[Samba] Samba 2.2.8 is failing on change machine account password

Eric Boehm boehm at nortelnetworks.com
Fri Mar 28 13:24:23 GMT 2003


On Fri, Mar 28, 2003 at 11:50:34PM +1100, Andrew Bartlett wrote:
>>>>> "Andrew" == Andrew Bartlett <abartlet at samba.org> writes:

    Andrew> If you run 'smbpasswd -t' it should do it on demand.

    Eric>  That doesn't seem to work

    Andrew> I didn't say it would work, just that it would be easier
    Andrew> to debug :-)

True enough :-(

    Eric> Doesn't this present a potential security issue if the machine
    Eric> password never changes?

    Andrew> Small - basically if the 'bad guy' can figure out the
    Andrew> password by cryptographic or network brute force before
    Andrew> you change it, yes.  If he is listening on the connection
    Andrew> always anyway, then they will observe the password change.

    Andrew> In short - keep it secret, and it's not too bad.

    >> [2003/03/27 15:33:15, 5, pid=25400] lib/util.c:(291) smb_bcc=0
    >> [2003/03/27 15:33:15, 6, pid=25400] lib/util_sock.c:(518) write_socket(10,39)
    >> [2003/03/27 15:33:15, 6, pid=25400] lib/util_sock.c:(521) write_socket(10,39) wrote 39
    >> [2003/03/27 15:34:15, 3, pid=25400] smbd/sec_ctx.c:(329) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    >> [2003/03/27 15:34:15, 5, pid=25400] smbd/uid.c:(217) change_to_root_user: now uid=(0,0) gid=(0,0)
    >> [2003/03/27 15:34:15, 10, pid=25400] smbd/process.c:(1137) timeout_processing: checking to see if machine account password need changing.
    >> [2003/03/27 15:34:15, 10, pid=25400] smbd/process.c:(1167) timeout_processing: machine account password last change time = (1046645657) Sun, 02 Mar 2003 17:54:17 EST.
    >> [2003/03/27 15:34:15, 0, pid=25400] rpc_client/cli_trust.c:(46) domain_client_validate: unable to fetch domain sid.

    Andrew> This certainly looks like an issue.

    Andrew> Have you tried rejoining the domain?

No, I was hoping to avoid that as I don't control the domain and don't
have domain admin rights. I have to open a ticket and have the machine
account refreshed or deleted/recreated -- that can take time.

I have several servers I have to upgrade and rejoining the domain
would complicate the process and make it take longer. I don't believe
it was necessary to rejoin for 2.2.5.

However, if you think that rejoining the domain is the next logical
step in debugging this, I'll give it a try. Would it be best to have
the account refreshed or deleted/recreated?

Alternatively, would it be better to try earlier 2.2.x versions and
use smbpasswd -t in an attempt to find out which version broke it?

-- 
Eric M. Boehm                  /"\  ASCII Ribbon Campaign
boehm at nortelnetworks.com       \ /  No HTML or RTF in mail
                                X   No proprietary word-processing
Respect Open Standards         / \  files in mail
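Added example, not from this thread or from the Samba project: a small Python checker that parses the smbd debug lines quoted above, recovers how old the machine account password was when timeout_processing ran, and flags the failed domain SID fetch that stops the change from happening. It assumes smb.conf's default 'machine password timeout' of 604800 seconds and that smbd prints the log timestamp and the "last change time" in the same local zone.

```python
import re
from datetime import datetime

# Samba 2.2 debug header: [YYYY/MM/DD HH:MM:SS, level, pid=N] file:(line) message
LOG_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+), pid=(?P<pid>\d+)\] "
    r"(?P<src>[\w./]+):\((?P<line>\d+)\)\s*(?P<msg>.*)")
LAST_CHANGE_RE = re.compile(r"last change time = \((\d+)\) (.+?)\.?$")
MACHINE_PASSWORD_TIMEOUT = 604800  # assumed smb.conf 'machine password timeout' default (seconds)

# The relevant entries quoted in the thread, header and message kept on one line.
SAMPLE_LOG = "\n".join([
    "[2003/03/27 15:34:15, 10, pid=25400] smbd/process.c:(1137) timeout_processing: "
    "checking to see if machine account password need changing.",
    "[2003/03/27 15:34:15, 10, pid=25400] smbd/process.c:(1167) timeout_processing: "
    "machine account password last change time = (1046645657) Sun, 02 Mar 2003 17:54:17 EST.",
    "[2003/03/27 15:34:15, 0, pid=25400] rpc_client/cli_trust.c:(46) "
    "domain_client_validate: unable to fetch domain sid.",
])

def parse_samba_log(text):
    """Return one dict per parseable debug line: ts, level, pid, src, line, msg."""
    entries = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if m:  # skip continuation and non-debug lines
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S")
            d["level"], d["pid"], d["line"] = (int(d[k]) for k in ("level", "pid", "line"))
            entries.append(d)
    return entries

def check_machine_password(entries, timeout=MACHINE_PASSWORD_TIMEOUT):
    """Machine password age at check time, and whether the domain SID lookup failed."""
    result = {"last_change_epoch": None, "age_seconds": None,
              "overdue": False, "domain_sid_failed": False}
    for e in entries:
        m = LAST_CHANGE_RE.search(e["msg"])
        if m:
            result["last_change_epoch"] = int(m.group(1))
            # Assumption: smbd prints both timestamps via localtime(), so compare
            # them as wall-clock values in the same zone; drop the zone name ('EST').
            human = m.group(2).rsplit(" ", 1)[0]
            last = datetime.strptime(human, "%a, %d %b %Y %H:%M:%S")
            result["age_seconds"] = int((e["ts"] - last).total_seconds())
            result["overdue"] = result["age_seconds"] > timeout
        if "unable to fetch domain sid" in e["msg"]:
            result["domain_sid_failed"] = True
    return result
```

On the quoted excerpt the checker reports a password about 24.9 days old, well past the 7-day interval, together with the failed SID lookup, which is the combination worth alerting on because the change is due but cannot complete.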

