NT WS replication (Re: samba-tng-alpha-1.1.tar.gz)

Schlomo Schapiro schapiro at clerk.pi.huji.ac.il
Mon Mar 20 06:53:45 GMT 2000


Hi,

here is what we are doing:

Before replicating the image, I join the master to the domain (it changes
the password to something else). Then I replicate the computers and copy
the password in the smbpasswd to the replicated computers. Like this,
nobody knows the WS passwords, and the WS change them again after some
time.

S. Schapiro



On Mon, 20 Mar 2000, Luke Kenneth Casson Leighton wrote:

> On Sun, 19 Mar 2000, William Jojo wrote:
> 
> >
> > Luke,
> >
> > Why would you disable the -m option of smbpasswd? We use Ghost to re-image a PC
> > here and we need to reset the machine account after a rebuild so it will
> > gracefully join the domain without having to jump through hoops.
> 
> because 1) having a default well-known workstation trust account password
> is a security risk: the trust account is used to encrypt user passwords.
> 
> because 2) if you _must_ do this, you can use samedit's "createuser
> wkstaname$ -p wkstaname" to explicitly set the trust account password to
> the [very insecure] initial value.
> 
> oh, and it gets even better if you add a backup domain controller with the
> trust account password [as the bdc name]: then you run the risk of losing
> your entire SAM database to an attacker, as they pretend to be the BDC,
> using the default password and suck all user profile (plus passwords),
> group, alias and domain information off your PDC -- after all, that's what
> SAM synchronisation is supposed to do!!!
> 
> 
> > A little history - we build a master image and then distribute that to 600 PCs on
> > our campus. By resetting the machine account through smbpasswd, we can simply
> > rename the machine (since every machine now has the same name from the master
> > image) and after a reboot, it's happy.
> >
> > If you would recommend a different method, I'm all ears, but I think disabling
> > smbpasswd -m would be a grave mistake.
> 
> you can use samedit's createuser with -j to totally randomise the local
> workstation trust account password _and_ this totally random value will be
> stored in the PDC's SAM database, too, so the workstation is synchronised
> with the PDC.
> 
> this can be done just as well in an NT-only environment as it can in a
> mixed samba-NT environment.
> 
> you should be able to do this as a one-step-in-a-script on a secure local
> network:
> 
> samedit -S thepdc -U admin%pdcpwd -W pdcdomname -l log
> [$ ] use \\wkstaname -U localadmin%localpwd -W wkstaname
> connect blah blah: OK
> 
> [$ ] use -u
> connect to PDC
> connect to wksta
> 
> [$ ] createuser wkstaname$ -j PDCDOMNAME
> creating trust account: OK [this is done to PDC using pdc admin pwd]
> setting $MACHINE.ACC: OK [this is done to wksta using wksta locadm pwd]
> 
> now -- at this point, you should be able to go to the wksta and the pdc,
> and change the name, and voila.
> 
> however, if you ask nicely, i might investigate how to change the local
> workstation name, by adding new commands:
> 
> [$ ] srvinfoset -n newworkstationname
> 
> [$ ] samuserset wkstaname$ -n newworkstationname$
> 
> then you can do this, afterwards:
> 
> regedit -S wkstaname -U localadmin%localpwd -W wkstaname
> [$ ] shutdown --reboot --force-close (or -r -f).
> 
> luke
> 

-- 
Schlomo Schapiro
Computation Authority
Hebrew University of Jerusalem

Tel: ++972 / 2 / 65-84404
email: schapiro at clerk.pi.huji.ac.il
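As an added illustration of Luke's point above about the well-known initial trust account password (this is not code from the thread, from Samba or from Samba-TNG): a small audit that reads smbpasswd entries on your own PDC and flags machine accounts whose NT hash is still the default, i.e. the lowercase machine name that smbpasswd -m sets. The sample entries and LCT values are constructed, and MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3.

```python
import struct

# Pure-Python MD4 (RFC 1320); an NT hash is MD4 over the UTF-16LE password.
def _md4(data: bytes) -> bytes:
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, shifts, message-word order)
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), tuple((i % 4) * 4 + i // 4 for i in range(16))),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for fn, kc, shifts, order in rounds:
            for i in range(16):
                j = (-i) % 4  # register updated in this step: a, d, c, b, a, ...
                r[j] = rol((r[j] + fn(r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4])
                            + X[order[i]] + kc) & 0xFFFFFFFF, shifts[i % 4])
        state = [(s + t) & 0xFFFFFFFF for s, t in zip(state, r)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """Uppercase hex NT hash, the form stored in the fourth smbpasswd field."""
    return _md4(password.encode("utf-16-le")).hex().upper()

def audit_trust_accounts(smbpasswd_lines):
    """Return machine accounts (name ending in '$') whose NT hash equals the
    well-known initial trust password: the machine name, lowercased."""
    weak = []
    for line in smbpasswd_lines:
        fields = line.strip().split(":")  # name:uid:LM hash:NT hash:[flags]:LCT-...:
        if line.startswith("#") or len(fields) < 4 or not fields[0].endswith("$"):
            continue
        name, nt = fields[0], fields[3]
        if nt.upper() == nt_hash(name[:-1].lower()):
            weak.append(name)
    return weak

# Constructed sample entries (not from a real PDC): ws01$ still carries the
# default trust password, ws02$ has a randomised one (hash value made up here).
NO_LM = "X" * 32  # Samba's marker for "no LM hash stored"
SAMPLE_SMBPASSWD = [
    f"ws01$:1001:{NO_LM}:{nt_hash('ws01')}:[W          ]:LCT-38D5E0B6:",
    f"ws02$:1002:{NO_LM}:0123456789ABCDEF0123456789ABCDEF:[W          ]:LCT-38D5E0B6:",
]
```

Running `audit_trust_accounts` over the real file on the PDC lists the workstations that should be re-joined with a randomised password, as Luke describes with createuser -j.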


