How are machine passwords updated/refreshed in Samba 3.0

Andrew Bartlett abartlet at
Thu Nov 3 22:21:45 GMT 2005

On Thu, 2005-11-03 at 13:45 -0800, Krishna Ganugapati wrote:
> I'm  trying to understand the code base of Samba 3.0
> An AD join is well documented in utils/net_ads.c 
>  1) A machine account is created in the directory
> 2) A password is set on the machine account
> 2a) Machine password is stored in the tdb - as secrets_store_machine_password()
> 3) The password, principal name are used to create a kerberos key which is stored in the system keytab file
> Similarly an old style NT4 domain member is probably  documented in utils/net_join_rpc.c - net_rpc_join_newstyle
> 1) A machine account is created  - (verified its a machine account because of the appended "$")
> 2) A password is set on the machine account
> 3) The domain join is tested doing a netlogon with the newly created account ( cli_nt_establish_netlogon(using the md4_trust_password))
> 4) The password is stored in the secret database.
> Here are my questions
> a) Am I right about the AD join?
> b) Am I right about the net_rpc_join_newstyle being the join to an NT4 domain 
>    (if so, why is this called newstyle - unless something changed since NT3.x days 
>    to NT4) - can someone comment on this?

The 'oldstyle' worked on an assumption that NT4 (and below, I presume)
had, which was that the account was created in 'Server Manager' with a
fixed password (being the machine name).

The newstyle takes the administrator (or suitably privileged user) and
creates the account from scratch.

> c) How are machine passwords updated in Samba 3.0 - I believe machine 
>    passwords are updated once every 30 days. Who initiates the password  
>    change? I'm presuming it is the client ... in which case it must be 
>    initiated by a daemon process - which one is it?

Currently nobody does, due to accidents of history.  It has caused
surprisingly few problems.  You can manually call 'net ads
changetrustpw' to change it.  

It was changed by smbd, but smbd no longer reads that password, so
doesn't trigger the change.  It also doesn't do it for ADS joins.  We
could add this to winbindd easily (particularly as we discovered new
RPCs recently).

> d) Here is something I don't understand in  net_rpc_join_newstyle 
> After the machine has been successfully joined  to the domain and 
> tested by doing  cli_nt_establish_netlogon ( line 313 in net_join_rpc.c)
> the machine password and the  domain sid  is stored in the secrets database
> Here's my question:
> The machine password has to be periodically refreshed. Who initiates this? 
> If the client initiates this, then there must be some daemon process that 
> periodically does this. Is this the case?
> If the machine password is updated only on administrator input, does 
> this mean that machine account passwords never expire? Once trusted always trusted?

Apparently so.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list