question about machine hostid in smbpasswd Samba 2.0.6a

Paul J Collins pjdc at eircom.net
Wed Aug 2 18:07:03 GMT 2000


>>>>> "Simo" == Simo Sorce <simo.sorce at polimi.it> writes:

    Simo> "Melissa M. Thrush" wrote:
    >> 
    >> I have Samba 2.0.6a working as a PDC on a Solaris 2.6 box.  It's been
    >> working fine and I have machines added to the smbpasswd by using
    >> the "smbpasswd -a -m" command.  Recently I installed a new "pc image" (OS,
    >> apps, etc.) onto a pc that had been working as a member of the domain.
    >> When the new image was installed however, a user could no longer log into
    >> the domain from this pc.  I had to readd the machine to the smbpasswd file
    >> even though it already was there.
    >> 
    >> My question, is the encrypted smbpasswd hash comprised somehow of the
    >> machine's hostid (serial number)?  Because when I install a new "pc image"
    >> the new image has a different "serial number/hostid" than the previous
    >> image.
    >> 

    Simo> We used the same method there with ghost software principally.
    Simo> We have to readd machines also to Win Domains because of machine
    Simo> passwords.
    Simo> By default machine passwords are changed every week, so an image older
    Simo> than a week fails its authentication because of wrong password.
    Simo> Passwords are changed by the client and I do not know any way to avoid
    Simo> it.

To the best of my knowledge, this is initiated by the server, and
there is an smb.conf setting to change the interval (this came up when
TNG's password changing didn't work).

In any case, you're going to have to change the machine name of the
image, so you'll have to recreate the machine account.

    Simo> A way to not have the machine rejoin a sambaPDC server may
    Simo> be to save the smbpasswd entry when you make the machine
    Simo> image and restore this entry when you install back that
    Simo> image, this is untested anyway, but.

Er, when you image the machine, all record of the domain it was in
will be lost, including the current machine account password.  There
is probably a way to put the password back in the machine's LSA
secrets, but is it really worth the bother?

It's also strongly recommended that you use NewSID or similar to
assign a new machine SID before you join an imaged machine to a
domain.  (I sincerely hope your image is not of a domain member
machine!)  If you don't, workgroup security breaks down, and if you
wind up using Windows 2000 Server, it'll cause problems there too
(possibly only with Active Directory-based installations, but I don't
know).

This is all a tad messy, hope it makes sense.

-- 
Paul Collins <pjdc at eircom.net> - - - - - - - [ A&P,a&f ]
 GPG: 0A49 49A9 2932 0EE5 89B2  9EE0 3B65 7154 8131 1BCD
 PGP: 88BA 2393 8E3C CECF E43A  44B4 0766 DD71 04E5 962C
"Cover up and say goodnight... say goodnight."


