security=domain bombs

Gerald Carter cartegw at Eng.Auburn.EDU
Fri May 22 17:23:03 GMT 1998

Jeremy Allison wrote:
> No, this is wrong. If you do this everything
> will break. The MACHINE.SID contains the
> ASCII text of what used to be in the 'domain sid'
> parameter in smb.conf - i.e. a string like
> S-1-21-123-456-789

Oops. Sorry.

> - it gets randomly generated the first time
> any smbd starts up if it doesn't exist, and
> *never* changes once created (it's the machine
> 'identity' - just like an NT machine SID).
> The private/DOMAIN.MACHINENAME.mac file is
> the machine password file, that must exist
> if security=domain is set in smb.conf.
> This file is created when you join the
> domain using smbpasswd - first add the
> Samba machine to the NT domain on the PDC
> (if it's a Samba PDC using smbpasswd -a -m
> as usual, if it's an NT PDC using server
> manager for domains), and then on the
> machine joining the domain add the
> PDC name as the first entry in the
> 'password server' list and then type
> (as root):
> smbpasswd -j <DOMAINNAME>

I missed this part.

> This will create the private/DOMAIN.MACHINENAME.mac
> file that contains the machine password for
> this domain.
> I know this is confusing, I need to write a
> document on this but don't have the time
> right now (soon, I promise).

You want me to add it to the NTDOM FAQ?

jerry "yes-I-am-braindead-today" carter
                            Gerald ( Jerry ) Carter	
Engineering Network Services                           Auburn University 
jerry at   

       "...a hundred billion castaways looking for a home."
                                  - Sting "Message in a Bottle" ( 1979 )
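
A check for the two files described in the quoted reply, as an added example that is not part of the original posts and is not Samba project code. The private-directory argument, the function name `check_domain_member`, and the expectation that the machine password file is owner-only are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify the files a security=domain member needs.
# check_domain_member PRIVATE_DIR DOMAIN MACHINENAME   (hypothetical helper)
# Prints one line per finding; returns 0 when every check passes, 1 otherwise.
check_domain_member() {
    priv=$1; domain=$2; machine=$3
    sid_file="$priv/MACHINE.SID"
    mac_file="$priv/$domain.$machine.mac"
    rc=0

    # MACHINE.SID holds the machine SID as ASCII text, e.g. S-1-21-123-456-789.
    if [ ! -f "$sid_file" ]; then
        echo "MISSING $sid_file (smbd generates it on first start)"; rc=1
    elif ! head -n 1 "$sid_file" | grep -Eq '^S-1(-[0-9]+)+[[:space:]]*$'; then
        echo "BAD-FORMAT $sid_file does not look like a SID string"; rc=1
    fi

    # The machine password file is created by "smbpasswd -j <DOMAINNAME>".
    if [ ! -f "$mac_file" ]; then
        echo "MISSING $mac_file (run smbpasswd -j $domain as root)"; rc=1
    else
        # Assumption: a file holding the machine password should carry
        # no group or other permission bits (characters 5-10 of ls -l).
        perms=$(ls -l "$mac_file" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "LOOSE-PERMS $mac_file group/other bits: $perms"; rc=1
        fi
    fi
    return $rc
}
```
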
