[Samba] ntlm_auth NT_STATUS_INVALID_HANDLE with windbind

Alessandro dedalus2000 at gmail.com
Tue Oct 18 11:55:27 MDT 2011


Thank you very much for your answer; a very detailed answer!
I hope you will find few more minutes to clarify the things I didn't 
understand...  particularly the Fumiyas law :-)


> wbinfo should show three domains:
> # wbinfo -m
> BUILTIN
> YOUR_DOMAIN
> YOUR_SERVER
In my case "MY_SERVER" is missing.

> # net getdomainsid
> SID for local machine YOUR_SERVER is: LOCAL-SID
> SID for domain YOUR_DOMAIN is: DOMAIN-SID
Ok.
In my case local and domain SIDs are the same.


> # ldapsearch -xLLL "(&(objectclass=sambaDomain)(sambaDomainName=*))"
I don't use ldap, but the simple tdbsam.
I'm trying to switch to openldap, but I'm in trouble as far as I can't 
find a working guide.
As you can confirm later, for example, smbldaptools has some "bugs" but 
I have never read about them.



> and finally
> # wbinfo --ping-dc
> MUST succeed
Ok, it succeeds.


> As SATOH Fumiyas tells us, one SHOULD join without a running winbindd
> Daemon.
> # net rpc join -S localhost -U administrator
>
> One is NOT joining "localhost"! One joins $HOSTNAME!!
Sorry, I don't understand..


> Verify with
> # net rpc testjoin
> Join to 'YOUR_DOMAIN' is OK
..but this works :-)


> and
> # pdbedit -v $HOSTNAME$
> Account Flags:        [S          ]
> User SID:             "DOMAIN-SID"-"SERVER-RID"
> Primary Group SID:    "DOMAIN-SID"-515
Ok, but I have a problem: the PG-SID ends with 3007
Primary Group SID:    "DOMAIN-SID"-3007

All our machines have this issue.. because
#> net groupmap list|grep 3007
Domain Computers ("DOMAIN-SID"-3007) -> msmachines

I don't know why.. I remember it was 515.. I'm confused, it's very 
strange. How can I have changed it? Many other SIDs end in 30xx.

I don't know if this can cause the following problem.


> # wbinfo -a user%secret
> plaintext password authentication succeeded
> challenge/response password authentication succeeded

and this fails



> It works for me with Samba 3.5.6 and also with 3.5.11 from backports :-)
Perfect, so I'm sure I can make it work :-)
Are you using the winbindd.conf workaround?



> Step-by-step guide
>
> You should verify these three groups:
> # net sam list builtin
> administrators
> guests
> users
For me "guest" is missing

> # net sam show administrators
> BUILTIN\administrators is a Local Group with SID S-1-5-32-544
> # net sam show guests
> BUILTIN\guests is a Local Group with SID S-1-5-32-546
> # net sam show users
> BUILTIN\users is a Local Group with SID S-1-5-32-545
Finally a perfect result! :-)


> and verify that these groups have their default members:
> # net rpc group members Administrators
> YOUR_DOMAIN\Domain Admins
> # net rpc group members guests
> YOUR_DOMAIN\Domain Guests
> # net rpc group members users
> YOUR_DOMAIN\Domain Users
Strange, it asks me for root's password, but:

Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE


> You must have a valid "idmap alloc setup"
> and have stored the secret in secrets.tdb
> smb.conf:
I hope "idmap secret" refers to a ldpap password.


> will store user and password in secrets.tdb, so that winbindd has enough
> rights to work. If your administrator account has uidnumber=0, you may
> use this account.
>
>
> stop samba, start winbind, start samba
> wait some seconds, winbindd will now create the third domain which has
> the name of your PDCs hostname.

I lost myself.. because I can't distinguish the LDAP from the tdbsam 
operations.
In my case, with tdbsam, does winbind need to find a password in secrets.tdb?


> HINT
> when I checked winbindd.conf with testparm, I got some errors,
> until I put an empty or comment line before the line with the include
> statement :-) .
Here it doesn't need it :-)


I will try to find out how it is possible to have a SID ending in 3007, but I'm 
sure I have some problem in the tdbsam database, as far as I can't delete 
some machine accounts.
Probably it would be better to solve this problem before all others 
("tdbbackup -s" should be enough.. ).

Alessandro
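The checks discussed in this thread (the third domain in `wbinfo -m`, the machine account's Primary Group SID being Domain Computers, RID 515, rather than a mapped group RID such as 3007, and the well-known BUILTIN group SIDs) are easy to get wrong by eye. The script below is an added example, not code from the thread or from Samba: each function takes the captured output of one diagnostic command as a string and returns non-zero with a reason when it does not look right, so it can be fed real output (`wbinfo_domains_ok "$(wbinfo -m)" MY_DOMAIN MY_SERVER`) or the constructed samples embedded here. The domain name, server name and SID values are placeholders; the second `pdbedit` sample reproduces the 3007 case from the message above.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): offline checks over the
# captured output of wbinfo -m, pdbedit -v HOST$ and net sam show NAME.
# Output formats are assumed to match the ones quoted in the thread.

# wbinfo_domains_ok OUTPUT DOMAIN SERVER
# 0 when `wbinfo -m` lists BUILTIN, the domain and the server's own name
# (the "third domain" winbindd creates once the join is complete).
wbinfo_domains_ok() {
    out=$1; domain=$2; server=$3
    for want in BUILTIN "$domain" "$server"; do
        if ! printf '%s\n' "$out" | grep -Fqx -- "$want"; then
            echo "wbinfo -m: domain '$want' is missing" >&2
            return 1
        fi
    done
    return 0
}

# machine_pgsid_ok OUTPUT DOMAIN_SID
# 0 when `pdbedit -v HOST$` shows the S (workstation trust) account flag and a
# Primary Group SID of DOMAIN_SID-515, the well-known RID of Domain Computers.
machine_pgsid_ok() {
    out=$1; dsid=$2
    if ! printf '%s\n' "$out" | grep -q '^Account Flags: *\[S'; then
        echo "pdbedit: account is not flagged as a workstation trust account" >&2
        return 1
    fi
    pg=$(printf '%s\n' "$out" | sed -n 's/^Primary Group SID: *//p')
    if [ "$pg" != "$dsid-515" ]; then
        echo "pdbedit: Primary Group SID is '$pg', expected '$dsid-515'" >&2
        return 1
    fi
    return 0
}

# builtin_sid_ok OUTPUT NAME RID
# 0 when `net sam show NAME` reports BUILTIN\NAME with SID S-1-5-32-RID
# (administrators=544, users=545, guests=546).
builtin_sid_ok() {
    printf '%s\n' "$1" | grep -q "^BUILTIN\\\\$2 is a Local Group with SID S-1-5-32-$3\$"
}

# ---- constructed sample outputs (placeholder names and SIDs) ----
DSID='S-1-5-21-1111111111-2222222222-3333333333'

WBINFO_GOOD='BUILTIN
MY_DOMAIN
MY_SERVER'
WBINFO_BAD='BUILTIN
MY_DOMAIN'

PDBEDIT_GOOD="Account Flags:        [S          ]
User SID:             $DSID-1001
Primary Group SID:    $DSID-515"
PDBEDIT_BAD="Account Flags:        [S          ]
User SID:             $DSID-1001
Primary Group SID:    $DSID-3007"

SAM_ADMINS='BUILTIN\administrators is a Local Group with SID S-1-5-32-544'

# ---- run the checks over the samples ----
wbinfo_domains_ok "$WBINFO_GOOD" MY_DOMAIN MY_SERVER && echo "wbinfo sample 1: ok"
wbinfo_domains_ok "$WBINFO_BAD"  MY_DOMAIN MY_SERVER || echo "wbinfo sample 2: FAIL (server domain missing)"
machine_pgsid_ok "$PDBEDIT_GOOD" "$DSID" && echo "pdbedit sample 1: ok"
machine_pgsid_ok "$PDBEDIT_BAD"  "$DSID" || echo "pdbedit sample 2: FAIL (RID 3007 instead of 515)"
builtin_sid_ok "$SAM_ADMINS" administrators 544 && echo "net sam show administrators: ok"
```

The functions only read command output, so they can be run on a live PDC without changing anything; a failing `machine_pgsid_ok` points at the group mapping (`net groupmap list`) rather than at winbindd itself.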

