machine trust account password changes

John Gerth gerth-samba at
Sun Aug 29 17:54:20 GMT 2004

Andrew Bartlett wrote:
> I have a custom patch at my site (attached, out of morbid interest) that
> doesn't change the 'last change time' if the client sends the same value
> for the new password as the old one.  This happens with my WinXP
> clients, but this patch significantly reduced load on my LDAP servers.
  Ironically, reducing the load on the LDAP server (in my case, Apple's
  Open Directory under OSX 10.3.5) is my goal too. As you may remember in
  my original post the problem is that the Samba (a flavor of 3.0.2)
  on the Mac is returning something which both Win2K and WinXP log as
  an event 3224 with bad "stub data".  Then, since the change has failed,
  they try again every two hours. As the number of machines grows, this
  results in a constant stream of requests. Finding out that the machines
  are going to set the new password to the same value makes this all
  doubly galling. I'd actually be tempted to put on your patch if I ever
  get desperate enough to try and get the source for the Apple.

  I also found articles on the web indicating that one could alter the
  interval between requests (WinXP changed it from 7 days to 30 days) by
  tweaking the registry key
  So I joined a new machine to the domain and set the value to 1, but it
  didn't seem to provoke more frequent attempts.  That's how I ended up
  looking again and finding nltest.

  So now I can show that nltest changes are successful with 3.0.4 and fail
  with the Mac's 3.0.2 Samba.  Did a regular 3.0.2 on, say Linux, also have
  problems with changing machine trust passwords after the MS RPC fix that
  broke changing user password?

  Do you think that it's reasonable to believe that if Apple went to 3.0.4
  that the machine trust account changes would start working?

More information about the samba-technical mailing list