[Samba] Samba BDCs and machine trust account passwords
Mikko Kortelainen
mkortela at cc.hut.fi
Thu Jan 16 13:23:06 GMT 2003
>> Would it be possible for a workstation to negotiate a new password
>> with a SLAVE server, that would be overwritten whenever the master
>> sends a new copy of smbpasswd to the slaves?
> Are you sure that your slaves are configured as BDCs? It smells to
> me like they think their local server is the PDC. The sync then
> kills their password.
Here's (what I think is) the essential part from my SLAVE smb.conf:
security = user
domain logons = yes
domain master = no
os level = 64
local master = yes
preferred master = yes
The MASTER configuration is the same except that the "domain master" is set to yes.
I've understood that the above configuration causes the workstations to send their password updates to the MASTER. Am I wrong? If I am, is there any way in 2.2.7 to correct this (either so that the workstations change their passwords directly with the master, or that the slave sends an update message to the master automatically). Or do I have to go to 3.0 and LDAP? (which I'd rather not prefer, yet)
My users have no problems changing their user account passwords from anywhere, so there must be a difference in the way these two things work...?
Mikko Kortelainen
mikko.kortelainen at hut.fi
-----Original Message-----
From: samba-admin at lists.samba.org [mailto:samba-admin at lists.samba.org] On Behalf Of Andrew Bartlett
Sent: 16 January 2003 14:40
To: Mikko Kortelainen
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba BDCs and machine trust account passwords
On Thu, 2003-01-16 at 22:48, Mikko Kortelainen wrote:
> I have a problem with machine trust accounts breaking in a purely
> Samba controlled domain. I have one master Samba server acting as a
> PDC, and three slave servers in different networks. The UNIX user
> account information is updated by means of NIS, and smbpasswd gets
> rsync'ed to the slave servers whenever there is a change in the file.
> All this works without problems at all times.
>
> When I attach workstations to the domain, everything works fine for a
> while. But after a certain time (a few hours to a few weeks) the
> workstations start complaining that the machine trust account with the
> domain is broken. In fact, in the log files it says that the
> authentication fails because the password challenge and response are
> different, so it really seems that the password that the workstation
> has is different from the one Samba has. This problem comes up only
> within the networks of the slave servers, the network of the master
> server has never had any problems (it has been up and running more
> than 6 months without problems now).
>
> Could this mean that the workstation thinks it has changed its trust
> account password successfully, while the Samba server still has the
> old password?
>
> How often do the Windowstations change their trust account passwords?
Once per week.
> Would it be possible for a workstation to negotiate a new password
> with a SLAVE server, that would be overwritten whenever the master
> sends a new copy of smbpasswd to the slaves?
Are you sure that your slaves are configured as BDCs? It smells to me like they think their local server is the PDC. The sync then kills their password.
> Do I have to have a script at the slave servers that update the master
> server's smbpasswd whenever there's a change in their own files? Can I
> do this with the "unix password sync" and "passwd program" and "passwd
> chat" smb.conf-options? Or is there a way to tell Samba not to change
> the password in the local smbpasswd, but hand it to the master server
> instead? Can "password server" option do this?
If your local servers think they are PDCs, and you cannot get your machines to talk to the real PDC directly, then look into replicated LDAP, Samba 3.0 and rebinds (or the patch that has been on the samba-technical list recently). That will cause the slave servers to contact the master to update the password.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
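The failure mode discussed in this thread is a BDC accepting a workstation's weekly trust-account password change into its local smbpasswd, which the next rsync from the master then overwrites. The script below is an added example, not code from the thread, from Samba, or from either poster: it compares the machine trust accounts in the master's smbpasswd against a BDC's local copy and reports entries whose NT hash or last-change time (LCT) differ, so the drift can be caught before a sync destroys the newer password. It assumes the Samba 2.2 smbpasswd line layout (name:uid:LM hash:NT hash:[flags]:LCT-hex:), identifies workstation accounts by the trailing "$" and the "W" flag, and builds its own constructed sample files with placeholder hashes.

```shell
#!/bin/sh
# Added example (not from this thread): detect machine trust accounts whose
# password has drifted between the PDC's smbpasswd and a BDC's local copy.
# If a workstation renegotiated its password against the BDC, the BDC copy
# carries a newer NT hash and LCT; an rsync from the master would overwrite
# it and the workstation's trust relationship would break.
#
# Samba 2.2 smbpasswd line format:
#   name:uid:LM hash:NT hash:[flags]:LCT-<hex seconds since epoch>:
# Workstation trust accounts have a name ending in '$' and the 'W' flag.

# Constructed sample copies; hashes and times are placeholders, not real data.
MASTER_FILE="${TMPDIR:-/tmp}/smbpasswd.master.$$"
SLAVE_FILE="${TMPDIR:-/tmp}/smbpasswd.slave.$$"
trap 'rm -f "$MASTER_FILE" "$SLAVE_FILE"' EXIT

cat > "$MASTER_FILE" <<'EOF'
mikko:1001:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:[U          ]:LCT-3E2673B0:
ws01$:1101:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:11111111111111111111111111111111:[W          ]:LCT-3E2673B0:
ws02$:1102:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:22222222222222222222222222222222:[W          ]:LCT-3E2673B0:
EOF

# Slave copy: ws02$ changed its password locally (new hash, newer LCT);
# mikko also differs, but user accounts are outside this check.
cat > "$SLAVE_FILE" <<'EOF'
mikko:1001:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:[U          ]:LCT-3E27C530:
ws01$:1101:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:11111111111111111111111111111111:[W          ]:LCT-3E2673B0:
ws02$:1102:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:33333333333333333333333333333333:[W          ]:LCT-3E27C530:
EOF

# Usage: diverged_machine_accounts MASTER_COPY SLAVE_COPY
# Prints one line per workstation trust account present in both files whose
# NT hash or LCT differs: "<name> master=<hash>@<lct> slave=<hash>@<lct>".
diverged_machine_accounts() {
    awk -F: -v master="$1" '
        # Only workstation trust accounts: name ends in "$" and flags contain W
        $1 !~ /\$$/ || $5 !~ /W/ { next }
        # First pass over the master copy: remember hash and change time
        FILENAME == master { nt[$1] = $4; lct[$1] = $6; next }
        # Second pass over the slave copy: report any account that drifted
        ($1 in nt) && (nt[$1] != $4 || lct[$1] != $6) {
            printf "%s master=%s@%s slave=%s@%s\n", $1, nt[$1], lct[$1], $4, $6
        }
    ' "$1" "$2"
}

# Usage: count_diverged MASTER_COPY SLAVE_COPY  -> number of drifted accounts
count_diverged() {
    diverged_machine_accounts "$1" "$2" | wc -l | tr -d ' '
}

# Run the check on the sample copies; a non-empty report means the BDC copy
# holds a newer machine password that an rsync from the master would clobber.
diverged_machine_accounts "$MASTER_FILE" "$SLAVE_FILE"
```

On the sample data the report names only ws02$, since ws01$ is identical in both copies and the user account mikko is deliberately ignored. Run against real files, a non-empty report is the signal to carry the BDC's newer entry back to the master (or to stop the sync) rather than letting the overwrite happen.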