Knowing when a machine trust account password has changed... nltest

John Gerth gerth-samba at graphics.stanford.edu
Sun Aug 29 06:24:13 GMT 2004 

I was able to answer my earlier question about checking tdbsam as to whether a machine
trust account password has changed. I apologize for asking in this forum, but
I thought I was going to need knowledge of smbd log entries which, understandably,
are not documented in detailed outside of the source.

If the machine SQUARE is in domain MYDOMAIN, you can use the MS support tool "nltest" to force a change with:
    nltest /sc_change_pwd:MYDOMAIN

The log on the Samba PDC will record something like:
>  Got API command 0x26 on pipe "NETLOGON" (pnum 7570)
> [2004/08/27 16:47:50, 3] rpc_server/srv_pipe.c:api_pipe_bind_req(886)
>   api_pipe_bind_req: \PIPE\NETLOGON -> \PIPE\lsass
> [2004/08/27 16:47:50, 3] rpc_server/srv_pipe.c:check_bind_req(758)
>   check_bind_req for \PIPE\NETLOGON
> [2004/08/27 16:47:50, 3] smbd/process.c:process_smb(890)
>   Transaction 44 of length 276
> [2004/08/27 16:47:50, 3] smbd/process.c:switch_message(685)
>   switch message SMBwriteX (pid 11595)
> [2004/08/27 16:47:50, 4] smbd/uid.c:change_to_user(186)
>   change_to_user: Skipping user change - already user
> [2004/08/27 16:47:50, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1156)
>   search for pipe pnum=7570
> [2004/08/27 16:47:50, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(544)
>   free_pipe_context: destroying talloc pool of size 0
> [2004/08/27 16:47:50, 4] rpc_server/srv_pipe.c:api_rpcTNP(1528)
>   api_rpcTNP: NETLOGON op 0x6 - api_rpcTNP: rpc command: NET_SRVPWSET
> [2004/08/27 16:47:50, 4] libsmb/credentials.c:cred_create(90)
>   cred_create
> [2004/08/27 16:47:50, 4] libsmb/credentials.c:cred_assert(121)
>   cred_assert
> [2004/08/27 16:47:50, 4] libsmb/credentials.c:cred_create(90)
>   cred_create
> [2004/08/27 16:47:50, 3] rpc_server/srv_netlog_nt.c:_net_srv_pwset(417)
>   Server Password Set by Wksta:[SQUARE] on account [SQUARE$]
> [2004/08/27 16:47:50, 3] smbd/sec_ctx.c:push_sec_ctx(256) 

and pdbedit will show the password change time:
> Unix username:        square$
> NT username:
> Account Flags:        [W          ]
> User SID:             S-1-5-21-365605009-162135838-3863443527-11202
> Primary Group SID:    S-1-5-21-365605009-162135838-3863443527-10773
> Full Name:            SQUARE$
> Home Directory:       \\viper\square_
> HomeDir Drive:        U:
> Logon Script:
> Profile Path:
> Domain:               MYDOMAIN
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          Mon, 18 Jan 2038 19:14:07 GMT
> Kickoff time:         Mon, 18 Jan 2038 19:14:07 GMT
> Password last set:    Fri, 27 Aug 2004 16:47:50 GMT
> Password can change:  Fri, 27 Aug 2004 16:47:50 GMT
> Password must change: Mon, 18 Jan 2038 19:14:07 GMT
> Last bad password   : 0
> Bad password count  : 0 
>
  For a further discussion of nltest, see:

  http://support.microsoft.com:80/support/kb/articles/q181/1/71.asp&NoWebContent=1

More information about the samba-technical mailing list