Turbo Fredriksson
2007-Jul-28 16:06 UTC
[Samba] Checking the trust account password returned NT_STATUS_INVALID_HANDLE
I'm trying to set up a FreeRADIUS (version 1.1.6 w/ LDAP support) server on our new server here at home, which in turn should authenticate against the Samba server (also on the same host - version 3.0.25) which in turn uses an OpenLDAP server (CVS version HEAD as of 20070719).

Samba works perfectly against the OL server. Authentication etc is a-ok. But regarding winbind, the first problem is that it won't start. 'touch'ing the file '/var/run/samba/winbindd_cache.tdb' and then starting 'winbind -iS -d3' works. This I can live with (at the moment) but then running 'wbinfo -t' will give me the following problem:

----- s n i p -----
celia:~# touch /var/run/samba/winbindd_cache.tdb && winbindd -iS -d3 2>&1 | tee /tmp/z
[...]
initialize_winbindd_cache: clearing cache and re-creating with version number 1
Added domain FREQVIST S-1-5-21-1048132253-3888718238-3496884323
Added domain BUILTIN S-1-5-32
[12095]: list trusted domains
[... running wbinfo ...]
[    0]: request interface version
[    0]: request location of privileged pipe
[    0]: check machine account
[12095]: check machine account
could not open handle to NETLOGON pipe
Checking the trust account password returned NT_STATUS_INVALID_HANDLE
----- s n i p -----

And wbinfo says:

----- s n i p -----
celia:/home/turbo# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
Could not check secret
----- s n i p -----

A 'net join' works (according to 'net' at least - I get an error in the samba logs!):

----- s n i p -----
celia:/home/turbo# net join -w FREQVIST -S 127.0.0.1 -U root
Password:
Joined domain FREQVIST.
----- s n i p -----

Only running 'net join' will give me an error because of wrong password. MIGHT be because of the current Samba server my girlfriend is maintaining (which is to be moved to this new server).
----- s n i p -----
celia:~# tail -f /var/log/samba/samba.log -n0
[2007/07/27 11:25:58, 0, pid=12169, effective(65534, 65534), real(65534, 0)] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from client CELIA machine account CELIA$
----- s n i p -----

This before I've entered the password...

The command 'pdbedit -L -w' tells me this about 'celia$':

----- s n i p -----
celia$:3005:E19AB02A48615917B24265D82887F525:2CBC29FB015E87AC0A198A0F0150811C:[S ]:LCT-46A9BA2A:
----- s n i p -----

and 'pdbedit -L -v celia\$' (just for completeness):

----- s n i p -----
Unix username:        celia$
NT username:          celia$
Account Flags:        [S ]
User SID:             S-1-5-21-1048132253-3888718238-3496884323-7010
Primary Group SID:    S-1-5-21-1048132253-3888718238-3496884323-513
Full Name:            Machine Account,,,
Home Directory:       \\celia\celia_\.profile
HomeDir Drive:
Logon Script:         tid.bat
Profile Path:         \\celia\celia_\profile
Domain:               FREQVIST
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
Password last set:    Fri, 27 Jul 2007 11:26:02 CEST
Password can change:  Fri, 27 Jul 2007 11:26:02 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
----- s n i p -----

Any idea what I can do or did wrong? Is winbind supposed to work on the same host as [sn]mbd? Is it 'just supposed to work'?
Oh, and the smb.conf is probably of some use (comments removed and only the '[global]' section included):

----- s n i p -----
[global]
        workgroup = FREQVIST
        netbios name = CELIA
        server string = %h server (Samba %v)
        username map = /etc/samba/smbusers
        passdb backend = ldapsam:ldap://127.0.0.1
        ldap suffix = o=FREQVIST,c=SE
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap passwd sync = Yes
        ldap admin dn = <admin dn>
        password server = 127.0.0.1
        encrypt passwords = true
        passwd program = /bin/passwd %u
        passwd chat = *new*password* %n\\n*new*password* %n\\n *changed*
        passwd chat debug = Yes
        pam password change = Yes
        winbind separator = \\
        winbind cache time = 10
        template shell = /bin/bash
        template homedir = /home/%U
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        syslog = 3
        log file = /var/log/samba/samba.log
        debug pid = Yes
        debug uid = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY IPTOS_THROUGHPUT
        logon script = tid.bat
        logon home = \\%N\%U\.profile
        domain master = True
        domain logons = Yes
        preferred master = True
        os level = 70
        dns proxy = No
        wins support = yes
        time server = Yes
        hosts allow = 192.168.1.
        panic action = /usr/share/samba/panic-action %d
        add machine script = /etc/samba/adduser.sh %u

[netlogon]
        path = /home/samba/netlogin
----- s n i p -----

Just one more thing. The 'ldap machine suffix' config option... I'd like to have all computers etc in 'ou=Computers,c=SE', but that doesn't seem to be possible?!
Turbo Fredriksson
2007-Jul-30 18:19 UTC
[Samba] Checking the trust account password returned NT_STATUS_INVALID_HANDLE
Quoting Turbo Fredriksson <turbo@dagdrivarn.se>:

> I'm trying to set up a FreeRADIUS (version 1.1.6 w/ LDAP support)
> server on our new server here at home, which in turn should
> authenticate against the Samba server (also on the same host - version
> 3.0.25) which in turn uses an OpenLDAP server (CVS version HEAD as of
> 20070719).

This works with 2.0.14a and 2.0.24. But in both, I get this a couple of minutes (about half an hour) after a restart (a restart solves the problem for another half hour):

----- s n i p -----
[2007/07/30 16:23:25, 0, pid=7295, effective(0, 0), real(0, 0)] passdb/pdb_get_set.c:pdb_get_group_sid(164)
  pdb_get_group_sid: Failed to find Unix account for turbo
[2007/07/30 16:23:25, 1, pid=7295, effective(0, 0), real(0, 0)] auth/auth_util.c:make_server_info_sam(572)
  User turbo in passdb, but getpwnam() fails!
[2007/07/30 16:23:25, 0, pid=7295, effective(0, 0), real(0, 0)] auth/auth_sam.c:check_sam_security(352)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
----- s n i p -----

The command 'pdbedit -L' still works perfectly, but 'wbinfo -u' never worked.

PS. It doesn't seem to matter if I have WinBind running or not... It's currently off.
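As an added example (not code from either post or from the Samba project), here is a small Python parser for the Samba 3 log format quoted in both messages: it pairs each header line with the message line under it, then counts the machine-account credential rejection from the first post, the passdb/getpwnam() mismatch from the second, and any NT_STATUS codes, so that repeated failures of this kind can be spotted in a real samba.log. The sample log is constructed from the four entries quoted above; the pattern labels are my own names.

```python
import re
from collections import Counter

# Samba 3 log header: "[date time, level, pid=N, effective(u, g), real(u, g)] file.c:func(line)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+), pid=(?P<pid>\d+)"
    r"(?:, effective\((?P<euid>\d+), (?P<egid>\d+)\), real\((?P<ruid>\d+), (?P<rgid>\d+)\))?\]"
    r" (?P<src>\S+)$"
)
# Message patterns taken from the log excerpts quoted in the thread; labels are my own
PATTERNS = [
    ("machine_auth_fail", re.compile(r"creds_server_check failed.*machine account (\S+\$)")),
    ("passdb_nss_mismatch", re.compile(r"User (\S+) in passdb, but getpwnam\(\) fails")),
    ("status", re.compile(r"(NT_STATUS_[A-Z_]+)")),
]

def parse_samba_log(text):
    """Pair each header line with the indented message line(s) that follow it."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = m.groupdict()
            cur["msg"] = ""
            entries.append(cur)
        elif cur is not None and line.strip():
            cur["msg"] = (cur["msg"] + " " + line.strip()).strip()
    return entries

def find_auth_problems(text):
    """Count machine-account credential failures, passdb/NSS mismatches and NT_STATUS codes."""
    findings = Counter()
    for e in parse_samba_log(text):
        for label, pat in PATTERNS:
            for hit in pat.findall(e["msg"]):
                findings[f"{label}:{hit}"] += 1
    return findings

# Constructed sample: the four entries quoted in the two posts above
SAMPLE_LOG = """\
[2007/07/27 11:25:58, 0, pid=12169, effective(65534, 65534), real(65534, 0)] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from client CELIA machine account CELIA$
[2007/07/30 16:23:25, 0, pid=7295, effective(0, 0), real(0, 0)] passdb/pdb_get_set.c:pdb_get_group_sid(164)
  pdb_get_group_sid: Failed to find Unix account for turbo
[2007/07/30 16:23:25, 1, pid=7295, effective(0, 0), real(0, 0)] auth/auth_util.c:make_server_info_sam(572)
  User turbo in passdb, but getpwnam() fails!
[2007/07/30 16:23:25, 0, pid=7295, effective(0, 0), real(0, 0)] auth/auth_sam.c:check_sam_security(352)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
"""
```

Calling find_auth_problems() on the text of a samba.log (or on SAMPLE_LOG) returns a Counter keyed by label and account name, so a burst of "machine_auth_fail:CELIA$" entries stands out from the one-off seen here.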