machine trust account password changes

Andrew Bartlett abartlet at
Sun Aug 29 22:44:37 GMT 2004

On Mon, 2004-08-30 at 03:54, John Gerth wrote:
> Andrew Bartlett wrote:
> > 
> > I have a custom patch at my site (attached, out of morbid interest) that
> > doesn't change the 'last change time' if the client sends the same value
> > for the new password as the old one.  This happens with my WinXP
> > clients, but this patch significantly reduced load on my LDAP servers.
> > 
>   Ironically, reducing the load on the LDAP server (in my case, Apple's
>   Open Directory under OSX 10.3.5) is my goal too. As you may remember in
>   my original post the problem is that the Samba (a flavor of 3.0.2)
>   on the Mac is returning something which both Win2K and WinXP log as
>   an event 3224 with bad "stub data".  Then, since the change has failed,
>   they try again every two hours. As the number of machines grows, this
>   results in a constant stream of requests. Finding out that the machines
>   are going to set the new password to the same value makes this all
>   doubly galling. I'd actually be tempted to put on your patch if I ever
>   get desperate enough to try and get the source for the Apple.

It's all up on their Darwin source website, or you could make a nice
pain of yourself, and either find the included source CD (unlikely) or
the required notice (I wonder if Apple's lawyers are awake) and make a
formal request :-).

I'm not sure exactly what particular state of brokenness my clients were
in - some are under a delusion that we are running AD (due to bugs in
old, pre 3.0 versions of Samba), but the patch did help a lot.

>   I also found articles on the web indicating that one could alter the
>   interval between requests (WinXP changed it from 7 days to 30 days) by
>   tweaking the registry key
>    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
>   So I joined a new machine to the domain and set the value to 1, but it
>   didn't seem to provoke more frequent attempts.  That's how I ended up
>   looking again and finding nltest.
>   So now I can show that nltest changes are successful with 3.0.4 and fail
>   with the Mac's 3.0.2 Samba.  Did a regular 3.0.2 on, say, Linux also have
>   problems with changing machine trust passwords after the MS RPC fix that
>   broke changing user passwords?
>   Do you think that it's reasonable to believe that if Apple went to 3.0.4
>   that the machine trust account changes would start working?

Yes.  Your analysis is completely correct.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Authentication Developer, Samba Team  
Student Network Administrator, Hawker College   abartlet at
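The two Windows-side checks discussed in this thread, the Netlogon registry value that sets the machine password change interval and using nltest to force a change, as an added example that is not part of the original posts or of Samba. It assumes an elevated PowerShell on a domain-joined client; the domain name 'EXAMPLE' is a placeholder, and the function names are the example's own.

```powershell
# Added example (not from the thread): inspect the Netlogon parameters that
# control how often a Windows domain member rotates its machine account
# password, then force a change with nltest to exercise the DC's RPC path.
# Assumed: elevated PowerShell on a domain-joined client; 'EXAMPLE' below is
# a placeholder domain name.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordPolicy {
    # MaximumPasswordAge is a REG_DWORD in days (XP default 30, NT/2000 default 7).
    # DisablePasswordChange = 1 stops the client from rotating the password at all,
    # which is the blunt way to silence the retry traffic the thread complains about.
    $p = Get-ItemProperty -Path $NetlogonParams -ErrorAction Stop
    [pscustomobject]@{
        MaximumPasswordAgeDays = if ($null -ne $p.MaximumPasswordAge) { [int]$p.MaximumPasswordAge } else { 30 }
        DisablePasswordChange  = [bool]$p.DisablePasswordChange
    }
}

function Set-MachinePasswordAge {
    param([Parameter(Mandatory)][ValidateRange(1, 999)][int]$Days)
    # Writes the interval only; lowering it does not by itself trigger a change,
    # so a client that has just been joined will not immediately attempt one.
    Set-ItemProperty -Path $NetlogonParams -Name MaximumPasswordAge -Value $Days -Type DWord
}

function Test-MachinePasswordChange {
    param([Parameter(Mandatory)][string]$Domain)
    # /sc_change_pwd forces a password change over the Netlogon secure channel,
    # the same path the scheduled change uses, so a DC that rejects it here
    # will also reject the periodic attempts. /sc_verify then confirms the
    # channel still works with the new password.
    $change = & nltest.exe "/sc_change_pwd:$Domain" 2>&1
    $changeOk = ($LASTEXITCODE -eq 0)
    $verify = & nltest.exe "/sc_verify:$Domain" 2>&1
    [pscustomobject]@{
        ChangeSucceeded = $changeOk
        VerifySucceeded = ($LASTEXITCODE -eq 0)
        ChangeOutput    = ($change -join "`n")
        VerifyOutput    = ($verify -join "`n")
    }
}

Get-MachinePasswordPolicy
Test-MachinePasswordChange -Domain 'EXAMPLE'
```

If ChangeSucceeded is false, check the Netlogon events on the client and the DC-side log for the same timestamp; a client that fails here will keep retrying on its own schedule, which is the load pattern described above.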