Mikko Kortelainen
2003-Jan-16 11:43 UTC
[Samba] Samba BDCs and machine trust account passwords
I have a problem with machine trust accounts breaking in a purely Samba controlled domain. I have one master Samba server acting as a PDC, and three slave servers in different networks. The UNIX user account information is updated by means of NIS, and smbpasswd gets rsync'ed to the slave servers whenever there is a change in the file. All this works without problems at all times.

When I attach workstations to the domain, everything works fine for a while. But after a certain time (a few hours to a few weeks) the workstations start complaining that the machine trust account with the domain is broken. In fact, the log files say that the authentication fails because the password challenge and response are different, so it really seems that the password the workstation has is different from the one Samba has. This problem comes up only within the networks of the slave servers; the network of the master server has never had any problems (it has been up and running for more than 6 months without problems now).

Could this mean that the workstation thinks it has changed its trust account password successfully, while the Samba server still has the old password?

How often do the Windows workstations change their trust account passwords?

Would it be possible for a workstation to negotiate a new password with a SLAVE server, that would be overwritten whenever the master sends a new copy of smbpasswd to the slaves?

Do I have to have a script at the slave servers that updates the master server's smbpasswd whenever there's a change in their own files? Can I do this with the "unix password sync", "passwd program" and "passwd chat" smb.conf options? Or is there a way to tell Samba not to change the password in the local smbpasswd, but hand it to the master server instead? Can the "password server" option do this?

Mikko Kortelainen
mikko.kortelainen@hut.fi
Andrew Bartlett
2003-Jan-16 12:37 UTC
[Samba] Samba BDCs and machine trust account passwords
On Thu, 2003-01-16 at 22:48, Mikko Kortelainen wrote:

> I have a problem with machine trust accounts breaking in a purely Samba
> controlled domain. I have one master Samba server acting as a PDC, and
> three slave servers in different networks. The UNIX user account
> information is updated by means of NIS, and smbpasswd gets rsync'ed to
> the slave servers whenever there is a change in the file. All this works
> without problems at all times.
>
> When I attach workstations to the domain, everything works fine for a
> while. But after a certain time (a few hours to a few weeks) the
> workstations start complaining that the machine trust account with the
> domain is broken. In fact, in the log files it says that the
> authentication fails because the password challenge and response are
> different, so it really seems that the password that the workstation has
> is different from the one Samba has. This problem comes up only within
> the networks of the slave servers, the network of the master server has
> never had any problems (it has been up and running more than 6 months
> without problems now).
>
> Could this mean that the workstation thinks it has changed its trust
> account password successfully, while the Samba server still has the old
> password?
>
> How often do the Windows workstations change their trust account passwords?

Once per week.

> Would it be possible for a workstation to negotiate a new password with
> a SLAVE server, that would be overwritten whenever the master sends a
> new copy of smbpasswd to the slaves?

Are you sure that your slaves are configured as BDCs? It smells to me like they think their local server is the PDC. The sync then kills their password.

> Do I have to have a script at the slave servers that update the master
> server's smbpasswd whenever there's a change in their own files? Can I
> do this with the "unix password sync" and "passwd program" and "passwd
> chat" smb.conf-options? Or is there a way to tell Samba not to change
> the password in the local smbpasswd, but hand it to the master server
> instead? Can "password server" option do this?

If your local servers think they are PDCs, and you cannot get your machines to talk to the real PDC directly, then look into replicated LDAP, Samba 3.0 and rebinds (or the patch that has been on the samba-technical list recently). That will cause the slave servers to contact the master to update the password.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
Mikko Kortelainen
2003-Jan-16 13:23 UTC
[Samba] Samba BDCs and machine trust account passwords
> > Would it be possible for a workstation to negotiate a new password
> > with a SLAVE server, that would be overwritten whenever the master
> > sends a new copy of smbpasswd to the slaves?
>
> Are you sure that your slaves are configured as BDCs? It smells to
> me like they think their local server is the PDC. The sync then
> kills their password.

Here's (what I think is) the essential part from my SLAVE smb.conf:

    security = user
    domain logons = yes
    domain master = no
    os level = 64
    local master = yes
    preferred master = yes

The MASTER configuration is the same except that "domain master" is set to yes. I've understood that the above configuration causes the workstations to send their password updates to the MASTER. Am I wrong? If I am, is there any way in 2.2.7 to correct this (either so that the workstations change their passwords directly with the master, or so that the slave sends an update message to the master automatically)? Or do I have to go to 3.0 and LDAP? (Which I'd rather not, yet.)

My users have no problems changing their user account passwords from anywhere, so there must be a difference in the way these two things work...?

Mikko Kortelainen
mikko.kortelainen@hut.fi
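The failure mode the thread circles around is a machine trust account that rotates its password against a slave, after which a master-to-slave rsync of smbpasswd reverts the hash and the workstation can no longer authenticate. As an added check, not code from the thread or from the Samba project, the script below parses two smbpasswd files (the real Samba 2.2 line format, name:uid:LM-hash:NT-hash:[flags]:LCT-<hex epoch seconds>:) and lists machine accounts whose slave copy is both newer than and different from the master's, i.e. exactly the entries the next rsync would silently clobber. The file contents, account names and hashes are constructed for illustration.

```python
"""Added example: find machine trust accounts that changed on a Samba BDC's
smbpasswd since the last copy from the PDC, i.e. entries a master -> slave
rsync would silently overwrite.  Sample file contents below are constructed
for illustration; the hashes and timestamps are not real."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Entry:
    name: str
    uid: int
    lm_hash: str
    nt_hash: str
    flags: str   # account flags, e.g. "[W          ]" for a workstation
    lct: int     # last change time, seconds since the epoch (0 if absent)


def parse_smbpasswd(text: str) -> Dict[str, Entry]:
    """Parse smbpasswd lines: name:uid:LMHASH:NTHASH:[flags]:LCT-<hex>:"""
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            continue  # malformed line; ignore rather than guess
        name, uid, lm, nt, flags, lct = fields[:6]
        lct_val = int(lct[4:], 16) if lct.startswith("LCT-") else 0
        entries[name] = Entry(name, int(uid), lm, nt, flags, lct_val)
    return entries


def is_machine_account(e: Entry) -> bool:
    """Machine trust accounts end in '$' and carry the 'W' (workstation) flag."""
    return e.name.endswith("$") or "W" in e.flags.strip("[]")


def find_clobber_risk(master: Dict[str, Entry], slave: Dict[str, Entry]) -> List[str]:
    """Machine accounts whose slave copy is newer than, and differs from,
    the master's: those are what a master -> slave rsync would revert."""
    risky = []
    for name, s in slave.items():
        if not is_machine_account(s):
            continue
        m = master.get(name)
        if m is None or (s.lct > m.lct and s.nt_hash != m.nt_hash):
            risky.append(name)
    return sorted(risky)


# Constructed sample data (not from the thread). LCT values are hex epoch
# seconds; WS1$ rotated its password against the slave after the last sync.
MASTER_SMBPASSWD = """\
# smbpasswd on the PDC
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-3E260000:
WS1$:1101:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:11111111111111111111111111111111:[W          ]:LCT-3E260000:
WS2$:1102:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:22222222222222222222222222222222:[W          ]:LCT-3E260000:
"""

SLAVE_SMBPASSWD = """\
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-3E260000:
WS1$:1101:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:33333333333333333333333333333333:[W          ]:LCT-3E26A000:
WS2$:1102:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:22222222222222222222222222222222:[W          ]:LCT-3E260000:
"""


def report() -> List[str]:
    """Print and return the machine accounts at risk for the sample files."""
    risky = find_clobber_risk(parse_smbpasswd(MASTER_SMBPASSWD),
                              parse_smbpasswd(SLAVE_SMBPASSWD))
    for name in risky:
        print(f"{name}: trust password changed on slave; "
              f"next rsync from the master would revert it")
    return risky


if __name__ == "__main__":
    report()
```

Run it against copies of the master's and each slave's smbpasswd from the rsync wrapper before the copy goes out; any hit is a workstation that will fail domain authentication as soon as the sync lands. The check only surfaces the divergence; what removes it is the fix Andrew points at, slaves that pass trust-password changes through to the real PDC rather than committing them locally.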