On Friday, September 28, 2001 7:47 AM, Greg Zartman wrote:

> When the machine leaves the samba domain and then tries to rejoin again,
> it regenerates a new random machine password that doesn't match the
> machine password in smbpasswd database.

<snip>

> Good point... However, some type of transfer must take place in order
> for machine passwords to be "reset" on a Win NT PDC. I guess this is where
> I am getting confused.

I did some testing with a Win2000 Service Pack 2 client to confirm my thoughts, and here's what I found:

With Samba as the PDC running with Dan Brown's How-To 2, you can join the domain, which created the unix and samba passwords, as well as adding the machine account in the e-smith accounts database. When you leave the domain and change to a workgroup, nothing is changed on the server side. When you re-join the domain, samba re-generates a different random password that it stores in smbpasswd, overwriting the previous password, and things proceed as normal. Presumably, some form of this new password is stored in the windows registry in the place of the previous one, since I had no trouble logging on with my domain user accounts.

Next, I tried changing the computer name and joining the domain, which simply created a different machine account, as well as new unix and samba passwords. Again, I changed to a workgroup and then re-joined the domain, with the same results. Nothing was ever removed (at least to my knowledge) in the form of user accounts or passwords.

Now for a *little* background on WinNT/2000 SIDs as I understand them. WinNT/2000 machines generate "partial" SIDs at install time that are based on who knows what, but they are intended to be somewhat unique. I say "partial" because the final piece of a SID is generated when the WinNT/2000 machine connects to a primary domain controller, and that final piece is generated by the server, not the client. This "final" SID is "unique across space and time" according to Microsoft. This is why cloning of WinNT/2000 machines (using Ghost, etc.) is much better before the original machine has connected to a domain. Otherwise, all the clones have to have major registry tweaks to make them unique.

It looks like samba is simply re-generating this key portion of the SID and giving this back to the client to replace the original one. I may be over-simplifying this whole issue, but the basics are accurate.

Based on all this, I think that there is no real need to delete the machine accounts from the domain, except to keep the appropriate files and databases clean.

David M. Brown
Frick, Frick & Jetté Architects
[EMAIL PROTECTED]

--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
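The observation above (a rejoin overwrites the machine account's password in smbpasswd rather than creating or deleting entries, while a renamed computer gets a new entry) can be checked directly against the smbpasswd file. The following Python is an added example for this list post, not code from the thread or from Samba itself. It parses the classic smbpasswd line format (`name:uid:LM_hash:NT_hash:[flags]:LCT-hex:`), picks out machine trust accounts (a trailing `$` in the name and the `W` flag), and diffs two snapshots taken before and after a rejoin. The account names, uids, hashes and LCT timestamps in the two snapshots are constructed sample data, not real hashes; `split_sid` is a small helper added here to separate a domain SID from its final RID, the "final piece" the post discusses.

```python
"""Compare two smbpasswd snapshots to see what a machine-account rejoin changed.

All entries and hashes below are constructed sample data (added example,
not Samba's own code or data).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class SmbEntry:
    name: str
    uid: int
    lm_hash: str
    nt_hash: str
    flags: FrozenSet[str]
    lct: int  # "last change time", Unix seconds, stored as LCT-<hex>

    @property
    def is_machine_account(self) -> bool:
        # Machine trust accounts are named with a trailing '$' and flagged 'W'.
        return self.name.endswith("$") and "W" in self.flags


def parse_smbpasswd(text: str) -> Dict[str, SmbEntry]:
    """Parse smbpasswd-format lines into a dict keyed by account name."""
    entries: Dict[str, SmbEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"malformed smbpasswd line: {raw!r}")
        name, uid, lm, nt, flags, lct = fields[:6]
        if not (flags.startswith("[") and flags.endswith("]")):
            raise ValueError(f"bad flags field in line: {raw!r}")
        if not lct.startswith("LCT-"):
            raise ValueError(f"bad LCT field in line: {raw!r}")
        entries[name] = SmbEntry(
            name=name,
            uid=int(uid),
            lm_hash=lm.upper(),
            nt_hash=nt.upper(),
            flags=frozenset(flags[1:-1].replace(" ", "")),
            lct=int(lct[4:], 16),
        )
    return entries


def rejoin_changes(before: Dict[str, SmbEntry],
                   after: Dict[str, SmbEntry]) -> Tuple[List[str], List[str], List[str]]:
    """Return (rekeyed, added, removed) machine accounts between two snapshots.

    'rekeyed' means the entry survived but its NT hash changed, which is what
    a rejoin does; user accounts are ignored.
    """
    machines_before = {n for n, e in before.items() if e.is_machine_account}
    machines_after = {n for n, e in after.items() if e.is_machine_account}
    rekeyed = sorted(n for n in machines_before & machines_after
                     if before[n].nt_hash != after[n].nt_hash)
    added = sorted(machines_after - machines_before)
    removed = sorted(machines_before - machines_after)
    return rekeyed, added, removed


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-A-B-C-RID' into (domain SID, RID)."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


# Constructed snapshots: one user plus one machine before the rejoin; after the
# rejoin the machine's NT hash and LCT differ and a renamed machine has appeared.
SNAPSHOT_BEFORE = """\
dbrown:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-3BB3A1C0:
ws01$:1101:AAD3B435B51404EEAAD3B435B51404EE:11111111111111111111111111111111:[W          ]:LCT-3BB3A1F0:
"""
SNAPSHOT_AFTER = """\
dbrown:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-3BB3A1C0:
ws01$:1101:AAD3B435B51404EEAAD3B435B51404EE:22222222222222222222222222222222:[W          ]:LCT-3BB3B000:
ws02$:1102:AAD3B435B51404EEAAD3B435B51404EE:33333333333333333333333333333333:[W          ]:LCT-3BB3B100:
"""


def demo() -> Tuple[List[str], List[str], List[str]]:
    before = parse_smbpasswd(SNAPSHOT_BEFORE)
    after = parse_smbpasswd(SNAPSHOT_AFTER)
    return rejoin_changes(before, after)


if __name__ == "__main__":
    rekeyed, added, removed = demo()
    print("rekeyed:", rekeyed, "added:", added, "removed:", removed)
    print(split_sid("S-1-5-21-1111111111-2222222222-3333333333-1105"))
```

Run against real before/after copies of smbpasswd, `rejoin_changes` should report the rejoined workstation under "rekeyed" and nothing under "removed", which is the behaviour the post describes; a renamed computer shows up under "added" with its old name left behind, which is the only reason to clean stale entries out by hand.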