[Samba] Secret is bad

Andrew Bartlett abartlet at pcug.org.au
Sat May 11 19:01:02 GMT 2002

"Konkol, Josh" wrote:
> I have two suggestions:
> 1.  I would change your winbind separator.  I think it's confusing if you
> use the default '\'.  To do this add a line to your winbind segment that
> says:
>         winbind separator = +
> 2.  In my experience with "Secret is Bad", I had a 90% fix rate when I did
> the following
>         Deleted all files under %sambaroot%\private

BAD IDEA.  The data in this directory is intended to be persistent - and
deleting it will regenerate the computer SID.  This can have unintended

>         Re-created the samba machine account using:
> %sambaroot%\bin\smbpasswd -a -m MACHINENAME$

Not required - the 'machinename$' account exists on the PDC ONLY.  You
only even 'see' this on a Samba PDC - on win2k that account appears in
'server manager' as the domain member.

>         Delete the computer account in the domain using Server Manager
>         Re-joined the domain using:  %sambaroot%\bin\smbpasswd -j DOMAINNAME
>         Then check the secret again.

It is better to simply rejoin the domain from the unix command line:

smbpasswd -j DOMAIN -r PDC -Uadministrator

As this avoids a nasty race condition:  'Adding' a machine to a domain
actually sets a well-known password on the account - a password that the
machine then 'knows' (it's based on the workstation/server name) and
changes during the 'join'.  Somebody else could change it first - which
would not be 'a good thing'.

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
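The procedure the reply recommends, turned into a small POSIX sh script, as an added example that is not part of the original post or of Samba itself: check the machine trust secret first, never delete private/ (copy it aside instead, so the SID it holds survives), and only then rejoin from the unix side with the `smbpasswd -j DOMAIN -r PDC -Uadministrator` form quoted above. The trust check uses `wbinfo -t`, which validates the workstation trust account; the default private directory path, and the `WBINFO`/`SMBPASSWD`/`SAMBA_PRIVATE` override variables, are assumptions made for this example so it can be exercised without a real domain.

```shell
#!/bin/sh
# Added example (not from the thread): handle "Secret is bad" without
# destroying the data under private/.
# Assumptions: wbinfo -t reports whether the trust secret validates,
# smbpasswd -j DOMAIN -r PDC -Uadministrator rejoins as in the post,
# and /usr/local/samba/private is the private directory (assumed default).

SAMBA_PRIVATE="${SAMBA_PRIVATE:-/usr/local/samba/private}"
WBINFO="${WBINFO:-wbinfo}"
SMBPASSWD="${SMBPASSWD:-smbpasswd}"

# trust_ok: exit 0 when the machine trust account secret validates.
trust_ok() {
    "$WBINFO" -t >/dev/null 2>&1
}

# backup_private SRC DEST: copy the private directory aside (dotfiles
# included) and leave the original untouched, so the SID is never lost.
backup_private() {
    src=$1
    dest=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    cp -pR "$src/." "$dest/" || return 1
    echo "private/ copied to $dest (original kept)"
    return 0
}

# repair_secret DOMAIN PDC BACKUPDIR: rejoin only if the secret is bad,
# after backing up private/.  Exit 0 when the secret validates afterwards.
repair_secret() {
    domain=$1
    pdc=$2
    backup=$3
    if trust_ok; then
        echo "trust secret OK, nothing to do"
        return 0
    fi
    backup_private "$SAMBA_PRIVATE" "$backup" || return 1
    # Rejoin from the unix side so the join immediately replaces the
    # well-known initial machine password (the race the post describes).
    "$SMBPASSWD" -j "$domain" -r "$pdc" -Uadministrator || return 1
    trust_ok
}
```

Run as `SAMBA_PRIVATE=/path/to/private sh repair.sh` and call `repair_secret DOMAIN PDC /root/private-backup-$(date +%F)` at the bottom; the only destructive step is the rejoin itself, and it is attempted only after the trust check has actually failed and a copy of private/ exists.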
