[Samba] Secret is bad
Andrew Bartlett
abartlet at pcug.org.au
Sat May 11 19:01:02 GMT 2002
"Konkol, Josh" wrote:
>
> I have two suggestions:
>
> 1. I would change your winbind separator. I think it's confusing if you
> use the default '\'. To do this add a line to your winbind segment that
> says:
>
> winbind separator = +
>
> 2. In my experience with "Secret is Bad", I had a 90% fix rate when I did
> the following
>
> Deleted all files under %sambaroot%\private
BAD IDEA. The data in this directory is intended to be persistent - and
deleting it will regenerate the computer SID. This can have unintended
consequences.
> Re-created the samba machine account using:
> %sambaroot%\bin\smbpasswd -a -m MACHINENAME$
Not required - the 'machinename$' account exists on the PDC ONLY. You
only even 'see' this on a Samba PDC - on win2k that account appears in
'server manager' as the domain member.
> Delete the computer account in the domain using Server Manager
> Re-joined the domain using: %sambaroot%\bin\smbpasswd -j DOMAINNAME
> -r PDCNAME
> Then check the secret again.
It is better to simply rejoin the domain from the unix command line:
smbpasswd -j DOMAIN -r PDC -Uadministrator
As this avoids a nasty race condition: 'Adding' a machine to a domain
actually sets a well-known password on the account - a password that the
machine then 'knows' (it's based on the workstation/server name) and
changes during the 'join'. Somebody else could change it first - which
would not be 'a good thing'.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
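An added illustration (not from this post or from Samba) of the race Andrew describes: a toy PDC account store with the two join procedures side by side. It assumes the well-known initial password is the lower-cased machine name; the post only says it is based on the name.

```python
# Added example, not Samba code: model the two join procedures to show
# where the race window of the two-step (pre-create, then join) lies.

def well_known_password(machine):
    # Assumption: the well-known initial password is the lower-cased name.
    return machine.lower()


class Pdc:
    """Toy PDC account store: machine account name -> current password."""

    def __init__(self, admin_password):
        self.admin_password = admin_password
        self.accounts = {}

    def precreate_account(self, machine):
        # Server Manager style: account is born with the well-known password.
        self.accounts[machine + "$"] = well_known_password(machine)

    def change_password(self, machine, old, new):
        # Whoever knows the current password may change it.
        acct = machine + "$"
        if self.accounts.get(acct) != old:
            return False
        self.accounts[acct] = new
        return True

    def admin_join(self, machine, admin_password, new):
        # smbpasswd -j DOMAIN -r PDC -Uadministrator: the account is created
        # and set to the machine's chosen secret in one authenticated step.
        if admin_password != self.admin_password:
            return False
        self.accounts[machine + "$"] = new
        return True


def two_step_join(pdc, machine, secret, interloper_secret=None):
    """Pre-create, then let the machine replace the well-known password.
    Returns True if the machine's secret matches the PDC's copy afterwards."""
    pdc.precreate_account(machine)
    if interloper_secret is not None:
        # Race window: someone else changes the well-known password first.
        pdc.change_password(machine, well_known_password(machine), interloper_secret)
    pdc.change_password(machine, well_known_password(machine), secret)
    return pdc.accounts.get(machine + "$") == secret


def one_step_join(pdc, machine, secret, admin_password, interloper_secret=None):
    """Authenticated join: no well-known password ever exists on the account."""
    if interloper_secret is not None:
        # Nothing to race: the account does not exist yet, so this fails.
        pdc.change_password(machine, well_known_password(machine), interloper_secret)
    pdc.admin_join(machine, admin_password, secret)
    return pdc.accounts.get(machine + "$") == secret
```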