[Samba] Samba, LDAP and machine account weirdness....

Chris Bradshaw cwbshaw at hotmail.com
Tue Jun 8 20:34:32 GMT 2004


I am using Samba 3.0.2 with LDAP as the passdb backend for both user accounts
and for machine accounts.

I have noticed something which looks a bit strange. It seems that at least some
machines (I don't think all machines, but can't be sure as of yet) appear to be
having sambaPwdCanChange and sambaPwdLastChange modified in their account entry
in the LDAP tree.....

I thought that the only time any machine account attributes would be
added/altered is when the machine account is initially added. 

One machine seems to be having these attributes in its machine account altered
every 15 minutes.....other machines seem to only have this occur once or twice.

Another strange thing I have noticed is that for all of these machines, both the
sambaLMPassword and sambaNTPassword hashes are identical.....I thought that
these would/should always be different (open to correction on this ;-)....

Everything seems to work OK, but this is generating some load on our LDAP
servers (master and replicas) and also I am concerned that perhaps we have been
hacked or perhaps a Windoze virus is causing this to happen. 

However, I am not aware of any viruses which attack an NT domain server and
cause machine accounts to be altered.....besides, the virus would need to know a
login/password with sufficient privilege to update the machine account via samba.

Could this be a hack or a virus? 

Or is there any setting in Windoze (registry or something) which would cause a
machine to try to update its machine account in some way?

Or is there anything else which might cause this (eg: a difference in the time
on samba and LDAP servers?)?

Sorry if this seems a bit vague and lacking any more detail, but I am baffled.

If anyone has any suggestions or advice I would be most grateful.

Thanx in advance.

Chris Bradshaw
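
An added example, not part of the original post: a small Python script that gathers the evidence described above by comparing two LDIF exports of the directory taken some time apart. It assumes sambaPwdLastChange holds Unix epoch seconds, that machine accounts have a uid ending in `$`, and that attribute values are plain (not base64) LDIF lines; the sample entries, names and hashes are constructed.

```python
from datetime import datetime, timezone

# Constructed LDIF snapshots; names, times and hashes are made up.
SNAP_A = """\
dn: uid=ws01$,ou=Computers,dc=example,dc=com
uid: ws01$
sambaPwdLastChange: 1086724800
sambaLMPassword: 0123456789ABCDEF0123456789ABCDEF
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=ws02$,ou=Computers,dc=example,dc=com
uid: ws02$
sambaPwdLastChange: 1086000000
sambaLMPassword: 11111111111111111111111111111111
sambaNTPassword: 22222222222222222222222222222222

dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
sambaPwdLastChange: 1085000000
"""
# Second snapshot: ws01$ shows a change 15 minutes (900 s) later.
SNAP_B = SNAP_A.replace("1086724800", "1086725700")

def parse_machines(ldif):
    """Return {uid: attrs} for entries whose uid ends in '$' (machine accounts)."""
    machines = {}
    for block in ldif.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in block.splitlines()
                     if ": " in l and not l.startswith("#"))
        if attrs.get("uid", "").endswith("$"):
            machines[attrs["uid"]] = attrs
    return machines

def audit(before, after):
    """Compare two snapshots and summarise each machine account."""
    old, new = parse_machines(before), parse_machines(after)
    report = {}
    for uid, a in new.items():
        last = int(a.get("sambaPwdLastChange", 0))
        prev = int(old.get(uid, {}).get("sambaPwdLastChange", last))
        lm, nt = a.get("sambaLMPassword"), a.get("sambaNTPassword")
        report[uid] = {
            "last_change_utc": datetime.fromtimestamp(last, timezone.utc).isoformat(),
            "seconds_since_previous": last - prev,
            "lm_equals_nt": lm is not None and lm == nt,
        }
    return report

if __name__ == "__main__":
    for uid, row in audit(SNAP_A, SNAP_B).items():
        print(uid, row)
```

Running it against real exports taken at a known interval shows which machine accounts are being rewritten and how often, which can then be matched against the Samba and LDAP server logs for the same timestamps.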

