[Samba] Samba BDCs and machine trust account passwords

Andrew Bartlett abartlet at samba.org
Thu Jan 16 12:37:00 GMT 2003


On Thu, 2003-01-16 at 22:48, Mikko Kortelainen wrote:
> I have a problem with machine trust accounts breaking in a purely Samba
> controlled domain. I have one master Samba server acting as a PDC, and
> three slave servers in different networks. The UNIX user account
> information is updated by means of NIS, and smbpasswd gets rsync'ed to
> the slave servers whenever there is a change in the file. All this works
> without problems at all times.
> 
> When I attach workstations to the domain, everything works fine for a
> while. But after a certain time (a few hours to a few weeks) the
> workstations start complaining that the machine trust account with the
> domain is broken. In fact, in the log files it says that the
> authentication fails because the password challenge and response are
> different, so it really seems that the password that the workstation has
> is different from the one Samba has. This problem comes up only within
> the networks of the slave servers, the network of the master server has
> never had any problems (it has been up and running more than 6 months
> without problems now).
> 
> Could this mean that the workstation thinks it has changed its trust
> account password successfully, while the Samba server still has the old
> password?
> 
> How often do the Windows workstations change their trust account passwords?

Once per week.

> Would it be possible for a workstation to negotiate a new password with
> a SLAVE server, that would be overwritten whenever the master sends a
> new copy of smbpasswd to the slaves?

Are you sure that your slaves are configured as BDCs?  It smells to me
like they think their local server is the PDC.  The sync then kills
their password.

> Do I have to have a script at the slave servers that updates the master
> server's smbpasswd whenever there's a change in their own files? Can I
> do this with the "unix password sync", "passwd program" and "passwd
> chat" smb.conf options? Or is there a way to tell Samba not to change
> the password in the local smbpasswd, but hand it to the master server
> instead? Can the "password server" option do this?

If your local servers think they are PDCs, and you cannot get your
machines to talk to the real PDC directly, then look into replicated
LDAP, Samba 3.0 and rebinds.  (or the patch that has been on the
samba-technical list recently).  That will cause the slave servers to
contact the master to update the password.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
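The failure mode discussed above (a workstation rotates its trust account password against a slave, and the next rsync of smbpasswd from the master silently reverts it) leaves a visible trace: the machine account's NT hash on the slave differs from the master's copy, and its LCT (last change time) is newer. The following is an added diagnostic, not code from the thread or from the Samba project. It parses the flat smbpasswd format (`name:uid:LM:NT:[flags]:LCT-hex:`) from two constructed sample files and lists machine accounts whose hashes have diverged, reporting which side holds the newer password. Running it on the slave's local file and a fresh copy of the master's file before each sync would catch the overwrite before the workstation starts failing to log on.

```python
"""Compare machine trust accounts in a master (PDC) and replica (BDC) smbpasswd.

Added example; file contents below are constructed, not taken from any real domain.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class SmbEntry:
    name: str
    uid: int
    lm_hash: str
    nt_hash: str
    flags: str   # account flags with the brackets stripped, e.g. "W" or "U"
    lct: int     # last change time, seconds since the epoch

    @property
    def is_machine(self) -> bool:
        # Workstation (W) and server (S) trust accounts; the '$' suffix is the
        # NetBIOS convention for machine accounts.
        return self.name.endswith("$") or "W" in self.flags or "S" in self.flags


def parse_smbpasswd(text: str) -> Dict[str, SmbEntry]:
    """Parse smbpasswd lines; blank lines, comments and short lines are skipped."""
    entries: Dict[str, SmbEntry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 6:
            continue
        name, uid, lm, nt, flags, lct = parts[:6]
        # The LCT field is written as "LCT-" followed by hex seconds.
        lct_val = int(lct[4:], 16) if lct.startswith("LCT-") else 0
        entries[name] = SmbEntry(name, int(uid), lm, nt,
                                 flags.strip("[]").strip(), lct_val)
    return entries


def find_divergent_machines(master_text: str, replica_text: str) -> List[Tuple[str, str]]:
    """Return (account, reason) for machine accounts that differ between copies."""
    master = parse_smbpasswd(master_text)
    replica = parse_smbpasswd(replica_text)
    report: List[Tuple[str, str]] = []
    for name, rep in replica.items():
        if not rep.is_machine:
            continue
        mas = master.get(name)
        if mas is None:
            report.append((name, "missing on master"))
        elif mas.nt_hash != rep.nt_hash:
            # A newer LCT on the replica means the password change was accepted
            # locally and will be reverted by the next master-to-replica sync.
            newer = "replica" if rep.lct > mas.lct else "master"
            report.append((name, f"NT hash differs; {newer} copy is newer"))
    return report


# Constructed sample data: hashes are placeholders, not real credentials.
MASTER_SMBPASSWD = """# master copy (constructed)
mikko:1001:00000000000000000000000000000000:11111111111111111111111111111111:[U          ]:LCT-3E26A1B0:
ws01$:1101:00000000000000000000000000000000:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:[W          ]:LCT-3E1A0000:
ws02$:1102:00000000000000000000000000000000:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:[W          ]:LCT-3E1A0000:
"""

REPLICA_SMBPASSWD = """# slave copy (constructed): ws02$ rotated its password against the slave
mikko:1001:00000000000000000000000000000000:11111111111111111111111111111111:[U          ]:LCT-3E26A1B0:
ws01$:1101:00000000000000000000000000000000:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:[W          ]:LCT-3E1A0000:
ws02$:1102:00000000000000000000000000000000:cccccccccccccccccccccccccccccccc:[W          ]:LCT-3E26B000:
"""

if __name__ == "__main__":
    for account, reason in find_divergent_machines(MASTER_SMBPASSWD, REPLICA_SMBPASSWD):
        print(f"{account}: {reason}")
```

Only machine accounts are compared because user accounts in this setup are legitimately maintained on the master; a user entry that differs is a separate problem from the trust account breakage the thread describes.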