How are machine passwords updated/refreshed in Samba 3.0

Andrew Bartlett abartlet at
Thu Nov 3 23:20:09 GMT 2005

On Thu, 2005-11-03 at 15:14 -0800, Krishna Ganugapati wrote:
> I actually thought the same - that it was mandatory to update machine 
> passwords... (by the way, thank you for the clarification).
> Your answer about adding this to winbindd brings up an interesting thought. 
> From what I've read of winbind, its primary goal is to provide NT4 accounts 
> and AD accounts logon capabilities (mapping AD/NT4 SIDs to Linux uids and 
> gids) and support the equivalent of LookupAccountName and LookupAccountSid. 
> ... Seems like winbindd is really the quasi-equivalent of lsass on Windows. 
> Is this accurate?

Winbindd has become the kitchen sink of 'if it needs to be in a
persistent samba daemon'.  It includes connection caching in particular,
and uses that to support lookupname/lookupsid for smbd processes and

> Because if so, you'd really want winbindd to be the service wrapped around 
> secrets.tdb and even the kerberos keytab stuff.  I haven't spelunked through 
> the code a whole lot, but it seems like today utilities directly access the 
> secrets.tdb file and the Kerberos keytab files <is this correct?>

No, we don't use keytabs in Samba3.  We just read the password, and
perform comparisons in memory.

> <begin-speculation, I could be very wrong>
> - Granted they have access because the user invoking the smb utilities has 
> euid and egid privileges on the secrets.tdb file to manipulate it, but it 
> would be kind of nice if the "samba-lsass"/winbindd was the protected 
> service and one had to make equivalent local rpc calls to manipulate stuff 
> to the winbindd service. Today you're anyway accessing remote SAM databases 
> through rpc calls (over pipes /netbios-over-tcpip),
> <end-speculation>
> Am I completely wrong here?

Samba operates smbd with regain-able root privileges, so can become root
to access things as required.  For secrets.tdb, it simply opens it at
startup, but anyway...

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
