[Samba] ntlm_auth NT_STATUS_INVALID_HANDLE with windbind

Harry Jede walk2sun at arcor.de
Mon Oct 17 09:26:35 MDT 2011

On 09:35:16 Alessandro wrote:
> I should use an authenticated proxy with Squid, but I have a problem
> with winbind.
> I'm working on a PDC, debian squeeze with samba from backport (ver.
> 2:3.5.11~dfsg-1~bpo60+1 )
> Here the problem: I can authenticate users.
> /usr/bin/ntlm_auth --username=myname --domain=MYCOMPANY
> password: XXXX
> NT_STATUS_INVALID_HANDLE: Invalid handle (0xc0000008)
> wbinfo -a myname
> Enter myname's password: XXXX
> plaintext password authentication failed
> Could not authenticate user myname with plaintext password
> Enter myname's password: XXXX
> challenge/response password authentication failed
> error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
> error messsage was: Invalid handle
> Could not authenticate user myname with challenge/response
> With --domain argument the result is the same
> wbinfo seems to work fine with all other arguments (-u, -g, etc.. a
> strange behavior: with -m it gives two domains, "BUILTIN" and

wbinfo should show three domains:
# wbinfo -m

# net getdomainsid
SID for local machine YOUR_SERVER is: LOCAL-SID

# ldapsearch -xLLL "(&(objectclass=sambaDomain)(sambaDomainName=*))" 
dn: sambaDomainName=YOUR_DOMAIN,dc=example,dc=net

dn: sambaDomainName=YOUR_SERVER,dc=example,dc=net

and finally 
# wbinfo --ping-dc
MUST succeed

As SATOH Fumiyas tells us, one SHOULD join without a running winbindd 
# net rpc join -S localhost -U administrator

One is NOT joining "localhost"! One joins $HOSTNAME!!

Verify with 
# net rpc testjoin
Join to 'YOUR_DOMAIN' is OK

# pdbedit -v $HOSTNAME$
Account Flags:        [S          ]
User SID:             "DOMAIN-SID"-"SERVER-RID"
Primary Group SID:    "DOMAIN-SID"-515

These three settings are important. It MUST be a server account and the 
primary group sid MUST have the RID=515

# wbinfo -a user%secret
plaintext password authentication succeeded
challenge/response password authentication succeeded

Don't forget to add the user "proxy" to the group "winbindd_priv", so 
that the ntlm_auth helper from squid has enough rights.

> I found the following bug:
> https://bugzilla.samba.org/show_bug.cgi?id=7481
> http://osdir.com/ml/debian-bugs-dist/2011-02/msg00966.html
> http://osdir.com/ml/debian-bugs-dist/2011-02/msg09069.html
> I could compile samba from source applying the #7481 patch, but I'm
> not sure this is my case, because the workaround exposed at the end
> of #7481 doesn't work for me.
> Any idea?
It works for me with Samba 3.5.6 and also with 3.5.11 from backports :-). 
I use openldap as passdb backend.

Step-by-step guide

You should verify these three groups:
# net sam list builtin

# net sam show administrators
BUILTIN\administrators is a Local Group with SID S-1-5-32-544
# net sam show guests
BUILTIN\guests is a Local Group with SID S-1-5-32-546
# net sam show users
BUILTIN\users is a Local Group with SID S-1-5-32-545

and verify that these groups have their default members:
# net rpc group members Administrators
YOUR_DOMAIN\Domain Admins
# net rpc group members guests
YOUR_DOMAIN\Domain Guests
# net rpc group members users
YOUR_DOMAIN\Domain Users

You must have a valid "idmap alloc setup"
and have stored the secret in secrets.tdb

; idmap configuration for SAMBA 3.5.6 with LDAP
idmap backend           = ldap
idmap uid               = 1000000-1999999
idmap gid               = 1000000-1999999
idmap alloc backend     = ldap
idmap alloc config : ldap_url           = ldap://
idmap alloc config : ldap_base_dn       = ou=Idmap,dc=example,dc=net
idmap alloc config : ldap_user_dn       = cn=admin,dc=example,dc=net

Store the idmap secret in secrets.tdb
# net idmap secret alloc <secret>
The <secret> must be the password from ldap_user_dn

If you are using ldap as passdb backend then set this:

	ldapsam:editposix	= yes

in smb.conf. This will prevent samba from using the smbldaptools. They 
produce wrong joins! And by the way, check that the previously created 
builtin groups have sambaGroupType=4. smbldaptools set this to 5, which 
does not work.
If you now have set ldapsam:editposix, don't forget to restart samba.

Now you should join as explained earlier.

Store the authuser in secrets.tdb
# net -Uroot setauthuser

will store user and password in secrets.tdb, so that winbindd has enough 
rights to work. If your administrator account has uidnumber=0, you may 
use this account.

Stop samba, start winbind, start samba.
Wait some seconds; winbindd will now create the third domain, which has 
the name of your PDC's hostname.

Check with wbinfo.

When I checked winbindd.conf with testparm, I got some errors, 
until I put an empty or comment line before the line with the include 
statement :-) .

> Thanks
> Alessandro


	Harry Jede
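
A check for the `pdbedit -v` conditions described in the message above, as an added example that is not part of the original post or of Samba. The function name `check_machine_account` and the sample account data are constructed, and reading "User SID and Primary Group SID share one domain SID" as the third setting is an assumption based on the output shown.

```shell
#!/bin/sh
# Added example, not from the original message.
# Reads `pdbedit -v` output for the PDC machine account on stdin and checks
# the settings named in the message. Returns 0 only if all checks pass.
check_machine_account() {
    awk -F': *' '
        /^Account Flags:/     { flags = $2 }
        /^User SID:/          { usid  = $2 }
        /^Primary Group SID:/ { gsid  = $2 }
        END {
            sub(/[ \t\r]+$/, "", usid); sub(/[ \t\r]+$/, "", gsid)
            bad = 0
            # 1. Server account: flag letter S inside the brackets.
            if (index(flags, "S") == 0) {
                print "FAIL: Account Flags lack S (server account): " flags; bad = 1
            }
            # 2. Primary group RID must be 515.
            n = split(gsid, part, "-")
            if (n < 2 || part[n] != "515") {
                print "FAIL: Primary Group SID does not end in RID 515: " gsid; bad = 1
            }
            # 3. Assumption: User SID sits in the same domain SID as the group.
            udom = usid; sub(/-[0-9]+$/, "", udom)
            gdom = gsid; sub(/-[0-9]+$/, "", gdom)
            if (udom == "" || udom != gdom) {
                print "FAIL: User SID and Primary Group SID domain parts differ"; bad = 1
            }
            if (!bad) print "OK: server account, RID 515, SIDs share " gdom
            exit bad
        }'
}

# Constructed sample output (hypothetical host pdc01, made-up SIDs).
SAMPLE_OK='Unix username:        pdc01$
Account Flags:        [S          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1005
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-515'

SAMPLE_BAD='Unix username:        pdc01$
Account Flags:        [W          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1005
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-513'

# Real use on the PDC: pdbedit -v "${HOSTNAME}\$" | check_machine_account
printf '%s\n' "$SAMPLE_OK"  | check_machine_account
printf '%s\n' "$SAMPLE_BAD" | check_machine_account || true
```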
