[Samba] ntlm_auth NT_STATUS_INVALID_HANDLE with windbind
walk2sun at arcor.de
Mon Oct 17 09:26:35 MDT 2011
On 09:35:16 wrote Alessandro:
> I should use an authenticated proxy with Squid, but I have a problem
> with winbind.
> I'm working on a PDC, debian squeeze with samba from backport (ver.
> 2:3.5.11~dfsg-1~bpo60+1 )
> Here the problem: I can authenticate users.
> /usr/bin/ntlm_auth --username=myname --domain=MYCOMPANY
> password: XXXX
> NT_STATUS_INVALID_HANDLE: Invalid handle (0xc0000008)
> wbinfo -a myname
> Enter myname's password: XXXX
> plaintext password authentication failed
> Could not authenticate user myname with plaintext password
> Enter myname's password: XXXX
> challenge/response password authentication failed
> error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
> error messsage was: Invalid handle
> Could not authenticate user myname with challenge/response
> With --domain argument the result is the same
> wbinfo seems to work fine with all other arguments (-u, -g, etc.. a
> strange behavior: with -m it gives two domains, "BUILTIN" and
wbinfo should show three domains:
# wbinfo -m
# net getdomainsid
SID for local machine YOUR_SERVER is: LOCAL-SID
SID for domain YOUR_DOMAIN is: DOMAIN-SID
# ldapsearch -xLLL "(&(objectclass=sambaDomain)(sambaDomainName=*))"
# wbinfo --ping-dc
As SATOH Fumiyas tells us, one SHOULD join without a running winbindd
# net rpc join -S localhost -U administrator
One are NOT joining "localhost"! One join $HOSTNAME!!
# net rpc testjoin
Join to 'YOUR_DOMAIN' is OK
# pdbedit -v $HOSTNAME$
Account Flags: [S ]
User SID: "DOMAIN-SID"-"SERVER-RID"
Primary Group SID: "DOMAIN-SID"-515
These tree settings are imortant. It MUST be a server account and the
primary group sid MUST have the RID=515
# wbinfo -a user%secret
plaintext password authentication succeeded
challenge/response password authentication succeeded
Dont forget to add the user "proxy" to the group "winbindd_priv", so
that the ntlm_auth helper from squid has enough rights.
> I found the following bug:
> I could compile samba from source applying the #7481 patch, but I'm
> not sure this is my case, because the workaround exposed at the end
> of #7481 doesn't work for me.
> Any idea?
It works for me with Samba 3.5.6 and also with 3.5.11 from backports :-)
. I use openldap as passdb backend.
You should verify these three groups:
# net sam list builtin
# net sam show administrators
BUILTIN\administrators is a Local Group with SID S-1-5-32-544
# net sam show guests
BUILTIN\guests is a Local Group with SID S-1-5-32-546
# net sam show users
BUILTIN\users is a Local Group with SID S-1-5-32-545
and verify that these groups have their default members:
# net rpc group members Administrators
# net rpc group members guests
# net rpc group members users
You must have a valid "idmap alloc setup"
and have stored the secret in secrets.tdb
; idmap Konfiguration fuer SAMBA 3.5.6 mit LDAP
idmap backend = ldap
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://127.0.0.1/
idmap alloc config : ldap_base_dn = ou=Idmap,dc=example,dc=net
idmap alloc config : ldap_user_dn = cn=admin,dc=example,dc=net
Store the idmap secret in secrets.tdb
# net idmap secret alloc <secret>
The <secret> must be the password from ldap_user_dn
If you are using ldap as passdb backend then set this:
ldapsam:editposix = yes
in smb.conf. This will prevent samba to use the smbldaptools. They
produce wrong joins! And by the way, check that the previously created
builtin groups have sambaGroupType=4. smbldaptools set this to 5, which
does not work.
If you now have set ldapsam:editposix dont forget to restart samba
now, you should join as explained earlier
Store the authuser in secrets.tdb
# net -Uroot setauthuser
will store user and passord in secrets.tdb, so that winbindd has enough
rights to work. If your administrator account has uidnumber=0, you may
use this account.
stop samba, start winbind, start samba
wait some seconds, winbindd will now create the third domain which has
the name of your PDCs hostname.
check with wbinfo
when I checked winbindd.conf with testparm, I have get some errors,
until I put an empty or comment line before the line with the include
statement :-) .
More information about the samba