[Samba] sambaNTPassword does NOT write to master LDAP when machines auto change the values

Paul Hanson Paul.Hanson at e-spida.com
Mon Dec 12 12:48:01 GMT 2005

We have SuSE SLES9 servers with LDAP master/slave replication (24

All working fine -joining domain etc.

The problem I am having is PC's at remote sites (BDC) with a local
replica (OpenLDAP) periodically change the
sambaNTPassword/sambaLMPassword on there own and write to the local LDAP
server and do NOT follow the referral to the master.

I have written scripts to force the sambaNTPassword attribute to be
re-synchronised but the attribute becomes a different value - at a
variable timeframe.

Further investigation suggests that NT/W2K/W2K3/XP have different times
when they auto change the sambaNTPassword vaue - (avoid replay
attacks??). However 3.0.14a that is distributed/updated on SLES9 only
writes this info to the local BDC and not the centre/MASTER.

7 days for NT 4, 30 days for W2K/XP is the default policy for the
machines to auto change the sambaNTPassword/sambaLMPassword.

I have also noticed that using pdbedit to change a value will change the
local OpenLDAP server and not follow the referral to the master. So that
changes at the BDC's are out of sync with respect to the master.

Joining the domain works great and replicates ALL attributes correctly
(inc sambaNTPassword) FYI - This is the fix by local admins to allow
machines to connect to the domain again.

Can you help on this subject - this is causing major issues with
machines moving sites!!!

Best Regards Paul Hanson try { document.title =
document.getElementById("subject").innerHTML; } catch (e) { }

More information about the samba mailing list