Knowing when a machine trust account password has changed?

John Gerth gerth-samba at graphics.stanford.edu
Wed Aug 25 03:08:50 GMT 2004 

I have a Redhat 9 Linux system with a Samba 3.0.4 PDC (tdbsam authentication)
which I'm trying to materialize for a lab cluster this fall.

I also have a Mac 10.3.5 with their Samba 3.0.2 PDC (apple open directory auth).

The client machines in the Mac domain are unable to change their machine trust
account passwords which I imagine is because the Samba is 3.0.2 not 3.0.4
and so they're running afoul of the MS patch which affected password
changing (see below).  This is becoming increasingly annoying as the clients try every
two hours to change their passwords and once you have dozens to hundreds
of machines that means both the Samba and Windows logs are constantly rattling
on about the failures.

Users are also confused because when they change their own passwords, an
error is reported, but the password is indeed changed.

Anyway, I'm trying to escalate this within Apple and am hoping to prove that
if they went to 3.0.4 that the problems would go away. Thus I'd like to show
them that the clients in the Linux Samba domain are not having this problem.
Therefore, I put a WinXP client into the Linux domain a couple of weeks ago and also
set its registry entry to change the trust password every day instead of
every week.  There aren't any more failures in the Windows logs, but I don't
think they log successes so I figured I would have to check for those on the PDC.
However, when I do "pdbedit -Lv" there it says that the trust password was
last set on the day the machine joined the domain.

I'm hoping to avoid doing a packet trace on this so:
    a) would tdbsam on Linux update the time when a trust password changed?
    b) if not, what debug level would I have to run on the Linux PDC to see the
        request arrive (4 doesn't appear to be enough)?

/John
************ the error as recorded by Windows in the system event log
  id: 3224
  description: Changing machine account password for account FUBAR$ failed with the following error:
              The stub received bad data.
  data: 0000: 0c 00 03 c0

More information about the samba-technical mailing list