows 7 machines without problems etc. etc.
>
>
>
> The issue is with using wbinfo -a to authenticate users (without going into
> too much detail, I'm trying to use the ntlm_auth helper for Squid, and I
> think this error might be the best indication I've found as to why that
> isn't working.) wbinfo -u/-g both return the correct lists of users/groups
> as winbind is up and running, but I can't get it to authorize any of them:
Well, you're CC'd in this bug report:
https://bugzilla.samba.org/show_bug.cgi?id=7481
I think it is the same problem..
I've tried to make it work with 3.5.x and haven't succeeded, but 3.4.x works
like a charm. The bug report has a patch that fixes the problem for me
(though I can't guarantee that it's the proper solution).
I'd say you have two options: downgrade to 3.4.8 or see if the patch works
for you. Hopefully the bug will get fixed soon.
I haven't tested the 3.6.0pre1 yet, but I've planned to do that soon.
Regards,
roel
>
>
>
> [root at domain.com - ~]# wbinfo -a DOMAIN+user%password
>
> plaintext password authentication failed
>
> Could not authenticate user DOMAIN+user%password with plaintext password
>
> challenge/response password authentication failed
>
> error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
>
> error messsage was: Invalid handle
>
> Could not authenticate user DOMAIN+user with challenge/response
>
>
>
> Perhaps this is just an error in usage, but I have also tried many other
> variations (e.g. just user%password, DOMAIN+user - typing password when
> prompted, etc.) If I use WRONGDOMAIN+user the error does change to
> NT_STATUS_NO_SUCH_USER, but DOMAIN+wronguser still gives INVALID_HANDLE.
> The only log entries that seem to correlate to these attempts are in
> /var/log/log.wb-DOMAIN:
>
>
>
> [2010/08/17 10:52:48.288391, 2]
> winbindd/winbindd_pam.c:1724(winbindd_dual_pam_auth)
>
> Plain-text authentication for user DOMAIN+user returned
> NT_STATUS_INVALID_HANDLE (PAM: 4)
>
> [2010/08/17 10:52:55.887613, 2]
> winbindd/winbindd_pam.c:2003(winbindd_dual_pam_auth_crap)
>
> NTLM CRAP authentication for user [DOMAIN]\[user] returned
> NT_STATUS_INVALID_HANDLE (PAM: 4)
>
>
>
> I'll include the global section of my smb.conf; please let me know if there
> is any more relevant information I can provide.
>
>
>
> [global]
>
> workgroup = domain
>
> server string = domain
>
> netbios name = domain
>
> bind interfaces only = yes
>
> interfaces = eth1 lo
>
> smb ports = 139
>
> os level = 35
>
> domain master = yes
>
> preferred master = yes
>
> domain logons = yes
>
> wins support = yes
>
> dns proxy = yes
>
> idmap uid = 15000-20000
>
> idmap gid = 15000-20000
>
> winbind separator = +
>
> winbind enum users = yes
>
> winbind enum groups = yes
>
> winbind use default domain = yes
>
>
>
> # Security
>
> security = user
>
> hosts allow = 10.10.10. 127.
>
> hide dot files = yes
>
> unix password sync = yes
>
> encrypt passwords = yes
>
> passwd program = /usr/bin/passwd %u
>
> passdb backend = tdbsam
>
>
>
> # Directories
>
> logon path = \\%L\profiles\%U
>
> logon drive = Z:
>
> logon home = \\%L\%U
>
> logon script = logon.bat
>
>
>
> # Scripts
>
> add user script = /usr/sbin/useradd -m %u
>
> delete user script = /usr/sbin/userdel -r %u
>
> add group script = /usr/sbin/groupadd %g
>
> delete group script = /usr/sbin/groupdel %g
>
> add user to group script = /usr/sbin/usermod -G %g %u
>
> add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g
> users %u
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list