Machine Account Passwords are changed on the "WRONG" server!!

[Brian M Hoy]

Summary

When machine account passwords are changed, they are usually updated on
one of the "BDC" servers rather than the PDC server.

Topology

We are solely using Samba 2.2.7 file servers (Linux and Solaris) and
OpenLDAP for authentication.  Our corporate network consists of 51
branch offices and 1 head office.

The samba daemon at head office is the PDC.  The master LDAP replication
daemon also resides on the same machine.

Although Samba does not have SAM replication functionality, by using
LDAP replication we are achieving the same thing.  In other words all
user password changes are changed on the PDC, which updates the local
LDAP server, which replicates to all the LDAP daemons on the branch
offices, who in turn are queried by the local samba daemons.  All in all
it works very extremely well.....except for....

Machine account passwords

These are changed on the PC's current "secure channel partner" (one of
the BDCs usually).  This URL explains it in more detail:

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B266729

The following excerpt is from the Microsoft document above:

"... Netlogon is also responsible for changing the machine account
password. By default, this password is reset every seven days. The
workstation sends the request to the secure channel partner. The secure
channel partner passes the request to the PDC...."

As any PC generally uses the same "BDC", this only causes occasional
problems.

On our network with 1200 PCs we get the following problems:

1. laptops on the move need to be rejoined to the domain because the
machine account passwords are out of sync.
2. occasionally desktop PCs cannot authenticate against the domain and
need to be rejoined too.

The second point happens, because the PC will _occasionally_ use a
different DC to authenticate against (it's secure channel partner in MS
parlance).  If it just so happens to change its machine account password
with this SCP, then the machine's domain membership is broken next time
it uses its "normal" SCP.

My Workaround

I have a written a Perl script which fetches the machine account details
from every LDAP server on our network and then figures out which one has
the most recent machine account password, and then submits the change to
the LDAP master so that it is replicated everywhere, thereby getting
around these problems.  It works, but is not ideal

A quick look at the Samba source suggests that it would not handle LDAP
referrals.  Am I right here?  If it did, then LDAP could be configured
to give a referral to the LDAP master for changes, solving the problem
(at least for LDAP users).

Better Fixes:

If you believe the MS document, then the Samba "BDC" should pass the
machine account password change request to the PDC.  That would be nice!



Comments anyone???


Cheers,
Brian