[Samba] Samba 2.2.8 is failing on change machine account password

Andrew Bartlett abartlet at samba.org
Fri Mar 28 12:50:34 GMT 2003 

On Fri, 2003-03-28 at 23:44, Eric Boehm wrote:
> On Fri, Mar 28, 2003 at 10:00:47PM +1100, Andrew Bartlett wrote:
> >>>>> "Andrew" == Andrew Bartlett <abartlet at samba.org> writes:
> 
>     Andrew> On Fri, 2003-03-28 at 19:44, Hansjoerg Maurer wrote:
> 
>     Andrew> If you run 'smbpasswd -t' it should do it on demand.
> 
> That doesn't seem to work

I didn't say it would work, just that it would be easier to debug :-)

> smbpasswd -t AMERICASE
> 2003/03/28 07:40:32 : change_trust_account_password: Failed to change password for domain AMERICASE.
> 
> I do have a debug level 10 log of the attempt but there really isn't
> much more information in it. I really do think this might be a bug. If
> anyone has been able to get this to work, I would appreciate hearing
> about it. If there are other steps I can take to help debug/fix this,
> I am willing to take those steps.
> 
> Doesn't this present a potential security issue if the machine
> password never changes?

Small - basically if the 'bad guy' can figure out the password by
cryptographic or network brute force before you change it, yes.  If he
is listening on the connection always anyway, then they will observe the
password change.

In short - keep it secret, and it's not too bad.

> [2003/03/27 15:33:15, 5, pid=25400] lib/util.c:(291)
>   smb_bcc=0
> [2003/03/27 15:33:15, 6, pid=25400] lib/util_sock.c:(518)
>   write_socket(10,39)
> [2003/03/27 15:33:15, 6, pid=25400] lib/util_sock.c:(521)
>   write_socket(10,39) wrote 39
> [2003/03/27 15:34:15, 3, pid=25400] smbd/sec_ctx.c:(329)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2003/03/27 15:34:15, 5, pid=25400] smbd/uid.c:(217)
>   change_to_root_user: now uid=(0,0) gid=(0,0)
> [2003/03/27 15:34:15, 10, pid=25400] smbd/process.c:(1137)
>   timeout_processing: checking to see if machine account password need changing.
> [2003/03/27 15:34:15, 10, pid=25400] smbd/process.c:(1167)
>   timeout_processing: machine account password last change time = (1046645657) Sun, 02 Mar 2003 17:54:17 EST.
> [2003/03/27 15:34:15, 0, pid=25400] rpc_client/cli_trust.c:(46)
>   domain_client_validate: unable to fetch domain sid.

This certainly looks like an issue.

Have you tried rejoining the domain?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20030328/b8c0d007/attachment.bin

More information about the samba mailing list