NT_STATUS_INVALID_HANDLE with wbinfo -a

NT_STATUS_INVALID_HANDLE with wbinfo -a

Devon Crouse
I've been stuck on this one for days and can't seem to find anything
referencing the same problem; help would be greatly appreciated.  I have a
functioning Samba 3.5.4-63 installation acting as a PDC - users can log in
from Windows 7 machines without problems etc. etc.

The issue is with using wbinfo -a to authenticate users (without going into
too much detail, I'm trying to use the ntlm_auth helper for Squid, and I
think this error might be the best indication I've found as to why that
isn't working.)  wbinfo -u/-g both return the correct lists of users/groups
as winbind is up and running, but I can't get it to authorize any of them:

[[hidden email] - ~]# wbinfo -a DOMAIN+user%password
plaintext password authentication failed
Could not authenticate user DOMAIN+user%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
error messsage was: Invalid handle
Could not authenticate user DOMAIN+user with challenge/response

Perhaps this is just an error in usage, but I have also tried many other
variations (e.g. just user%password, DOMAIN+user - typing password when
prompted, etc.)  If I use WRONGDOMAIN+user the error does change to
NT_STATUS_NO_SUCH_USER, but DOMAIN+wronguser still gives INVALID_HANDLE.
The only log entries that seem to correlate to these attempts are in
/var/log/log.wb-DOMAIN:

[2010/08/17 10:52:48.288391,  2] winbindd/winbindd_pam.c:1724(winbindd_dual_pam_auth)
  Plain-text authentication for user DOMAIN+user returned NT_STATUS_INVALID_HANDLE (PAM: 4)
[2010/08/17 10:52:55.887613,  2] winbindd/winbindd_pam.c:2003(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [DOMAIN]\[user] returned NT_STATUS_INVALID_HANDLE (PAM: 4)

I'll include the global section of my smb.conf; please let me know if there
is any more relevant information I can provide.

[global]
        workgroup = domain
        server string = domain
        netbios name = domain
        bind interfaces only = yes
        interfaces = eth1 lo
        smb ports = 139
        os level = 35
        domain master = yes
        preferred master = yes
        domain logons = yes
        wins support = yes
        dns proxy = yes
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes

# Security
        security = user
        hosts allow = 10.10.10. 127.
        hide dot files = yes
        unix password sync = yes
        encrypt passwords = yes
        passwd program = /usr/bin/passwd %u
        passdb backend = tdbsam

# Directories
        logon path = \\%L\profiles\%U
        logon drive = Z:
        logon home = \\%L\%U
        logon script = logon.bat

# Scripts
        add user script = /usr/sbin/useradd -m %u
        delete user script = /usr/sbin/userdel -r %u
        add group script = /usr/sbin/groupadd %g
        delete group script = /usr/sbin/groupdel %g
        add user to group script = /usr/sbin/usermod -G %g %u
        add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g users %u

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
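
Added example (not part of the original post and not Samba code): a small parser for the log.wb-DOMAIN entries quoted above that groups authentication results by NT status, so that credential errors can be told apart from a status such as NT_STATUS_INVALID_HANDLE that comes back for every user. The function names, the CREDENTIAL_STATUSES set and the third log entry are assumptions of this example.

```python
import re
from collections import Counter

# Sample input: the first entry is wrapped the way the mail shows it, the other
# two use winbindd's two-line layout. The third entry is constructed.
SAMPLE_LOG = """\
[2010/08/17 10:52:48.288391,  2]
winbindd/winbindd_pam.c:1724(winbindd_dual_pam_auth)
  Plain-text authentication for user DOMAIN+user returned
NT_STATUS_INVALID_HANDLE (PAM: 4)
[2010/08/17 10:52:55.887613,  2] winbindd/winbindd_pam.c:2003(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [DOMAIN]\\[user] returned NT_STATUS_INVALID_HANDLE (PAM: 4)
[2010/08/17 10:53:10.000000,  2] winbindd/winbindd_pam.c:2003(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [DOMAIN]\\[wronguser] returned NT_STATUS_INVALID_HANDLE (PAM: 4)
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*\d+\]")
RESULT = re.compile(r"(Plain-text|NTLM CRAP) authentication for user (\S+) "
                    r"returned (NT_STATUS_\w+) \(PAM: (\d+)\)")
# Assumption of this example: these statuses describe the credentials supplied;
# any other failure status is flagged as a possible server-side fault.
CREDENTIAL_STATUSES = {"NT_STATUS_WRONG_PASSWORD", "NT_STATUS_NO_SUCH_USER",
                       "NT_STATUS_LOGON_FAILURE"}

def parse_auth_results(text):
    """Return one dict per authentication result found in a winbindd log."""
    entries = []                      # each item: [timestamp, [text fragments]]
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                         # a new entry starts at every [timestamp, level]
            entries.append([m.group(1), [line[m.end():]]])
        elif entries:                 # continuation, wrapped or indented
            entries[-1][1].append(line)
    results = []
    for stamp, parts in entries:
        r = RESULT.search(" ".join(p.strip() for p in parts))
        if r:
            results.append({"time": stamp, "method": r.group(1), "user": r.group(2),
                            "status": r.group(3), "pam": int(r.group(4))})
    return results

def triage(results):
    """Count results per status and list statuses that are not credential errors."""
    by_status = Counter(r["status"] for r in results)
    suspect = sorted(s for s in by_status
                     if s not in CREDENTIAL_STATUSES and s != "NT_STATUS_OK")
    return {"by_status": dict(by_status), "server_side_suspect": suspect}

if __name__ == "__main__":
    print(triage(parse_auth_results(SAMPLE_LOG)))
```
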
Re: NT_STATUS_INVALID_HANDLE with wbinfo -a

Roel van Meer-3
Devon Crouse writes:

> I've been stuck on this one for days and can't seem to find anything
> referencing the same problem; help would be greatly appreciated.  I have a
> functioning Samba 3.5.4-63 installation acting as a PDC - users can log in
> from Windows 7 machines without problems etc. etc.
>
> The issue is with using wbinfo -a to authenticate users (without going into
> too much detail, I'm trying to use the ntlm_auth helper for Squid, and I
> think this error might be the best indication I've found as to why that
> isn't working.)  wbinfo -u/-g both return the correct lists of users/groups
> as winbind is up and running, but I can't get it to authorize any of them:

Well, you're CC'd in this bug report:
https://bugzilla.samba.org/show_bug.cgi?id=7481
I think it is the same problem.

I've tried to make it work with 3.5.x and haven't succeeded, but 3.4.x works
like a charm. The bug report has a patch that fixes the problem for me
(though I can't guarantee that it's the proper solution).

I'd say you have two options: downgrade to 3.4.8 or see if the patch works
for you. Hopefully the bug will get fixed soon.
I haven't tested the 3.6.0pre1 yet, but I've planned to do that soon.

Regards,

roel


