machine trust account password changes
Andrew Bartlett
abartlet at samba.org
Sun Aug 29 22:44:37 GMT 2004
On Mon, 2004-08-30 at 03:54, John Gerth wrote:
> Andrew Bartlett wrote:
> >
> > I have a custom patch at my site (attached, out of morbid interest) that
> > doesn't change the 'last change time' if the client sends the same value
> > for the new password as the old one. This happens with my WinXP
> > clients, but this patch significantly reduced load on my LDAP servers.
> >
> Ironically, reducing the load on the LDAP server (in my case, Apple's
> Open Directory under OSX 10.3.5) is my goal too. As you may remember in
> my original post the problem is that the Samba (a flavor of 3.0.2)
> on the Mac is returning something which both Win2K and WinXP log as
> an event 3224 with bad "stub data". Then, since the change has failed,
> they try again every two hours. As the number of machines grows, this
> results in a constant stream of requests. Finding out that the machines
> are going to set the new password to the same value makes this all
> doubly galling. I'd actually be tempted to put on your patch if I ever
> get desperate enough to try and get the source for the Apple.
It's all up on their Darwin source website, or you could make a nice
pain of yourself, and either find the included source CD (unlikely) or
the required notice (I wonder if apple's lawyers are awake) and make a
formal request :-).
I'm not sure exactly what particular state of brokenness my clients were
in - some are under a delusion that we are running AD (due to bugs in
old, pre 3.0 versions of Samba), but the patch did help a lot.
> I also found articles on the web indicating that one could alter the
> interval between requests (WinXP changed it from 7 days to 30 days) by
> tweaking the registry key
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\maximumpasswordage
> So I joined a new machine to the domain and set the value to 1, but it
> didn't seem to provoke more frequent attempts. That's how I ended up
> looking again and finding nltest.
>
> So now I can show that nltest changes are successful with 3.0.4 and fail
> with the Mac's 3.0.2 Samba. Did a regular 3.0.2 on, say Linux, also have
> problems with changing machine trust passwords after the MS RPC fix that
> broke changing user password?
Yes.
> Do you think that it's reasonable to believe that if Apple went to 3.0.4
> that the machine trust account changes would start working?
Yes. Your analysis is completely correct.
Andrew Bartlett
--
Andrew Bartlett abartlet at samba.org
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
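As an added illustration of the optimisation Andrew describes (this is not Samba's code and not his patch; it is a stand-alone model written for this archive page), the store below only rewrites the machine account's secret and its last-change time when the client actually submits a different value. A client that resubmits the same value every cycle, as the thread's XP machines do, is acknowledged but causes no backend write. Assumptions: an in-memory dictionary stands in for the LDAP backend, SHA-256 stands in for the hash the real protocol carries so the example runs anywhere, and the account names and secrets are constructed sample values.

```python
"""Skip no-op machine trust account password changes.

Model of a domain controller's account store that, like the behaviour
described in the thread, updates the stored secret and its 'last change
time' only when the submitted value differs from what is already stored.
Constructed example; not Samba's implementation.
"""
import hashlib
import hmac
import time


def _hash_secret(secret: bytes) -> bytes:
    # Stand-in for the NT hash the real protocol carries (assumption made so
    # the example runs without any OS-specific hash support).
    return hashlib.sha256(secret).digest()


class MachineAccountStore:
    """Minimal in-memory stand-in for the LDAP backend."""

    def __init__(self):
        self._accounts = {}      # sAMAccountName -> {"hash": bytes, "last_set": float}
        self.backend_writes = 0  # number of directory writes actually performed

    def create(self, name, secret, now=None):
        """Create a machine account with an initial secret (one backend write)."""
        self._accounts[name] = {
            "hash": _hash_secret(secret),
            "last_set": now if now is not None else time.time(),
        }
        self.backend_writes += 1

    def change_password(self, name, new_secret, now=None, skip_identical=True):
        """Handle a client password change.

        Returns "updated" when the secret and last-change time were rewritten,
        or "unchanged" when the client sent the value already on record and
        skip_identical is set. Raises KeyError for an unknown account.
        """
        rec = self._accounts[name]
        new_hash = _hash_secret(new_secret)
        # Constant-time comparison: the decision must not leak how much of the
        # submitted value matches the stored one.
        if skip_identical and hmac.compare_digest(new_hash, rec["hash"]):
            return "unchanged"
        rec["hash"] = new_hash
        rec["last_set"] = now if now is not None else time.time()
        self.backend_writes += 1
        return "updated"

    def last_set(self, name):
        """Return the stored last-change time for an account."""
        return self._accounts[name]["last_set"]


def simulate_client(store, name, secret, cycles, skip_identical=True):
    """Model a client that resubmits the same secret every change cycle.

    Returns the number of backend writes those submissions caused.
    """
    before = store.backend_writes
    for i in range(cycles):
        store.change_password(name, secret, now=1000 + i, skip_identical=skip_identical)
    return store.backend_writes - before


if __name__ == "__main__":
    store = MachineAccountStore()
    store.create("WS01$", b"constructed-initial-secret", now=0)
    writes = simulate_client(store, "WS01$", b"constructed-initial-secret", 12)
    print(f"identical submissions caused {writes} backend writes")
    print(store.change_password("WS01$", b"constructed-rotated-secret", now=50))
```

The `skip_identical=False` path shows the load the thread is complaining about: every submission becomes a directory write even though nothing changed. A caveat the model makes visible is that with the skip in place the last-change time stays at the original value, so a monitoring rule that expects every machine account to show a recent change will flag these accounts unless it is adjusted.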