Arturo Busleiman
2003-Nov-26 15:46 UTC
[Samba] My experience with samba/ldap and machine accounts
This is a snippet of an email I sent to Mark Taylor (who I contacted thru this list) today. I thought I should share this with you...
I am the double >> and zero-> typer.

> > On the other side, we've developed a new version of our DDS software
> > (remember the novell+NT to Linux+openldap+samba migration?) and they're
> > going into production line today :)
> > Cool, let me know how it goes...

I stayed till 3am in the company that day. From 3pm to 3am :P - Everything went cool (over 3000 machine accounts), BUT I found a samba/ldap bug or something regarding machine accounts.

DO ALWAYS BACKUP MACHINE ACCOUNTS THE FIRST TIME THEY ARE CREATED. (I mean, when an XP/2000 box joins the ldap domain, go and dump the ldif entry and keep it safe).

If you update samba or ldap, XP/2000 can't join because something happens with the ldif entry, which invalidates it. Restoring the old set of ldif-machine-entries will solve the problem.

Actually, the lmPassword and ntPassword attributes are scrambled and their values are no longer those of Domain Join-time. Dunno why it happens, this is somewhat documented (When updating blablabla, this may happen smbldap-howto I believe... but I'm not sure).

Bye

--
Arturo Busleiman - [ i n t r a R e d e s s r l ]
Piedras 264 - 2 A (C1070AAF) - Buenos Aires - ARGENTINA
Te.: (54 11) 4342-0049 - http://www.intraredes.com/
mailto:arturo.busleiman@intraredes.com
Adam Williams
2003-Nov-26 18:13 UTC
[Samba] My experience with samba/ldap and machine accounts
> This is a snippet of an email I sent to Mark Taylor (who I contacted thru
> this list) today. I thought I should share this with you...
> I am the double >> and zero-> typer.
> > > On the other side, we've developed a new version of our DDS software
> > > (remember the novell+NT to Linux+openldap+samba migration?) and they're
> > > going into production line today :)
> > Cool, let me know how it goes......
> Actually, the lmPassword and ntPassword attributes are scrambled and their
> values are no longer those of Domain Join-time. Dunno why it happens, this
> is somewhat documented (When updating blablabla, this may happen
> smbldap-howto I believe... but I'm not sure).

The workstation periodically changes the password, and does so when it first joins the domain. Before that it is a "well known" value. So you can't rejoin after joining without recreating the object.
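
An added example, not part of either message in the thread: comparing a join-time LDIF backup of machine accounts against a current dump shows which entries have had lmPassword or ntPassword rewritten, the change both posts describe. The DNs, hash values, function names and the rule that machine uids end in "$" are assumptions made for illustration.

```python
import base64

HASH_ATTRS = ("lmpassword", "ntpassword")  # attribute names from the thread, lowercased

def parse_ldif(text):
    """Parse LDIF text into {dn_lower: {attr_lower: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: continues the previous one
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):          # drop comments
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:                            # blank line ends the current entry
            current = None
            continue
        if value.startswith(":"):              # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def changed_machine_hashes(backup_ldif, current_ldif):
    """Return (dn, attr) pairs where a machine account differs from its backup."""
    old, new = parse_ldif(backup_ldif), parse_ldif(current_ldif)
    changed = []
    for dn, attrs in sorted(old.items()):
        if not attrs.get("uid", [""])[0].endswith("$"):   # assumption: machine uids end in "$"
            continue
        now = new.get(dn, {})                  # entry missing now: every hash counts as changed
        changed += [(dn, a) for a in HASH_ATTRS if attrs.get(a) != now.get(a)]
    return changed

# Constructed sample data: DNs and hash values are made up for illustration.
ENTRY = "dn: uid={0},ou={1},dc=example,dc=com\nuid: {0}\nlmPassword: {2}\nntPassword: {3}\n\n"
BACKUP = (ENTRY.format("ws001$", "Computers", "1" * 32, "2" * 32)
          + ENTRY.format("ws002$", "Computers", "3" * 32, "4" * 32)
          + ENTRY.format("alice", "People", "5" * 32, "6" * 32))
CURRENT = (ENTRY.format("ws001$", "Computers", "a" * 32, "b" * 32)
           + ENTRY.format("ws002$", "Computers", "3" * 32, "4" * 16 + "\n " + "4" * 16)
           + ENTRY.format("alice", "People", "7" * 32, "8" * 32))

if __name__ == "__main__":
    for dn, attr in changed_machine_hashes(BACKUP, CURRENT):
        print(f"{dn}: {attr} differs from the join-time backup")
```
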