[Samba] Daily changetrustpw breaks authentication

Andrew Bartlett abartlet at samba.org
Fri Mar 17 00:43:06 GMT 2006


On Wed, 2006-03-15 at 16:59 -0600, Jim Moser wrote:
> Anyone have any thoughts on this?  Is changetrustpw even required?  Are 
> other people using it with success?

No, it's not required (but perhaps a good security idea).  

Samba 3.0 sets the 'password does not expire' bit when joining, and
doesn't change the password, particularly against AD.  

Samba 3.0 doesn't store the previous password, so in some situations we
could break due to changing the password on one, while still talking to
a different server.  This creates a race, where we correctly detect that
something broke the credentials chain, but can't correctly set it up
again.

(Samba4 doesn't yet use the previous password either, but stores it).

Doing the change daily seems overkill to me, and creates a greater
chance of the race. 

I hope that clarifies things a bit better.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
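
The race described in the message above, as an added toy model that is not part of the original post and is not Samba code: a member changes its machine password on one DC and then talks to another DC that has not replicated yet. The class and function names, the two-DC setup, and the fallback-to-previous logic are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DC:
    """A domain controller with its own copy of the machine account secret."""
    name: str
    secret: str

    def authenticate(self, offered: str) -> bool:
        return offered == self.secret


@dataclass
class Member:
    """Domain member; keep_previous=False models storing only the current password."""
    current: str
    keep_previous: bool
    previous: Optional[str] = None

    def change_password(self, dc: DC, new: str) -> None:
        # The change lands on one DC; the others learn it only after replication.
        if not dc.authenticate(self.current):
            raise PermissionError("change rejected by " + dc.name)
        dc.secret = new
        self.previous = self.current if self.keep_previous else None
        self.current = new

    def setup_credentials(self, dc: DC) -> str:
        """Try to (re)establish the credentials chain with the given DC."""
        if dc.authenticate(self.current):
            return "ok-current"
        if self.previous is not None and dc.authenticate(self.previous):
            return "ok-previous"  # DC has not seen the change yet
        return "failed"


def run(keep_previous: bool) -> List[str]:
    """Constructed scenario: change on dc1, then talk to dc2 before and after replication."""
    dc1, dc2 = DC("dc1", "pw-old"), DC("dc2", "pw-old")
    member = Member("pw-old", keep_previous)
    member.change_password(dc1, "pw-new")
    results = [member.setup_credentials(dc2)]  # inside the replication window
    dc2.secret = dc1.secret                    # replication catches up
    results.append(member.setup_credentials(dc2))
    return results


if __name__ == "__main__":
    print("current only:      ", run(False))
    print("current + previous:", run(True))
```

The more often the password is changed, the more often a member is inside the replication window, which is why a daily change raises the chance of hitting the failure.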