Creating machine trust account for NT
werner maes
werner.maes at cc.kuleuven.ac.be
Thu Nov 15 08:38:06 GMT 2001
>OK, this is a basic rundown of how it works:
>
>When you select this option, the NT client logs in to the Samba server,
>and issues a 'create account' RPC command, then a 'set password' command
>to set a random smb password on the trust account.
>
>This works fine on the Samba side of things, but we have some legacy
>issues: Unfortunately the way samba works internally it requires an
>/etc/passwd account before it can create it in smbpasswd. By default
>the 'create user' call only makes the smbpasswd part, you have to do the
>unix stuff yourself. This is what the 'add user script' (and the 'add
>machine script' in HEAD) are for, to allow samba to do both parts.
>
>Now, back to your question. When you did the 'smbpasswd -am' yourself,
>you effectively did the same thing as the 'create user' checkbox on the
>NT client achieves, except that you set the password to a known value.
>In this case the NT client just changes that password when you join it,
>but in the meantime any other machine can use that account - not a good
>thing and why only the second method is supported under Win2k.
>
>Andrew Bartlett
Thanks for your reply,
I get the picture.
But now I've done some tests. Everything seems to work fine, even when you
select the option "create a computer account in the domain". There's still
one problem however.
If I try selecting this option on an NT 4.0 Server, the machine trust
account is created on the Samba server but with wrong settings.
e.g.:
testnts$:507:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NDW ]:LCT-00000000:
This is the entry I get after I added an NT server to a Samba domain with
the option "create a computer account in the domain" enabled.
With these settings you cannot log in to the domain.
If you first create the machine account with "smbpasswd -a -m" and then add
the NT server to the domain, then it works.
With NT Workstation 4.0 everything works fine (same for Win2000).
Am I correct?
Werner
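
Added example (not part of the original messages, and not Samba code): a small Python check that parses smbpasswd lines and reports machine trust accounts left in the state shown above (N or D flag set, no NT hash stored, LCT of zero). The second and third sample lines and all hex values are constructed, and the flag meanings are taken from smbpasswd(5).

```python
import re

# Constructed sample smbpasswd content. The first line is the entry quoted in
# the post; the other names, hashes and timestamps are made up.
SAMPLE = (
    "testnts$:507:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:"
    "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NDW ]:LCT-00000000:\n"
    "testntw$:508:0123456789ABCDEF0123456789ABCDEF:"
    "FEDCBA9876543210FEDCBA9876543210:[W          ]:LCT-3BF37D2E:\n"
    "werner:1001:0123456789ABCDEF0123456789ABCDEF:"
    "FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3BF37D2E:\n"
)

HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
FLAGS = re.compile(r"\[([A-Za-z ]*)\]")

def parse_entry(line):
    """Split one smbpasswd line into fields; return None if it is malformed."""
    parts = line.strip().split(":")
    if len(parts) < 6:
        return None
    name, uid, lm, nt, flags, lct = parts[:6]
    m = FLAGS.fullmatch(flags)
    if m is None or not lct.startswith("LCT-"):
        return None
    return {"name": name, "nt": nt, "lct": lct[4:],
            "flags": set(m.group(1).replace(" ", ""))}

def check_machine_account(entry):
    """List the reasons a machine trust account cannot authenticate safely."""
    problems = []
    if "N" in entry["flags"]:
        problems.append("N flag: no password required")
    if "D" in entry["flags"]:
        problems.append("D flag: account disabled")
    if not HEX32.fullmatch(entry["nt"]):
        problems.append("no NT hash stored")
    if set(entry["lct"]) <= {"0"}:
        problems.append("LCT is zero: password never set")
    return problems

def audit(text):
    """Map each machine account (name ending in '$') to its list of problems."""
    entries = filter(None, map(parse_entry, text.splitlines()))
    return {e["name"]: check_machine_account(e)
            for e in entries if e["name"].endswith("$")}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE).items():
        print(name, "OK" if not problems else "; ".join(problems))
```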