How are machine passwords updated/refreshed in Samba 3.0
Andrew Bartlett
abartlet at samba.org
Thu Nov 3 23:20:09 GMT 2005
On Thu, 2005-11-03 at 15:14 -0800, Krishna Ganugapati wrote:
> I actually thought the same - that it was mandatory to update machine
> passwords... (by the way, thank you for the clarification).
>
> Your answer about adding this to winbindd brings up an interesting thought.
> From what I've read of winbind, its primary goal is to provide NT4 accounts
> and AD accounts logon capabilities (mapping AD/NT4 SIDs to Linux uids and
> gids) and support the equivalent of LookupAccountName and LookupAccountSid.
> ... Seems like winbindd is really the quasi-equivalent of lsass on Windows.
> Is this accurate?
Winbindd has become the kitchen sink of 'if it needs to be in a
persistent samba daemon'. It includes connection caching in particular,
and uses that to support lookupname/lookupsid for smbd processes and
others.
> Because if so, you'd really want winbindd to be the service wrappered around
> secrets.tdb and even the kerberos keytab stuff. I haven't spelunked through
> the code a whole lot, but it seems like today utilities directly access the
> secrets.tdb file and the Kerberos keytab files <is this correct?>
No, we don't use keytabs in Samba3. We just read the password, and
perform comparisons in memory.
> <begin-speculation, I could be very wrong>
> - Granted they have access because the user invoking the smb utilities has
> euid and egid privileges on the secrets.tdb file to manipulate it, but it
> would be kind of nice if the "samba-lsass"/winbindd was the protected
> service and one had to make equivalent local rpc calls to manipulate stuff
> to the winbindd service. Today you're anyway accessing remote SAM databases
> through rpc calls (over pipes /netbios-over-tcpip),
> <end-speculation>
>
> Am I completely wrong here?
Samba operates smbd with regain-able root privileges, so can become root
to access things as required. For secrets.tdb, it simply opens it at
startup, but anyway...
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net