Machine Account Passwords are changed on the "WRONG" server!!
icoupeau at unav.es
Fri Feb 14 08:35:49 GMT 2003
Brian M Hoy wrote:
> The second point happens, because the PC will _occasionally_ use a
> different DC to authenticate against (its secure channel partner in MS
> parlance). If it just so happens to change its machine account password
> with this SCP, then the machine's domain membership is broken next time
> it uses its "normal" SCP.
> My Workaround
> I have written a Perl script which fetches the machine account details
> from every LDAP server on our network and then figures out which one has
> the most recent machine account password, and then submits the change to
> the LDAP master so that it is replicated everywhere, thereby getting
> around these problems. It works, but is not ideal.
> A quick look at the Samba source suggests that it would not handle LDAP
> referrals. Am I right here? If it did, then LDAP could be configured
> to give a referral to the LDAP master for changes, solving the problem
> (at least for LDAP users).
samba 2.2.8 may help:
16) Fixes for --with-ldapsam
    * Default to port 389 when "ldap ssl != on"
    * add support for rebinding to the master directory server
      for password changes when "ldap server" points to a read-only
Ignacio Coupeau, Ph.D. icoupeau at unav.es
CTI, Director icoupeau at alumni.unav.es
University of Navarra icoupeau at ieee.org
Pamplona, SPAIN http://www.unav.es/cti/
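
The workaround Brian Hoy describes above (find the replica holding the newest machine account password, then submit it to the LDAP master), sketched as an added example; it is not his Perl script and not Samba code. The attribute names assume the Samba 2.2 sambaAccount schema, and the server names, DN and hash values are constructed.

```python
# Added example: constructed data, not fetched from a real directory.
# Attribute names assume the Samba 2.2 sambaAccount schema.
ATTRS = ("ntPassword", "lmPassword", "pwdLastSet")

def newest_entry(entries):
    """entries maps server -> attribute dict, or None if the account is
    missing there. Returns (server, attrs) with the highest pwdLastSet."""
    present = {s: a for s, a in entries.items() if a and "pwdLastSet" in a}
    if not present:
        return None
    server = max(present, key=lambda s: int(present[s]["pwdLastSet"]))
    return server, present[server]

def stale_servers(entries):
    """Servers whose copy is missing or older than the newest one."""
    best = newest_entry(entries)
    if best is None:
        return []
    newest = int(best[1]["pwdLastSet"])
    return sorted(s for s, a in entries.items()
                  if not a or int(a.get("pwdLastSet", 0)) < newest)

def ldif_for_master(dn, entries, master):
    """LDIF modify record that brings the master up to date, or None if
    the master already holds the newest password."""
    if not entries.get(master):
        raise ValueError("account missing on master; modify cannot create it")
    if master not in stale_servers(entries):
        return None
    attrs = newest_entry(entries)[1]
    lines = ["dn: " + dn, "changetype: modify"]
    for name in ATTRS:
        lines += ["replace: " + name, "%s: %s" % (name, attrs[name]), "-"]
    return "\n".join(lines) + "\n"

# Constructed sample: the workstation changed its password on replica r1.
DN = "uid=pc01$,ou=Computers,dc=example,dc=org"
SAMPLE = {
    "ldap-master.example": {"ntPassword": "A" * 32, "lmPassword": "B" * 32,
                            "pwdLastSet": "1045000000"},
    "ldap-r1.example": {"ntPassword": "C" * 32, "lmPassword": "D" * 32,
                        "pwdLastSet": "1045211749"},
    "ldap-r2.example": None,
}

if __name__ == "__main__":
    print("stale:", stale_servers(SAMPLE))
    print(ldif_for_master(DN, SAMPLE, "ldap-master.example"))
```

A non-empty stale list is also a useful monitoring signal: it shows a machine password change landed on a replica and has not reached the master.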