Re: [Samba] Samba 2.2.8 is failing on change machine account password

2003-03-28 Thread Andrew Bartlett
On Fri, 2003-03-28 at 19:44, Hansjoerg Maurer wrote:
> Hi,
> 
> I have the same problem with
> security=domain
> but it occurs with older samba versions too.
> (Solaris 8, NT4 PDC)
> I have tried several settings (upper/lowercase of Domainname (in 
> workgroup and smbpasswd command)),
> adding it via smbpasswd with/without creating the machine account at the 
> NT4 domain before.
> It works for one week after adding the Samba server to the domain
> With
> 
> machine password timeout = 900
> 
> you can decrease the time until the problem occurs from one week to e.g. 
> 15 min for
> testing purposes.

If you run 'smbpasswd -t' it should do it on demand.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba 2.2.8 is failing on change machine account password

2003-03-28 Thread Andrew Bartlett
On Fri, 2003-03-28 at 23:44, Eric Boehm wrote:
> On Fri, Mar 28, 2003 at 10:00:47PM +1100, Andrew Bartlett wrote:
> Andrew == Andrew Bartlett [EMAIL PROTECTED] writes:
> 
> Andrew> On Fri, 2003-03-28 at 19:44, Hansjoerg Maurer wrote:
> 
> Andrew> If you run 'smbpasswd -t' it should do it on demand.
> 
> That doesn't seem to work

I didn't say it would work, just that it would be easier to debug :-)

> smbpasswd -t AMERICASE
> 2003/03/28 07:40:32 : change_trust_account_password: Failed to change password for 
> domain AMERICASE.
> 
> I do have a debug level 10 log of the attempt but there really isn't
> much more information in it. I really do think this might be a bug. If
> anyone has been able to get this to work, I would appreciate hearing
> about it. If there are other steps I can take to help debug/fix this,
> I am willing to take those steps.
> 
> Doesn't this present a potential security issue if the machine
> password never changes?

Small - basically if the 'bad guy' can figure out the password by
cryptographic or network brute force before you change it, yes.  If he
is listening on the connection always anyway, then they will observe the
password change.

In short - keep it secret, and it's not too bad.

> [2003/03/27 15:33:15, 5, pid=25400] lib/util.c:(291)
>   smb_bcc=0
> [2003/03/27 15:33:15, 6, pid=25400] lib/util_sock.c:(518)
>   write_socket(10,39)
> [2003/03/27 15:33:15, 6, pid=25400] lib/util_sock.c:(521)
>   write_socket(10,39) wrote 39
> [2003/03/27 15:34:15, 3, pid=25400] smbd/sec_ctx.c:(329)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2003/03/27 15:34:15, 5, pid=25400] smbd/uid.c:(217)
>   change_to_root_user: now uid=(0,0) gid=(0,0)
> [2003/03/27 15:34:15, 10, pid=25400] smbd/process.c:(1137)
>   timeout_processing: checking to see if machine account password need changing.
> [2003/03/27 15:34:15, 10, pid=25400] smbd/process.c:(1167)
>   timeout_processing: machine account password last change time = (1046645657) Sun, 
> 02 Mar 2003 17:54:17 EST.
> [2003/03/27 15:34:15, 0, pid=25400] rpc_client/cli_trust.c:(46)
>   domain_client_validate: unable to fetch domain sid.

This certainly looks like an issue.

Have you tried rejoining the domain?

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
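
The rotation failure discussed in this thread, turned into a log check. This is an added example, not part of the original messages and not Samba code. It reads smbd log lines in the format quoted above, compares the machine password age with `machine password timeout` (taken as the one week mentioned in the thread), and collects the rotation errors. The function name `audit`, its parameters and the UTC offset are assumptions; the sample log is constructed from the quoted excerpt with the mail-wrapped line rejoined.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: lines quoted in the thread, wrapped line rejoined.
SAMPLE_LOG = """\
[2003/03/27 15:34:15, 10, pid=25400] smbd/process.c:(1137)
  timeout_processing: checking to see if machine account password need changing.
[2003/03/27 15:34:15, 10, pid=25400] smbd/process.c:(1167)
  timeout_processing: machine account password last change time = (1046645657) Sun, 02 Mar 2003 17:54:17 EST.
[2003/03/27 15:34:15, 0, pid=25400] rpc_client/cli_trust.c:(46)
  domain_client_validate: unable to fetch domain sid.
"""

# Header layout as it appears in the thread's excerpt (assumed stable).
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+, pid=\d+\] \S+")
LAST_CHANGE = re.compile(r"machine account password last change time = \((\d+)\)")
# The two error messages that appear in the thread.
FAILURES = ("domain_client_validate: unable to fetch domain sid",
            "change_trust_account_password: Failed to change password")

def audit(log_text, timeout=604800, utc_offset_hours=-5):
    """Return (age_seconds, overdue, failures) for the last rotation check.

    timeout: 'machine password timeout' in seconds (one week here).
    utc_offset_hours: offset of the log's local timestamps (assumption;
    -5 matches the EST shown in the sample).
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    stamp_text, stamp, age, failures = None, None, None, []
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            stamp_text = m.group(1)
            stamp = datetime.strptime(stamp_text, "%Y/%m/%d %H:%M:%S").replace(tzinfo=tz)
            continue
        msg = line.strip()
        m = LAST_CHANGE.search(msg)
        if m and stamp is not None:
            # Epoch in the log is UTC; the header time is local.
            age = int(stamp.timestamp()) - int(m.group(1))
        if any(f in msg for f in FAILURES):
            failures.append((stamp_text, msg))
    overdue = age is not None and age > timeout
    return age, overdue, failures

if __name__ == "__main__":
    age, overdue, failures = audit(SAMPLE_LOG)
    print(f"machine password age: {age / 86400:.1f} days, overdue={overdue}")
    for when, msg in failures:
        print(f"rotation failure at {when}: {msg}")
```

An overdue age together with a failure entry at the same timestamp is the pattern reported in the thread: the periodic check runs, but the change never completes.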

