samba-tng-alpha-1.1.tar.gz

Luke Kenneth Casson Leighton lkcl at samba.org
Sun Mar 19 19:31:26 GMT 2000


On Sun, 19 Mar 2000, William Jojo wrote:

> 
> Luke,
> 
> Why would you disable the -m option of smbpasswd? We use Ghost to re-image a PC
> here and we need to reset the machine account after a rebuild so it will
> gracefully join the domain without having to jump through hoops.

because 1) having a default well-known workstation trust account password
is a security risk: the trust account is used to encrypt user passwords.

because 2) if you _must_ do this, you can use samedit's "createuser
wkstaname$ -p wkstaname" to explicitly set the trust account password to
the [very insecure] initial value.

oh, and it gets even better if you add a backup domain controller with the
trust account password [as the bdc name]: then you run the risk of losing
your entire SAM database to an attacker, as they pretend to be the BDC,
using the default password, and suck all user profile (plus passwords),
group, alias and domain information off your PDC -- after all, that's what
SAM synchronisation is supposed to do!!!

 
> A little history - we build a master image and then distribute that to 600 PCs on
> our campus. By resetting the machine account through smbpasswd, we can simply
> rename the machine (since every machine now has the same name from the master
> image) and after a reboot, it's happy.
> 
> If you would recommend a different method, I'm all ears, but I think disabling
> smbpasswd -m would be a grave mistake.

you can use samedit's createuser with -j to totally randomise the local
workstation trust account password _and_ this totally random value will be
stored in the PDC's SAM database, too, so the workstation is synchronised
with the PDC.

this can be done just as well in an NT-only environment as it can in a
mixed samba-NT environment.

you should be able to do this as a one-step-in-a-script on a secure local
network:

samedit -S thepdc -U admin%pdcpwd -W pdcdomname -l log
[$ ] use \\wkstaname -U localadmin%localpwd -W wkstaname
connect blah blah: OK

[$ ] use -u
connect to PDC
connect to wksta

[$ ] createuser wkstaname$ -j PDCDOMNAME
creating trust account: OK [this is done to PDC using pdc admin pwd]
setting $MACHINE.ACC: OK [this is done to wksta using wksta locadm pwd]

now -- at this point, you should be able to go to the wksta and the pdc,
and change the name, and voila.

however, if you ask nicely, i might investigate how to change the local
workstation name, by adding new commands:

[$ ] srvinfoset -n newworkstationname

[$ ] samuserset wkstaname$ -n newworkstationname$

then you can do this, afterwards:

regedit -S wkstaname -U localadmin%localpwd -W wkstaname
[$ ] shutdown --reboot --force-close (or -r -f).

luke


