[Samba] Secret is bad

Andrew Bartlett abartlet at pcug.org.au
Sat May 11 19:01:02 GMT 2002


"Konkol, Josh" wrote:
> 
> I have two suggestions:
> 
> 1.  I would change your winbind separator.  I think it's confusing if you
> use the default '\'.  To do this add a line to your winbind segment that
> says:
> 
>         winbind separator = +
> 
> 2.  In my experience with "Secret is Bad", I had a 90% fix rate when I did
> the following
> 
>         Deleted all files under %sambaroot%\private

BAD IDEA.  The data in this directory is intended to be persistent - and
deleting it will regenerate the computer SID.  This can have unintended
consequences.

>         Re-created the samba machine account using:
> %sambaroot%\bin\smbpasswd -a -m MACHINENAME$

Not required - the 'machinename$' account exists on the PDC ONLY.  You
only even 'see' this on a Samba PDC - on win2k that account appears in
'server manager' as the domain member.

>         Delete the computer account in the domain using Server Manager
>         Re-joined the domain using:  %sambaroot%\bin\smbpasswd -j DOMAINNAME
> -r PDCNAME
>         Then check the secret again.

It is better to simply rejoin the domain from the unix command line:

smbpasswd -j DOMAIN -r PDC -Uadministrator

As this avoids a nasty race condition:  'Adding' a machine to a domain
actually sets a well-known password on the account - a password that the
machine then 'knows' (it's based on the workstation/server name) and
changes during the 'join'.  Somebody else could change it first - which
would not be 'a good thing'.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net