[Samba] Samba 2.2.8 is failing on change machine account password
boehm at nortelnetworks.com
Fri Mar 28 13:24:23 GMT 2003
On Fri, Mar 28, 2003 at 11:50:34PM +1100, Andrew Bartlett wrote:
>>>>> "Andrew" == Andrew Bartlett <abartlet at samba.org> writes:
Andrew> If you run 'smbpasswd -t' it should do it on demand.
Eric> That doesn't seem to work
Andrew> I didn't say it would work, just that it would be easier
Andrew> to debug :-)
True enough :-(
Eric> Doesn't this present a potential security issue if the machine
Eric> password never changes?
Andrew> Small - basically if the 'bad guy' can figure out the
Andrew> password by cryptographic or network brute force before
Andrew> you change it, yes. If he is listening on the connection
Andrew> always anyway, then they will observe the password change.
Andrew> In short - keep it secret, and it's not too bad.
>> [2003/03/27 15:33:15, 5, pid=25400] lib/util.c:(291) smb_bcc=0
>> [2003/03/27 15:33:15, 6, pid=25400] lib/util_sock.c:(518)
>> write_socket(10,39) [2003/03/27 15:33:15, 6, pid=25400]
>> lib/util_sock.c:(521) write_socket(10,39) wrote 39 [2003/03/27
>> 15:34:15, 3, pid=25400] smbd/sec_ctx.c:(329) setting sec ctx
>> (0, 0) - sec_ctx_stack_ndx = 0 [2003/03/27 15:34:15, 5,
>> pid=25400] smbd/uid.c:(217) change_to_root_user: now uid=(0,0)
>> gid=(0,0) [2003/03/27 15:34:15, 10, pid=25400]
>> smbd/process.c:(1137) timeout_processing: checking to see if
>> machine account password need changing. [2003/03/27 15:34:15,
>> 10, pid=25400] smbd/process.c:(1167) timeout_processing:
>> machine account password last change time = (1046645657) Sun,
>> 02 Mar 2003 17:54:17 EST. [2003/03/27 15:34:15, 0, pid=25400]
>> rpc_client/cli_trust.c:(46) domain_client_validate: unable to
>> fetch domain sid.
Andrew> This certainly looks like an issue.
Andrew> Have you tried rejoining the domain?
No, I was hoping to avoid that as I don't control the domain and don't
have domain admin rights. I have to open a ticket and have the machine
account refreshed or deleted/recreated -- that can take time.
I have several servers I have to upgrade and rejoining the domain
would complicate the process and make it take longer. I don't believe
it was necessary to rejoin for 2.2.5.
However, if you think that rejoining the domain is the next logical
step in debugging this, I'll give it a try. Would it be best to have
the account refreshed or deleted/recreated?
Alternatively, would it be better to try earlier 2.2.x versions and
use smbpasswd -t in an attempt to find out which version broke it?
Eric M. Boehm /"\ ASCII Ribbon Campaign
boehm at nortelnetworks.com \ / No HTML or RTF in mail
X No proprietary word-processing
Respect Open Standards / \ files in mail
More information about the samba