On Thu, Jan 23, 2003 at 03:46:26PM +0100, Nicki Messerschmidt, Linksystem Muenchen GmbH wrote:
> Hi there,
> I have a really ugly problem, which, as I know is partially self-made.
> But to the problem:
> I have five servers running samba-2.2.3a-12 (latest Debian Woody
> release) which are controlled by one master server. All of the five
> servers act as pdc for an own nt-domain. Now to keep the administrative
> work as low as possible I have this one master server. Via this server
> we/our customer adds/deletes all user accounts. This works as expected
> and cvs is my friend here. The users can change their passwords via nt,
> because the scripts for "passwd program" manage this part.

Set 'domain master = no', but 'domain logons = yes', on all of the "PDCs" except the master. In an NT4-style domain, it's really not feasible to have more than one *primary* domain controller.

--
Steve Langasek
postmodern programmer
Nicki Messerschmidt, Linksystem Muenchen GmbH
2003-Jan-24 18:00 UTC
[Samba] Re: Workstation Trust Accounts
Steve Langasek wrote:
> Nicki Messerschmidt wrote:
>>> Steve Langasek wrote:
>>>> Let me guess. If I do it this way samba acts as a pdc but the
>>>> clients do not try to update their accounts? Are there any
>>>> drawbacks using this technique?
>>> That makes them act as BDCs instead of all trying to be a PDC.
>>> Trying to deploy multiple PDCs in an NT4 domain and syncing
>>> between them will introduce nasty race conditions that should
>>> be avoided.
>> But we don't have multiple PDCs in _one_ domain. We have five
>> PDCs in _five_ domains plus one master server which acts as
>> "administrative" Server where all Useraccounts are entered but
>> which has no samba running. Does it still work then, if I let
>> the now PDCs be BDCs?
> Then I don't understand what problem you're having. What isn't
> working in this scenario? Are you trying to synchronize the
> machine accounts between the domains? (If you're doing that,
> *why* do you have separate domains?)

There are separate domains because it is a company which consists of many companies and is geographically spread via town. There is one boss who wants to be able to create useraccounts on one machine via webmin (don't ask why).

And the problem is that if user A changes his password via nt it gets distributed to all other servers which in turn "forget" the changed workstation trust account passwords. But I think that I just have to disable this "feature" on every machine...

Or is there an equivalent to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange=1
in smb.conf?

Cheers and thanks
Nicki

--
Linksystem Muenchen GmbH        info@link-m.de
Schloerstrasse 10               http://www.link-m.de
80634 Muenchen                  Tel. 089 / 890 518-0
We make the Net work.           Fax 089 / 890 518-77
Nicki Messerschmidt, Linksystem Muenchen GmbH
2003-Jan-28 05:09 UTC
[Samba] Workstation Trust Accounts
Hi there,

I have a really ugly problem, which, as I know is partially self-made. But to the problem:

I have five servers running samba-2.2.3a-12 (latest Debian Woody release) which are controlled by one master server. All of the five servers act as pdc for an own nt-domain. Now to keep the administrative work as low as possible I have this one master server. Via this server we/our customer adds/deletes all user accounts. This works as expected and cvs is my friend here. The users can change their passwords via nt, because the scripts for "passwd program" manage this part.

But (!) now our machines start to change their workstation trust account "passwords" and for this I found no possibility to execute a script if this happens. Does anyone of you know how I can handle this problem? And I don't want to update to samba 3.0 with ldap (as in: [1]).

[1] http://groups.google.de/groups?hl=de&lr=&ie=UTF-8&oe=UTF-8&threadm=20030116115009%24613a%40gated-at.bofh.it&rnum=2&prev=/groups%3Fhl%3Dde%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Dsmbpasswd%2Bworkstation%2Btrust%2Baccount

Cheers
Nicki

--
Linksystem Muenchen GmbH        info@link-m.de
Schloerstrasse 10               http://www.link-m.de
80634 Muenchen                  Tel. 089 / 890 518-0
We make the Net work.           Fax 089 / 890 518-77