How are machine passwords updated/refreshed in Samba 3.0

Krishna Ganugapati krishnag at marakicorp.com
Thu Nov 3 21:45:56 GMT 2005


I'm trying to understand the code base of Samba 3.0.

An AD join is well documented in utils/net_ads.c:
1) A machine account is created in the directory
2) A password is set on the machine account
2a) Machine password is stored in the tdb - as secrets_store_machine_password()
3) The password and principal name are used to create a Kerberos key which is stored in the system keytab file

Similarly, an old-style NT4 domain member is probably documented in utils/net_join_rpc.c - net_rpc_join_newstyle:
1) A machine account is created (verified it's a machine account because of the appended "$")
2) A password is set on the machine account
3) The domain join is tested by doing a netlogon with the newly created account (cli_nt_establish_netlogon (using the md4_trust_password))
4) The password is stored in the secret database.

Here are my questions
a) Am I right about the AD join?
b) Am I right about the net_rpc_join_newstyle being the join to an NT4 domain (if so, why is this called newstyle - unless something changed since NT3.x days to NT4) - can someone comment on this?

c) How are machine passwords updated in Samba 3.0 - I believe machine passwords are updated once every 30 days. Who initiates the password change? I'm presuming it is the client ... in which case it must be initiated by a daemon process - which one is it?

d) Here is something I don't understand in net_rpc_join_newstyle

After the machine has been successfully joined to the domain and tested by doing cli_nt_establish_netlogon (line 313 in net_join_rpc.c), the machine password and the domain SID are stored in the secrets database


Here's my question:

The machine password has to be periodically refreshed. Who initiates this? If the client initiates this, then there must be some daemon process that periodically does this. Is this the case?

If the machine password is updated only on administrator input, does this mean that machine account passwords never expire? Once trusted always trusted?

If there is a daemon running, can someone shed light on how this is done in Samba?

Thanks

Krishna

