How are machine passwords updated/refreshed in Samba 3.0

Krishna Ganugapati krishnag at
Thu Nov 3 23:14:29 GMT 2005

I actually thought the same - that it was mandatory to update machine 
passwords... (by the way, thank you for the clarification).

Your  answer about adding this to winbindd brings up an interesting thought. 
>From what I've read of winbind, it's primary goal is to provide NT4 accounts 
and AD counts  logon capabilities (mapping AD/NT4 SIDs to Linux uids and 
gids) and support the equivalent of LookupAccountName and LookupAccountSid. 
... Seems like winbindd is really the quasi-equivalent of lsass on Windows. 
Is this accurate?

Because if so, you'd really want winbindd to be the service wrappered around 
secrets.tdb and even the kerberos keytab stuff.  I haven't spelunked through 
the code a whole lot, but it seems like today utilities directly access the 
secrets.tdb file and the Kerberos keytab files <is this correct?>
<begin-speculation, I could be very wrong>
- Granted they have access because the user invoking the smb utilities has 
euid and egid privileges on the secrets.tdb file to manipulate it, but it 
would be kind of nice if the "samba-lsass"/winbindd was the protected 
service and one had to make equivalent local rpc calls to manipulate stuff 
to the winbindd service. Today' you're anyway accessing remote SAM databases 
through rpc calls (over pipes /netbios-over-tcpip),

Am I completely wrong here?

----- Original Message ----- 
From: "Henrik Nordstrom" <hno at>
To: "Andrew Bartlett" <abartlet at>
Cc: "Krishna Ganugapati" <krishnag at>; 
<samba-technical at>
Sent: Thursday, November 03, 2005 2:35 PM
Subject: Re: How are machine passwords updated/refreshed in Samba 3.0

> On Fri, 4 Nov 2005, Andrew Bartlett wrote:
>>> c) How are machine passwords updated in Samba 3.0 - I believe machine
>> Currently nobody does, due to accidents of history.  It has caused
>> surprisingly few problems.  You can manually call 'net ads
>> changetrustpw' to change it.
> Interesting. Had the impression winbindd did take care of this.
> Any idea why it is causing such few problems?
> From what I know of NT Domain it's fairly crucial that the computer 
> account is working proper.. but I suppose it could be that it never really 
> expires, just a policy that it should be replaced every now an then.. 
> (would be difficult for environments with laptops being away for extended 
> periods of time otherwise..)
> Regards
> Henrik

More information about the samba-technical mailing list