[Samba] Daily changetrustpw breaks authentication

Andrew Bartlett abartlet at samba.org
Fri Mar 17 00:43:06 GMT 2006

On Wed, 2006-03-15 at 16:59 -0600, Jim Moser wrote:
> Anyone have any thoughts on this?  Is changetrustpw even required?  Are 
> other people using it with success?

No, it's not required (but perhaps a good security idea).  

Samba 3.0 sets the 'password does not expire' bit when joining, and
doesn't change the password, particularly against AD.  

Samba 3.0 doesn't store the previous password, so in some situations we
could break due to changing the password on one, while still talking to
a different server.  This creates a race, where we correctly detect that
something broke the credentials chain, but can't correctly set it up

(Samba4 doesn't yet use the previous password either, but stores it).

Doing the change daily seems overkill to me, and creates a greater
chance of the race. 

I hope that clarifies things a bit better.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20060317/ddcb6304/attachment.bin

More information about the samba mailing list