Machine Account Passwords are changed on the "WRONG" server!!

Ignacio Coupeau icoupeau at unav.es
Fri Feb 14 08:35:49 GMT 2003


Brian M Hoy wrote:
> Summary
> 

> The second point happens, because the PC will _occasionally_ use a
> different DC to authenticate against (its secure channel partner in MS
> parlance).  If it just so happens to change its machine account password
> with this SCP, then the machine's domain membership is broken next time
> it uses its "normal" SCP.
> 
> My Workaround
> 
> I have written a Perl script which fetches the machine account details
> from every LDAP server on our network and then figures out which one has
> the most recent machine account password, and then submits the change to
> the LDAP master so that it is replicated everywhere, thereby getting
> around these problems.  It works, but is not ideal.
> 
> A quick look at the Samba source suggests that it would not handle LDAP
> referrals.  Am I right here?  If it did, then LDAP could be configured
> to give a referral to the LDAP master for changes, solving the problem
> (at least for LDAP users).
> 

Samba 2.2.8 may help:

16) Fixes for --with-ldapsam
     * Default to port 389 when "ldap ssl != on"
     * add support for rebinding to the master directory server
       for password changes when "ldap server" points to a read-only
       slave



-- 
____________________________________________________
Ignacio Coupeau, Ph.D.     icoupeau at unav.es
CTI, Director              icoupeau at alumni.unav.es
University of Navarra      icoupeau at ieee.org
Pamplona, SPAIN            http://www.unav.es/cti/
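
The selection step of the workaround quoted above (find the server holding the newest machine account password and plan a write to the master) can be sketched as follows. This is an added example, not Brian Hoy's Perl script and not Samba code. The server names, the attribute names (taken to be those of the Samba 2.2 sambaAccount schema) and the sample entries are assumptions constructed for illustration, and the LDAP search and modify calls are left out so it runs offline.

```python
from typing import Dict, List, Tuple

Entry = Dict[str, str]                  # LDAP attribute values arrive as strings
Snapshot = Dict[str, Dict[str, Entry]]  # server -> uid -> attributes
# Assumed attribute names (Samba 2.2 sambaAccount schema).
PASSWORD_ATTRS = ("ntPassword", "lmPassword", "pwdLastSet")

def plan_reconciliation(snapshots: Snapshot, master: str) -> List[Tuple[str, str, Entry]]:
    """Return (uid, source_server, attrs_to_write_on_master) for every machine
    account whose newest password is held by a server other than the master."""
    plan = []
    master_entries = snapshots[master]
    uids = sorted({uid for entries in snapshots.values() for uid in entries})
    for uid in uids:
        if uid not in master_entries:
            continue  # unknown to the master: needs an operator, not a sync
        best_server, best = master, master_entries[uid]
        for server, entries in sorted(snapshots.items()):
            entry = entries.get(uid)
            # Strictly newer only: a tie or a lagging replica keeps the master copy.
            if entry and int(entry["pwdLastSet"]) > int(best["pwdLastSet"]):
                best_server, best = server, entry
        if best_server != master:
            plan.append((uid, best_server, {a: best[a] for a in PASSWORD_ATTRS}))
    return plan

def _entry(nt: str, lm: str, changed: str) -> Entry:
    return {"ntPassword": nt, "lmPassword": lm, "pwdLastSet": changed}

# Constructed sample (hash values are placeholders): ws01$ changed its password
# on replica ldap-b, ws02$ is consistent, ws03$ is only lagging on ldap-a.
SAMPLE: Snapshot = {
    "ldap-master": {"ws01$": _entry("NT-OLD", "LM-OLD", "1044000000"),
                    "ws02$": _entry("NT-2", "LM-2", "1044500000"),
                    "ws03$": _entry("NT-3B", "LM-3B", "1045200000")},
    "ldap-a":      {"ws01$": _entry("NT-OLD", "LM-OLD", "1044000000"),
                    "ws02$": _entry("NT-2", "LM-2", "1044500000"),
                    "ws03$": _entry("NT-3A", "LM-3A", "1045000000")},
    "ldap-b":      {"ws01$": _entry("NT-NEW", "LM-NEW", "1045211749"),
                    "ws02$": _entry("NT-2", "LM-2", "1044500000"),
                    "ws03$": _entry("NT-3B", "LM-3B", "1045200000")},
}

if __name__ == "__main__":
    for uid, source, attrs in plan_reconciliation(SAMPLE, "ldap-master"):
        print(f"{uid}: copy password set at {attrs['pwdLastSet']} from {source} to master")
```

A non-empty plan is also a useful alert in its own right: it means a password change landed on a server other than the master and a workstation's domain membership is about to break.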


