machine trust account password changes
abartlet at samba.org
Sun Aug 29 22:44:37 GMT 2004
On Mon, 2004-08-30 at 03:54, John Gerth wrote:
> Andrew Bartlett wrote:
> > I have a custom patch at my site (attached, out of morbid interest) that
> > doesn't change the 'last change time' if the client sends the same value
> > for the new password as the old one. This happens with my WinXP
> > clients, but this patch significantly reduced load on my LDAP servers.
> Ironically, reducing the load on the LDAP server (in my case, Apple's
> Open Directory under OSX 10.3.5) is my goal too. As you may remember in
> my original post the problem is that the Samba (a flavor of 3.0.2)
> on the Mac is returning something which both Win2K and WinXP log as
> an event 3224 with bad "stub data". Then, since the change has failed,
> they try again every two hours. As the number of machines grows, this
> results in a constant stream of requests. Finding out that the machines
> are going to set the new password to the same value makes this all
> doubly galling. I'd actually be tempted to put on your patch if I ever
> get desperate enough to try and get the source for the Apple.
It's all up on their Darwin source website, or you could make a nice
pain of yourself, and either find the included source CD (unlikely) or
the required notice (I wonder if apple's lawyers are awake) and make a
formal request :-).
I'm not sure exactly what particular state of brokenness my clients were
in - some are under a delusion that we are running AD (due to bugs in
old, pre 3.0 versions of Samba), but the patch did help a lot.
> I also found articles on the web indicating that one could alter the
> interval between requests (WinXP changed it from 7 days to 30 days) by
> tweaking the registry key
> So I joined a new machine to the domain and set the value to 1, but it
> didn't seem to provoke more frequent attempts. That's how I ended up
> looking again and finding nltest.
> So now I can show that nltest changes are successful with 3.0.4 and fail
> with the Mac's 3.0.2 Samba. Did a regular 3.0.2 on, say Linux, also have
> problems with changing machine trust passwords after the MS RPC fix that
> broke changing user password?
> Do you think that it's reasonable to believe that if Apple went to 3.0.4
> that the machine trust account changes would start working?
Yes. Your analysis is completely correct.
Andrew Bartlett abartlet at samba.org
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040830/2d45c289/attachment.bin
More information about the samba-technical