machine trust account password changes
gerth-samba at graphics.stanford.edu
Sun Aug 29 17:54:20 GMT 2004
Andrew Bartlett wrote:
> I have a custom patch at my site (attached, out of morbid interest) that
> doesn't change the 'last change time' if the client sends the same value
> for the new password as the old one. This happens with my WinXP
> clients, but this patch significantly reduced load on my LDAP servers.
Ironically, reducing the load on the LDAP server (in my case, Apple's
Open Directory under OSX 10.3.5) is my goal too. As you may remember in
my original post the problem is that the Samba (a flavor of 3.0.2)
on the Mac is returning something which both Win2K and WinXP log as
an event 3224 with bad "stub data". Then, since the change has failed,
they try again every two hours. As the number of machines grows, this
results in a constant stream of requests. Finding out that the machines
are going to set the new password to the same value makes this all
doubly galling. I'd actually be tempted to put on your patch if I ever
get desperate enough to try and get the source for the Apple.
I also found articles on the web indicating that one could alter the
interval between requests (WinXP changed it from 7 days to 30 days) by
tweaking the registry key
So I joined a new machine to the domain and set the value to 1, but it
didn't seem to provoke more frequent attempts. That's how I ended up
looking again and finding nltest.
So now I can show that nltest changes are successful with 3.0.4 and fail
with the Mac's 3.0.2 Samba. Did a regular 3.0.2 on, say Linux, also have
problems with changing machine trust passwords after the MS RPC fix that
broke changing user password?
Do you think that it's reasonable to believe that if Apple went to 3.0.4
that the machine trust account changes would start working?
More information about the samba-technical