Password checking for Machine Trust Account

Andrew Bartlett abartlet at pcug.org.au
Wed Jun 20 11:35:50 GMT 2001


Patrick Boettcher wrote:
> 
> Hello,
> 
> I have a problem: I'm working on a school and with the full power of speech
> I was convincing the headmaster to use linux as server os, instead of
> win2k. Because all clients are win2k I need samba 2.2.0 as PDC. It's working
> well, at least I never had any problem, which wasn't solved after some
> moments. But now I have one:
> 
> In our school we have a software which made it possible to clone OSes after
> install on one pc to all other PC (even Win2k) or repair destroyed ws over
> network, so no hardware cards are needed anymore. This software is called
> rembo (www.rembo.com). Now the problem is, the software is able to change
> the hostname after cloning the image, to change the sid and also to rejoin
> the pdc. But my pdc is samba. In the rembo forum
> (http://www.rembo.com/forumcgi/agnes?Support+SupportHTML+expand357#357) one
> of the programmers told me, that rembo is not able to join samba pdc. He
> also told me, that a solution would be to deactivate the password checking
> for the machine account. Now the question, where in the source I can find
> this check, and is it easy to change (I've got some c experience) ? I also
> know that the source is holy but in my situation I do not know another way.
> 
> Thanks for all advice
> 
> Patrick Boettcher

Why can't you just remove the account from the Samba PDC?  (smbpasswd -x
MACHINE$ I think).  If you automatically add machines as unix users do
that too.

Then all you need to do is join it to a random workgroup (ie not the
domain) and rejoin the domain an obligatory reboot later.  (Unless it
does that for you).  I see no reason this would not work - except that
Samba might not support the remote RPC calls to remove the machine in
the software, you would have to do it manually.  It certainly has the
calls to add an account from scratch, setting the initial password in
the process.  The only thing I can think is that this product wants to
change the password as admin for an existing account, which probably has
not been implemented.

Removing the machine password check would be very silly, as a LOT of
info is given out to a NT domain member, much of which should remain
private.  See the comments regarding the old-style 'create machine
account with default password' behavior in the doco.

Should you wish to be that foolish, I believe it's in reply.c with a
sensible name for its purpose, but I don't recommend this approach.

Do you have any detailed logs of the failure case?  It might help
somebody implement the required functionality - if it's possible.

Andrew Bartlett
abartlet at samba.org
-- 
Andrew Bartlett
abartlet at pcug.org.au
abartlet at samba.org



