How are machine passwords updated/refreshed in Samba 3.0
abartlet at samba.org
Thu Nov 3 23:20:09 GMT 2005
On Thu, 2005-11-03 at 15:14 -0800, Krishna Ganugapati wrote:
> I actually thought the same - that it was mandatory to update machine
> passwords... (by the way, thank you for the clarification).
> Your answer about adding this to winbindd brings up an interesting thought.
> >From what I've read of winbind, it's primary goal is to provide NT4 accounts
> and AD counts logon capabilities (mapping AD/NT4 SIDs to Linux uids and
> gids) and support the equivalent of LookupAccountName and LookupAccountSid.
> ... Seems like winbindd is really the quasi-equivalent of lsass on Windows.
> Is this accurate?
Winbindd has become the kitchen sink of 'if it needs to be in a
persistent samba deamon'. It includes connection caching in particular,
and uses that to support lookupname/lookupsid for smbd processes and
> Because if so, you'd really want winbindd to be the service wrappered around
> secrets.tdb and even the kerberos keytab stuff. I haven't spelunked through
> the code a whole lot, but it seems like today utilities directly access the
> secrets.tdb file and the Kerberos keytab files <is this correct?>
No, we don't use keytabs in Samba3. We just read the password, and
perform comparisons in memory.
> <begin-speculation, I could be very wrong>
> - Granted they have access because the user invoking the smb utilities has
> euid and egid privileges on the secrets.tdb file to manipulate it, but it
> would be kind of nice if the "samba-lsass"/winbindd was the protected
> service and one had to make equivalent local rpc calls to manipulate stuff
> to the winbindd service. Today' you're anyway accessing remote SAM databases
> through rpc calls (over pipes /netbios-over-tcpip),
> Am I completely wrong here?
Samba operates smbd with regain-able root privileges, so can become root
to access things as required. For secrets.tdb, it simply opens it at
startup, but anyway...
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20051104/0dbc08a9/attachment.bin
More information about the samba-technical