Chris Bradshaw
2004-Jun-08 20:40 UTC
[Samba] Samba, LDAP and machine account weirdness....
Hi....

I am using Samba 3.0.2 with LDAP as the passdb backend for both user accounts and for machine accounts.

I have noticed something which looks a bit strange. It seems that at least some machines (I don't think all machines, but can't be sure as of yet) appear to be having sambaPwdCanChange and sambaPwdLastChange modified in their account entry in the LDAP tree.....

I thought that the only time any machine account attributes would be added/altered is when the machine account is initially added.

One machine seems to be having these attributes in its machine account altered every 15 minutes.....other machines seem to only have this occur once or twice.

Another strange thing I have noticed is that for all of these machines, both the sambaLMPassword and sambaNTPassword hashes are identical.....I thought that these would/should always be different (open to correction on this ;-)....

Everything seems to work OK, but this is generating some load on our LDAP servers (master and replicas) and also I am concerned that perhaps we have been hacked or perhaps a Windoze virus is causing this to happen.

However, I am not aware of any viruses which attack an NT domain server and cause machine accounts to be altered.....besides, the virus would need to know a login/password with sufficient privilege to update the machine account via samba.

Could this be a hack or a virus?

Or is there any setting in Windoze (registry or something) which would cause a machine to try to update its machine account in some way?

Or is there anything else which might cause this (eg: a difference in the time on samba and LDAP servers?)?

Sorry if this seems a bit vague and lacking any more detail, but I am baffled myself.

If anyone has any suggestions or advice I would be most grateful.

Thanx in advance.

Chris Bradshaw
Andrew Bartlett
2004-Jun-09 13:45 UTC
[Samba] Samba, LDAP and machine account weirdness....
On Wed, 2004-06-09 at 06:34, Chris Bradshaw wrote:
> Hi....
>
> I am using Samba 3.0.2 with LDAP as the passdb backend for both user accounts
> and for machine accounts.
>
> I have noticed something which looks a bit strange. It seems that at least some
> machines (I don't think all machines, but can't be sure as of yet) appear to be
> having sambaPwdCanChange and sambaPwdLastChange modified in their account entry
> in the LDAP tree.....
>
> I thought that the only time any machine account attributes would be
> added/altered is when the machine account is initially added.

No, machines will change their password regularly. I noticed this issue, and added a check/hack to make such a change (which does not actually change the password) a no-op.

> One machine seems to be having these attributes in its machine account altered
> every 15 minutes.....other machines seem to only have this occur once or twice.
>
> Another strange thing I have noticed is that for all of these machines, both the
> sambaLMPassword and sambaNTPassword hashes are identical.....I thought that
> these would/should always be different (open to correction on this ;-)....

For historical reasons, Samba sets the NT and LM passwords to the new NT machine account password, on a machine password change.

> Everything seems to work OK, but this is generating some load on our LDAP
> servers (master and replicas) and also I am concerned that perhaps we have been
> hacked or perhaps a Windoze virus is causing this to happen.
>
> However, I am not aware of any viruses which attack an NT domain server and
> cause machine accounts to be altered.....besides, the virus would need to know a
> login/password with sufficient privilege to update the machine account via samba.
>
> Could this be a hack or a virus?
>
> Or is there any setting in Windoze (registry or something) which would cause a
> machine to try to update its machine account in some way?
>
> Or is there anything else which might cause this (eg: a difference in the time
> on samba and LDAP servers?)?
>
> Sorry if this seems a bit vague and lacking any more detail, but I am baffled
> myself.

Upgrade to the latest Samba, where this is fixed (that is, my hack avoids the load issues). I wonder if the fixes for the MS04-11 issues might also have fixed this.

Andrew Bartlett
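An added example (not part of the thread and not Samba's code): one way to check the behaviour discussed above from periodic LDIF dumps of the machine accounts, reporting the gaps between sambaPwdLastChange values, whether the NT hash actually changed, and whether the LM and NT hashes match. It assumes sambaPwdLastChange holds integer seconds; the DNs, hash strings, timestamps and the one-hour threshold are constructed for the sample.

```python
from collections import defaultdict

def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no folded lines) into dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = dict(line.split(": ", 1) for line in block.splitlines()
                     if ": " in line and not line.startswith("#"))
        if entry:
            entries.append(entry)
    return entries

def audit_machine_accounts(entries, min_interval=3600):
    """Summarise machine accounts (uid ends in '$'); min_interval is arbitrary."""
    stamps, nt_hashes, lm_eq_nt = defaultdict(set), defaultdict(set), {}
    for e in entries:
        uid = e.get("uid", "")
        if not uid.endswith("$") or "sambaPwdLastChange" not in e:
            continue
        stamps[uid].add(int(e["sambaPwdLastChange"]))
        nt_hashes[uid].add(e.get("sambaNTPassword"))
        lm_eq_nt[uid] = e.get("sambaLMPassword") == e.get("sambaNTPassword")
    report = {}
    for uid, seen in stamps.items():
        ordered = sorted(seen)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        report[uid] = {"intervals": gaps,
                       "frequent": any(g < min_interval for g in gaps),
                       "hash_changed": len(nt_hashes[uid]) > 1,
                       "lm_equals_nt": lm_eq_nt[uid]}
    return report

def make_record(uid, pw_hash, last_change):
    # Constructed sample record; DN and hash strings are placeholders.
    return (f"dn: uid={uid},ou=Computers,dc=example,dc=org\nuid: {uid}\n"
            f"sambaLMPassword: {pw_hash}\nsambaNTPassword: {pw_hash}\n"
            f"sambaPwdLastChange: {last_change}\n")

SAMPLE_LDIF = "\n".join([
    make_record("ws01$", "A" * 32, 1086700000),
    make_record("ws01$", "A" * 32, 1086700900),  # 15 minutes later, same hash
    make_record("ws01$", "A" * 32, 1086701800),  # 15 minutes later, same hash
    make_record("ws02$", "B" * 32, 1086000000),
    make_record("ws02$", "D" * 32, 1086604800),  # one week later, new hash
    make_record("alice", "C" * 32, 1086700000),  # user account, ignored
])

if __name__ == "__main__":
    print(audit_machine_accounts(parse_ldif(SAMPLE_LDIF)))
```

An account reported with `frequent` true and `hash_changed` false matches the pattern in this thread: the timestamp attributes are rewritten while the password itself stays the same.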
Hi....

Thanx for the reply....I am now using 3.0.4.

A few questions tho'....see below:

>No, machines will change their password regularly. I noticed this
>issue, and added a check/hack to make such a change (which does not
>actually change the password) a no-op.

Is the change interval set anywhere (eg: in the registry)? Is it always 15 mins? (as I was seeing).

Also, if I were using a local smbpasswd file (and I had not upgraded to 3.0.4) does this mean that the machine account entries would be regularly updated in this file? Or is the 'phenomenon' restricted only to Samba + LDAP?

Thanx for your help.

Chris.