[Samba] Samba, LDAP and machine account weirdness....

Andrew Bartlett abartlet at samba.org
Wed Jun 9 13:45:17 GMT 2004


On Wed, 2004-06-09 at 06:34, Chris Bradshaw wrote:
> Hi....
> 
> I am using Samba 3.0.2 with LDAP as the passdb backend for both user accounts
> and for machine accounts.
> 
> I have noticed something which looks a bit strange. It seems that at least some
> machines (I don't think all machines, but can't be sure as of yet) appear to be
> having sambaPwdCanChange and sambaPwdLastChange modified in their account entry
> in the LDAP tree.....
> 
> I thought that the only time any machine account attributes would be
> added/altered is when the machine account is initially added. 

No, machines will change their password regularly.  I noticed this
issue, and added a check/hack to make such a change (which does not
actually change the password) a no-op.

> One machine seems to be having these attributes in its machine account altered
> every 15 minutes.....other machines seem to only have this occur once or twice.
> 
> Another strange thing I have noticed is that for all of these machines, both the
> sambaLMPassword and sambaNTPassword hashes are identical.....I thought that
> these would/should always be different (open to correction on this ;-)....

For historical reasons, Samba sets the NT and LM passwords to the new NT
machine account password, on a machine password change.

> Everything seems to work OK, but this is generating some load on our LDAP
> servers (master and replicas) and also I am concerned that perhaps we have been
> hacked or perhaps a Windoze virus is causing this to happen. 
> 
> However, I am not aware of any viruses which attack an NT domain server and
> cause machine accounts to be altered.....besides, the virus would need to know a
> login/password with sufficient privilege to update the machine account via samba.
> 
> Could this be a hack or a virus? 
> 
> Or is there any setting in Windoze (registry or something) which would cause a
> machine to try to update its machine account in some way?
> 
> Or is there anything else which might cause this (eg: a difference in the time
> on samba and LDAP servers?)?
> 
> Sorry if this seems a bit vague and lacking any more detail, but I am baffled
> myself.

Upgrade to the latest Samba, where this is fixed (that is, my hack
avoids the load issues).  I wonder if the fixes for the MS04-11 issues
might also have fixed this.

Andrew Bartlett