when to change $MACHINE.ACC password

Luke Kenneth Casson Leighton lkcl at samba.org
Mon Feb 21 06:34:03 GMT 2000

there is a shared secret involved in nt logins.  one copy is kept in the
lsa (lsa_query_secret) for *internal* use of the client-side
implementation of nt logins.

i reecently added code that removes the need for the samba server to be
joined to its own domain, by reading the shared secret _also_ using

unfortunately, the password must be changed once a week.  this causes
synchronicity problems, because client-side calls lsa_query_secret, and
server-side also calls lsa_query_secret, both obtain $MACHINE.ACC

if someone makes a login while the $MACHINE.ACC is being updated , the
login will fail.

i could say, only change $MACHINE.ACC when there are no connections or no
accesses to $MACHINE.ACC...

which can only be done as administrator... so you shouldn't ave to worry
about security attacks: a connection by a rogue administrator for one week
on $MACHINE.ACC is pretty much going to get noticed.


More information about the samba-technical mailing list