when to change $MACHINE.ACC password
Luke Kenneth Casson Leighton
lkcl at samba.org
Mon Feb 21 06:34:03 GMT 2000
there is a shared secret involved in nt logins. one copy is kept in the
lsa (lsa_query_secret) for *internal* use of the client-side
implementation of nt logins.
i recently added code that removes the need for the samba server to be
joined to its own domain, by reading the shared secret _also_ using
unfortunately, the password must be changed once a week. this causes
synchronicity problems, because client-side calls lsa_query_secret, and
server-side also calls lsa_query_secret, both obtain $MACHINE.ACC
if someone makes a login while the $MACHINE.ACC is being updated, the
login will fail.
i could say, only change $MACHINE.ACC when there are no connections or no
accesses to $MACHINE.ACC...
which can only be done as administrator... so you shouldn't have to worry
about security attacks: a connection by a rogue administrator for one week
on $MACHINE.ACC is pretty much going to get noticed.