> Summary

> The second point happens, because the PC will _occasionally_ use a
> different DC to authenticate against (its secure channel partner in MS
> parlance).  If it just so happens to change its machine account password
> with this SCP, then the machine's domain membership is broken next time
> it uses its "normal" SCP.
>
> My Workaround
>
> I have written a Perl script which fetches the machine account details
> from every LDAP server on our network and then figures out which one has
> the most recent machine account password, and then submits the change to
> the LDAP master so that it is replicated everywhere, thereby getting
> around these problems.  It works, but is not ideal.
>
> A quick look at the Samba source suggests that it would not handle LDAP
> referrals.  Am I right here?  If it did, then LDAP could be configured
> to give a referral to the LDAP master for changes, solving the problem
> (at least for LDAP users).

samba 2.2.8 may help:

16) Fixes for --with-ldapsam
     * Default to port 389 when "ldap ssl != on"
     * add support for rebinding to the master directory server
       for password changes when "ldap server" points to a read-only


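The reconciliation the quoted workaround describes (read the machine account from every replica, keep the copy with the newest password, push it to the master) as an added Python example; this is not the poster's Perl script and not Samba code. It assumes the Samba 2.2 ldapsam attribute names pwdLastSet, ntPassword and lmPassword, and the replica names, DN and hash values below are constructed sample data, so nothing here contacts a directory server. It also covers the case the post does not mention: two replicas holding different hashes with the same pwdLastSet, where guessing would be worse than stopping.

```python
# Added example, not the original poster's script. Attribute names follow the
# Samba 2.2 ldapsam schema (pwdLastSet / ntPassword / lmPassword); the replica
# names, DN and hash strings are constructed placeholders.
from dataclasses import dataclass


@dataclass
class MachineEntry:
    server: str        # replica the entry was read from
    dn: str
    pwd_last_set: int  # seconds since the epoch, as stored in pwdLastSet
    nt_password: str   # 32 hex chars in a real directory; placeholder here
    lm_password: str


def parse_ldif_entry(server, text):
    """Parse the one-entry LDIF snippet returned by a replica."""
    attrs = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        attrs[key.strip().lower()] = value.strip()
    return MachineEntry(server, attrs["dn"], int(attrs["pwdlastset"]),
                        attrs["ntpassword"], attrs["lmpassword"])


def find_drift(entries):
    """Return the newest entry and the replicas whose hash disagrees with it.

    Refuses to pick a winner when two replicas carry different hashes for the
    same pwdLastSet: replication lag cannot explain that, so an operator
    should look rather than a script overwrite one of them.
    """
    newest = max(entries, key=lambda e: e.pwd_last_set)
    conflicting = [e.server for e in entries
                   if e.pwd_last_set == newest.pwd_last_set
                   and e.nt_password != newest.nt_password]
    if conflicting:
        raise ValueError(f"same pwdLastSet but different hashes on {conflicting}")
    stale = sorted(e.server for e in entries if e.nt_password != newest.nt_password)
    return newest, stale


def ldif_modify_for_master(newest):
    """Build the 'changetype: modify' LDIF that pushes the newest hash to the master."""
    return "\n".join([
        f"dn: {newest.dn}",
        "changetype: modify",
        "replace: ntPassword",
        f"ntPassword: {newest.nt_password}",
        "-",
        "replace: lmPassword",
        f"lmPassword: {newest.lm_password}",
        "-",
        "replace: pwdLastSet",
        f"pwdLastSet: {newest.pwd_last_set}",
        "-",
    ]) + "\n"


# Constructed sample: master and ldap1 still hold the old password, while
# ldap2 took the change directly from the PC's "other" secure channel partner.
SAMPLE_REPLICAS = {
    "ldap-master": """
dn: uid=ws01$,ou=Computers,dc=example,dc=com
pwdLastSet: 1046700000
ntPassword: PLACEHOLDER_OLD_NT_HASH
lmPassword: PLACEHOLDER_OLD_LM_HASH
""",
    "ldap1": """
dn: uid=ws01$,ou=Computers,dc=example,dc=com
pwdLastSet: 1046700000
ntPassword: PLACEHOLDER_OLD_NT_HASH
lmPassword: PLACEHOLDER_OLD_LM_HASH
""",
    "ldap2": """
dn: uid=ws01$,ou=Computers,dc=example,dc=com
pwdLastSet: 1046786400
ntPassword: PLACEHOLDER_NEW_NT_HASH
lmPassword: PLACEHOLDER_NEW_LM_HASH
""",
}


def reconcile(replicas=SAMPLE_REPLICAS):
    """Return (newest entry, stale replica names, LDIF for the master or None)."""
    entries = [parse_ldif_entry(server, text) for server, text in replicas.items()]
    newest, stale = find_drift(entries)
    ldif = ldif_modify_for_master(newest) if stale else None
    return newest, stale, ldif


if __name__ == "__main__":
    newest, stale, ldif = reconcile()
    print(f"newest copy on {newest.server}; stale replicas: {stale}")
    if ldif:
        print(ldif)
```

The LDIF is written to be fed to ldapmodify against the master so that normal replication carries the hash to the stale replicas; in the sample, ldap2 wins and both ldap-master and ldap1 are reported stale.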