security=domain bombs

Jeremy Allison jallison at whistle.com
Fri May 22 17:04:21 GMT 1998


Gerald Carter wrote:
> 
> Make sure that the private/<DOMAIN>.<MACHINENAME>.mac file exists on the
> samba domain client.  When I just recently set this up, the file was
> created but called MACHINE.SID.  rename this file to
> <DOMAIN>.<MACHINENAME>.mac and make sure that you have added the machine
> account for the samba client on the PDC ( Samba or NT ).
> 

No, this is wrong. If you do this everything
will break. The MACHINE.SID contains the
ASCII text of what used to be in the 'domain sid'
parameter in smb.conf, i.e. a string like

S-1-21-123-456-789

- it gets randomly generated the first time
any smbd starts up if it doesn't exist, and
*never* changes once created (it's the machine
'identity' - just like an NT machine SID).

The private/DOMAIN.MACHINENAME.mac file is
the machine password file, that must exist
if security=domain is set in smb.conf.

This file is created when you join the
domain using smbpasswd - first add the
Samba machine to the NT domain on the PDC
(if it's a Samba PDC using smbpasswd -a -m
as usual, if it's an NT PDC using Server
Manager for Domains), and then on the
machine joining the domain add the
PDC name as the first entry in the
'password server' list and then type
(as root):

smbpasswd -j <DOMAINNAME>

This will create the private/DOMAIN.MACHINENAME.mac
file that contains the machine password for
this domain.

I know this is confusing, I need to write a
document on this but don't have the time
right now (soon, I promise).

Jeremy.

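The sequence described in the message above (machine SID in private/MACHINE.SID that is never renamed, password server list with the PDC first, and the private/DOMAIN.MACHINENAME.mac machine password file created by smbpasswd -j) can be sanity-checked before smbd is restarted with security=domain. The script below is an added example, not code from the post or from the Samba project. It assumes that DOMAIN and MACHINENAME in the .mac file name are the upper-cased 'workgroup' and 'netbios name' values from smb.conf, and the smb.conf contents, directory names and SID value it uses are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-flight check for a Samba domain member (added example, not Samba code).
# It only reads files; it does not join the domain or change anything.

# Return 0 if the argument looks like a SID string such as S-1-21-123-456-789
# (S-1-<authority>-<at least one sub-authority>).
is_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-[0-9]+(-[0-9]+)+$'
}

# Print the value of a global smb.conf parameter (key compared case-insensitively,
# surrounding whitespace trimmed). Only simple 'key = value' lines are handled.
smbconf_value() {
    awk -F= -v key="$2" '
        { k = $1; sub(/^[ \t]*/, "", k); sub(/[ \t]*$/, "", k) }
        tolower(k) == tolower(key) {
            v = substr($0, index($0, "=") + 1)
            sub(/^[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            print v; exit
        }' "$1"
}

# Check an smb.conf and a private/ directory for what security=domain needs:
#   1. 'security = domain' and a non-empty 'password server' list (PDC first);
#   2. private/MACHINE.SID present and holding an S-1-... SID (never rename it);
#   3. private/<WORKGROUP>.<NETBIOS NAME>.mac present (created by smbpasswd -j).
# Prints "OK" or one line per finding; returns 0 only when everything passes.
# Assumption: the .mac file is named from the upper-cased workgroup and netbios name.
check_domain_member() {
    conf=$1; priv=$2; problems=0

    sec=$(smbconf_value "$conf" security | tr '[:upper:]' '[:lower:]')
    if [ "$sec" != "domain" ]; then
        echo "NOTE: security = '$sec'; the checks below only matter for security = domain"
    fi

    pdc=$(smbconf_value "$conf" 'password server')
    pdc=${pdc%%[ ,]*}   # first entry of the list is expected to be the PDC
    if [ -z "$pdc" ]; then
        echo "PROBLEM: 'password server' is empty; put the PDC name first in that list"
        problems=$((problems + 1))
    fi

    if [ ! -f "$priv/MACHINE.SID" ]; then
        echo "PROBLEM: $priv/MACHINE.SID is missing; it is the machine SID and must not be renamed"
        problems=$((problems + 1))
    elif ! is_sid "$(cat "$priv/MACHINE.SID")"; then
        echo "PROBLEM: $priv/MACHINE.SID does not hold an S-1-... SID string"
        problems=$((problems + 1))
    fi

    domain=$(smbconf_value "$conf" workgroup | tr '[:lower:]' '[:upper:]')
    machine=$(smbconf_value "$conf" 'netbios name' | tr '[:lower:]' '[:upper:]')
    mac="$priv/$domain.$machine.mac"
    if [ ! -f "$mac" ]; then
        echo "PROBLEM: $mac is missing; add the machine account on the PDC, then run: smbpasswd -j $domain"
        problems=$((problems + 1))
    fi

    if [ "$problems" -eq 0 ]; then echo OK; return 0; fi
    return 1
}

# Constructed fixtures for the demonstration (not files from the post).
demo=$(mktemp -d)
mkdir -p "$demo/private"
cat >"$demo/smb.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   netbios name = samba1
   security = domain
   password server = PDC1
EOF
echo 'S-1-21-123-456-789' >"$demo/private/MACHINE.SID"   # constructed SID value

echo "before join:"
check_domain_member "$demo/smb.conf" "$demo/private" || true
: >"$demo/private/EXAMPLE.SAMBA1.mac"   # what 'smbpasswd -j EXAMPLE' would create
echo "after join:"
check_domain_member "$demo/smb.conf" "$demo/private" || true
rm -rf "$demo"
```

Run it with no arguments to see the two passes over the constructed fixtures; to check a real installation, call check_domain_member with the paths of your smb.conf and private/ directory instead.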