samba-tng-alpha-1.1.tar.gz

William Jojo jojowil at hvcc.edu
Wed Mar 22 16:03:47 GMT 2000



Luke,

Thanks for the reply. I understand what you are getting at. However, I do
have trouble compiling the TNG code, and have for some time.

I would've tried the samedit program if I could get by the enumeration
constant problem on the first file make tries. Then if I comment out the
offending enumeration constant, I cannot get it to create the shared
libraries.

I've sent several emails to this list (samba at samba.org) regarding just
this problem and am a little offended that when AIX is having a problem it
seems to get ignored - similar to the email I sent regarding
quotas.

I would love to use the TNG code for our installation, but simply can't
due to problems compiling and a lack of support.

As far as why we have to do things the way we are: simple - we're an
educational institution that must keep up to date with current hardware
and software technology. This means we have to roll out 3 builds a year -
one for each semester. Perhaps there are others in the same boat - or
worse.

Now, this is very simple for a staff of 3 to handle with the simple tool
known as smbpasswd. We're using 2.0.6 and don't have samedit.


If and when we can get the code to compile, we'll try it your way. Until
then we'll continue to find our own solutions.

Bill

On Mon, 20 Mar 2000, Luke Kenneth Casson Leighton wrote:

> On Sun, 19 Mar 2000, William Jojo wrote:
> 
> > 
> > Luke,
> > 
> > Why would you disable the -m option of smbpasswd? We use Ghost to re-image a PC
> > here and we need to reset the machine account after a rebuild so it will
> > gracefully join the domain without having to jump through hoops.
> 
> because 1) having a default well-known workstation trust account password
> is a security risk: the trust account is used to encrypt user passwords.
> 
> because 2) if you _must_ do this, you can use samedit's "createuser
> wkstaname$ -p wkstaname" to explicitly set the trust account password to
> the [very insecure] initial value.
> 
> oh, and it gets even better if you add a backup domain controller with the
> trust account password [as the bdc name]: then you run the risk of losing
> your entire SAM database to an attacker, as they pretend to be the BDC,
> using the default password and suck all user profile (plus passwords)
> group, alias and domain information off your PDC -- after all, that's what
> SAM synchronisation is supposed to do!!!
> 
>  
> > A little history - we build a master image and then distribute that to 600 PCs on
> > our campus. By resetting the machine account through smbpasswd, we can simply
> > rename the machine (since every machine now has the same name from the master
> > image) and after a reboot, it's happy.
> > 
> > If you would recommend a different method, I'm all ears, but I think disabling
> > smbpasswd -m would be a grave mistake.
> 
> you can use samedit's createuser with -j to totally randomise the local
> workstation trust account password _and_ this totally random value will be
> stored in the PDC's SAM database, too, so the workstation is synchronised
> with the PDC.
> 
> this can be done just as well in an NT-only environment as it can in a
> mixed samba-NT environment.
> 
> you should be able to do this as a one-step-in-a-script on a secure local
> network:
> 
> samedit -S thepdc -U admin%pdcpwd -W pdcdomname -l log
> [$ ] use \\wkstaname -U localadmin%localpwd -W wkstaname
> connect blah blah: OK
> 
> [$ ] use -u
> connect to PDC
> connect to wksta
> 
> [$ ] createuser wkstaname$ -j PDCDOMNAME
> creating trust account: OK [this is done to PDC using pdc admin pwd]
> setting $MACHINE.ACC: OK [this is done to wksta using wksta locadm pwd]
> 
> now -- at this point, you should be able to go to the wksta and the pdc,
> and change the name, and voila.
> 
> however, if you ask nicely, i might investigate how to change the local
> workstation name, by adding new commands:
> 
> [$ ] srvinfoset -n newworkstationname
> 
> [$ ] samuserset wkstaname$ -n newworkstationname$
> 
> then you can do this, afterwards:
> 
> regedit -S wkstaname -U localadmin%localpwd -W wkstaname
> [$ ] shutdown --reboot --force-close (or -r -f).
> 
> luke
> 
> 
