3.0Alpha21 and W2K AD 'dorking' Samba machine acct?
Andrew Bartlett
abartlet at samba.org
Fri Feb 14 20:08:06 GMT 2003
On Thu, 2003-02-13 at 01:30, Nik Conwell wrote:
>
> On Thu, 30 Jan 2003, Andrew Bartlett wrote:
>
>
> > On Thu, 2003-01-30 at 23:32, Nik Conwell wrote:
> > >
> > > Anybody seeing a scenario like this?
> > >
> > > net ads join adds our machine entry to AD just fine.
> > >
> > > The machine entry object in the AD database has:
> > >
> > > OperatingSystem "Samba"
> > > OperatingSystemVersion "post3.0-HEAD"
> > > dnsHostname "ourhost"
> > >
> > > Some time later "something" happened, and AD now has:
> > >
> > > OperatingSystem "Windows"
> > > OperatingSystemVersion "NT 4"
> > > dnsHostname is empty.
> > >
> > > and then authentication to ourhost fails.
> >
> > Something is doing a NT4 password change. This can occur if
> > 'security=domain' is set, rather than 'security=ads'.
> >
> > Or if 'net rpc changetrustpw' is run.
>
> Interesting - security=ads is set in the config, and neither of the two of us
> who have privs to do the net cmds have run changetrustpw (or knew what it was
> before you wrote about it ;-))
>
> I have an unverified pet theory that under some circumstances the smbd may think
> it's running as security=domain (unable to read the config file due to it being
> unmounted - it's on NFS disk - or since the file doesn't have o=r). I'll put
> some DEBUG logging statements near change_trust_account_password() to see if
> we're somehow getting there.
>
> Thanks for your help.
> -nik
I since looked into this myself - and it's weird!

If you make even a single connection to the NETLOGON pipe, to verify an
NTLM password with the PDC, your OS gets reset!

This occurs during the credentials setup for that pipe - the interesting
thing will be to see what Win2k does for that pipe, and to see if we can
emulate it.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net