Password checking for Machine Trust Account

Jordan Coleman at
Wed Jun 20 15:43:23 GMT 2001

On Wed, Jun 20, 2001 at 09:35:50PM +1000, Andrew Bartlett wrote:
> Patrick Boettcher wrote:
> > In our school we have a software which made it possible to clone OSes after
> > install on one pc to all other PC (even Win2k) or repair destroyed ws over
> > network, so no hardware cards are need anymore. This software is called
> > rembo ( Now the problem is, the software is able to change
> > die hostname after cloning the image, to change the sid and also to rejoin
> > the pdc. But my pdc is samba.
> Why can't you just remove the account from the Samba PDC?  (smbpasswd -x
> MACHINE$ I think).  If you automatically add machines as unix users do
> that too.

Interesting.  I'm currently battling almost exactly the same problem.
We use Altiris Deployment Server, a system that's apparently similar
to Rembo.  What happens is that I can join a Win2K (SP2) workstation
to a domain after installing Win2K, but I can't join it to the domain
after imaging with the software.

What happens is that I get the now-infamous "procedure number is out
of range" in the latter case when I try to rejoin the domain.  Yes, I
do first delete the preexisting machine account from both the
smbpasswd file and from /etc/passwd (I have managed to get automatic
machine account creation working right).

What I've noticed is that after the "procedure number is out of range"
message on the workstation which tries to join the domain, the
smbpasswd file will contain an entry for the newly-created machine
account, but that account will have no password and will have the
"machine", "no password", and "disabled" flags set in the file.  This
is very different from what happens when a fresh machine joins the
domain successfully, in which case the smbpasswd entry has only the
"machine" flag set and shows a real encrypted password.

This is very frustrating, since I all this works perfectly (as do
domain logins, roving profiles, etc. (Thank you, Samba developers!!))
except in this one case where the machine is joining the domain after
being built from a disk image.  Note that joining and leaving and
rejoining a domain works just fine on machines that have been
installed from scratch (from the Windows 2000 CD), and even on
machines that have had their SIDs altered.

If anyone has any suggestions as to what might be the difference
between a pristine install and an almost exact copy of that pristine
install that might cause this problem, I'd be interested to hear it.


More information about the samba-technical mailing list