Samba BDCs and machine trust account passwords

Mikko Kortelainen mkortela at cc.hut.fi
Thu Jan 16 11:43:01 GMT 2003

I have a problem with machine trust accounts breaking in a purely Samba
controlled domain. I have one master Samba server acting as a PDC, and
three slave servers in different networks. The UNIX user account
information is updated by means of NIS, and smbpasswd gets rsync'ed to
the slave servers whenever there is a change in the file. All this works
without problems at all times.

When I attach workstations to the domain, everything works fine for a
while. But after a certain time (a few hours to a few weeks) the
workstations start complaining that the machine trust account with the
domain is broken. In fact, in the log files it says that the
authentication fails because the password challenge and response are
different, so it really seems that the password that the workstation has
is different from the one Samba has. This problem comes up only within
the networks of the slave servers; the network of the master server has
never had any problems (it has been up and running for more than 6 months
without problems now).

Could this mean that the workstation thinks it has changed its trust
account password successfully, while the Samba server still has the old

How often do the Windows workstations change their trust account passwords?

Would it be possible for a workstation to negotiate a new password with
a SLAVE server, that would be overwritten whenever the master sends a
new copy of smbpasswd to the slaves?

Do I have to have a script at the slave servers that updates the master
server's smbpasswd whenever there's a change in their own files? Can I
do this with the "unix password sync" and "passwd program" and "passwd
chat" smb.conf-options? Or is there a way to tell Samba not to change
the password in the local smbpasswd, but hand it to the master server
instead? Can the "password server" option do this?

Mikko Kortelainen
mikko.kortelainen at hut.fi
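
Added example, not part of the original post: one way to test the hypothesis raised in the question is to compare the machine trust entries of a slave's smbpasswd with the master's copy before the next rsync overwrites the slave. The sketch assumes the smbpasswd(5) text layout (name, uid, LM hash, NT hash, flags, LCT timestamp); the function names and the sample entries are constructed for illustration.

```python
import re

# smbpasswd(5) entry: name:uid:LM hash:NT hash:[flags]:LCT-<hex epoch seconds>:
ENTRY = re.compile(
    r"^([^:#][^:]*):(\d+):([^:]{32}):([^:]{32}):\[([^\]]*)\]:LCT-([0-9A-Fa-f]{8}):"
)

def machine_accounts(text):
    """Return {name: (nt_hash, last_change_time)} for machine trust accounts."""
    accounts = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # comment, blank or malformed line
        name, _uid, _lm, nt, flags, lct = m.groups()
        # Machine trust accounts end in '$' and carry the W flag.
        if name.endswith("$") and "W" in flags:
            accounts[name] = (nt.upper(), int(lct, 16))
    return accounts

def find_clobber_risk(master_text, slave_text):
    """Report machine accounts whose hash differs between the two copies."""
    master = machine_accounts(master_text)
    findings = []
    for name, (nt, lct) in sorted(machine_accounts(slave_text).items()):
        if name not in master:
            findings.append((name, "missing-on-master"))
        elif nt != master[name][0]:
            # A newer LCT on the slave means the change happened there and
            # the next copy from the master would revert it.
            newer = "slave-newer" if lct > master[name][1] else "master-newer"
            findings.append((name, newer))
    return findings

def _entry(name, uid, nt, lct, flags):
    # Constructed sample line; hashes are dummy values, not real ones.
    return f"{name}:{uid}:{'X' * 32}:{nt}:[{flags:<11}]:LCT-{lct:08X}:"

MASTER = "\n".join([
    _entry("alice", 1000, "A" * 32, 0x3E000000, "U"),
    _entry("WS1$", 2001, "1" * 32, 0x3E000000, "W"),
    _entry("WS2$", 2002, "2" * 32, 0x3E000000, "W"),
])
SLAVE = "\n".join([
    _entry("alice", 1000, "A" * 32, 0x3E000000, "U"),
    _entry("WS1$", 2001, "1" * 32, 0x3E000000, "W"),
    _entry("WS2$", 2002, "B" * 32, 0x3E100000, "W"),  # changed on the slave
])

if __name__ == "__main__":
    for name, state in find_clobber_risk(MASTER, SLAVE):
        print(name, state)
```

A "slave-newer" finding for a workstation that later reports a broken trust would support the idea that the password was changed on the slave and then reverted by the copy from the master.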

