[Samba] Samba BDCs and machine trust account passwords

Mikko Kortelainen mkortela at cc.hut.fi
Thu Jan 16 13:23:06 GMT 2003


>> Would it be possible for a workstation to negotiate a new password 
>> with a SLAVE server, that would be overwritten whenever the master 
>> sends a new copy of smbpasswd to the slaves?

> Are you sure that your slaves are configured as BDCs?  It smells to
> me like they think their local server is the PDC.  The sync then
> kills their password.

Here's (what I think is) the essential part from my SLAVE smb.conf:

  security = user
  domain logons = yes
  domain master = no
  os level = 64
  local master = yes
  preferred master = yes

The MASTER configuration is the same except that the "domain master" is set to yes.

I've understood that the above configuration causes the workstations to send their password updates to the MASTER. Am I wrong? If I am, is there any way in 2.2.7 to correct this (either so that the workstations change their passwords directly with the master, or that the slave sends an update message to the master automatically). Or do I have to go to 3.0 and LDAP? (which I'd rather not prefer, yet)

My users have no problems changing their user account passwords from anywhere, so there must be a difference in the way these two things work...?

Mikko Kortelainen
mikko.kortelainen at hut.fi

-----Original Message-----
From: samba-admin at lists.samba.org [mailto:samba-admin at lists.samba.org] On Behalf Of Andrew Bartlett
Sent: 16 January 2003 14:40
To: Mikko Kortelainen
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba BDCs and machine trust account passwords


On Thu, 2003-01-16 at 22:48, Mikko Kortelainen wrote:
> I have a problem with machine trust accounts breaking in a purely 
> Samba controlled domain. I have one master Samba server acting as a 
> PDC, and three slave servers in different networks. The UNIX user 
> account information is updated by means of NIS, and smbpasswd gets 
> rsync'ed to the slave servers whenever there is a change in the file. 
> All this works without problems at all times.
> 
> When I attach workstations to the domain, everything works fine for a 
> while. But after a certain time (a few hours to a few weeks) the 
> workstations start complaining that the machine trust account with the 
> domain is broken. In fact, in the log files it says that the 
> authentication fails because the password challenge and response are 
> different, so it really seems that the password that the workstation 
> has is different from the one Samba has. This problem comes up only 
> within the networks of the slave servers, the network of the master 
> server has never had any problems (it has been up and running more 
> than 6 months without problems now).
> 
> Could this mean that the workstation thinks it has changed its trust 
> account password successfully, while the Samba server still has the 
> old password?
> 
> How often do the Windows workstations change their trust account passwords?

Once per week.

> Would it be possible for a workstation to negotiate a new password 
> with a SLAVE server, that would be overwritten whenever the master 
> sends a new copy of smbpasswd to the slaves?

Are you sure that your slaves are configured as BDCs?  It smells to me like they think their local server is the PDC.  The sync then kills their password.

> Do I have to have a script at the slave servers that update the master 
> server's smbpasswd whenever there's a change in their own files? Can I 
> do this with the "unix password sync" and "passwd program" and "passwd 
> chat" smb.conf-options? Or is there a way to tell Samba not to change 
> the password in the local smbpasswd, but hand it to the master server 
> instead? Can "password server" option do this?

If your local servers think they are PDCs, and you cannot get your machines to talk to the real PDC directly, then look into replicated LDAP, Samba 3.0 and rebinds.  (or the patch that has been on the samba-technical list recently).  That will cause the slave servers to contact the master to update the password.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
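The failure mode discussed above (a workstation renegotiates its machine trust password with the slave, then the master's rsync'ed smbpasswd overwrites the slave's copy) can be spotted before the sync runs by diffing the two files for machine accounts. The script below is an added example, not code from this thread or from the Samba project; the sample smbpasswd lines, account names and LCT timestamps are constructed for illustration, and the layout assumed is the Samba 2.2 smbpasswd format (name:uid:LMHASH:NTHASH:[flags]:LCT-hex:).

```python
"""Report machine trust accounts on a Samba BDC whose local smbpasswd entry
would be clobbered by copying the PDC's smbpasswd over it.

Assumed smbpasswd line layout (Samba 2.2):
    name:uid:LMHASH:NTHASH:[flags]:LCT-<hex seconds since epoch>:
Machine trust accounts end with '$' and carry the 'W' flag.
"""
import re
from dataclasses import dataclass


@dataclass
class Entry:
    name: str
    uid: int
    lm_hash: str
    nt_hash: str
    flags: str
    last_change: int  # seconds since epoch, decoded from LCT-xxxxxxxx


# 32 hex digits per hash; 'X' * 32 is Samba's marker for "no hash stored".
_LINE = re.compile(
    r"^([^:]+):(\d+):([0-9A-Fa-fX]{32}):([0-9A-Fa-fX]{32}):\[([^\]]*)\]:LCT-([0-9A-Fa-f]+):"
)


def parse_smbpasswd(text):
    """Parse smbpasswd text into {account name: Entry}; comments and blanks skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised smbpasswd line: {line!r}")
        name, uid, lm, nt, flags, lct = m.groups()
        entries[name] = Entry(name, int(uid), lm.upper(), nt.upper(), flags.strip(), int(lct, 16))
    return entries


def is_machine_account(entry):
    """Machine trust accounts are named host$ and flagged 'W' (workstation)."""
    return entry.name.endswith("$") or "W" in entry.flags


def find_clobbered_trust_accounts(master, slave):
    """Compare the PDC copy (master) with the BDC's local file (slave).

    'reverted': machine accounts whose BDC hash differs from the PDC's and whose
                BDC entry is newer, i.e. the workstation changed its password at
                the BDC and a master->slave sync would revert it.
    'missing_on_master': machine accounts joined at the BDC that the PDC never
                saw; the sync would delete them outright.
    """
    reverted, missing = [], []
    for name, s in sorted(slave.items()):
        if not is_machine_account(s):
            continue  # user passwords are changed at the PDC, so ignore them
        m = master.get(name)
        if m is None:
            missing.append(name)
        elif s.nt_hash != m.nt_hash and s.last_change > m.last_change:
            reverted.append(name)
    return {"reverted": reverted, "missing_on_master": missing}


# ---- constructed sample data (hypothetical hosts, uids and timestamps) ----
_NO_LM = "X" * 32


def _line(name, uid, nt, flags, lct):
    return f"{name}:{uid}:{_NO_LM}:{nt}:[{flags:<11}]:LCT-{lct:08X}:"


MASTER_SMBPASSWD = "\n".join([
    "# constructed: copy rsync'ed from the PDC",
    _line("mikko", 1001, "B" * 32, "U", 0x3E268E40),
    _line("ws1$", 2001, "1" * 32, "W", 0x3E268E40),
    _line("ws2$", 2002, "2" * 32, "W", 0x3E268E40),
])

SLAVE_SMBPASSWD = "\n".join([
    "# constructed: the BDC's own file; ws1$ rotated its password here, ws3$ joined here",
    _line("mikko", 1001, "B" * 32, "U", 0x3E268E40),
    _line("ws1$", 2001, "3" * 32, "W", 0x3E2690D0),
    _line("ws2$", 2002, "2" * 32, "W", 0x3E268E40),
    _line("ws3$", 2003, "4" * 32, "W", 0x3E2690D0),
])


if __name__ == "__main__":
    report = find_clobbered_trust_accounts(
        parse_smbpasswd(MASTER_SMBPASSWD), parse_smbpasswd(SLAVE_SMBPASSWD)
    )
    for kind, names in report.items():
        print(f"{kind}: {', '.join(names) or '(none)'}")
```

Run against the real files (the PDC copy and the BDC's local smbpasswd) in a pre-sync hook; a non-empty report means the rsync would break those workstations' trust relationship, which matches the symptom described in the thread.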


