On Wed, 2004-06-09 at 06:34, Chris Bradshaw wrote: > Hi.... > > I am using Samba 3.0.2 with LDAP as the passdb backend for both user accounts > and for machine accounts. > > I have noticed something which looks a bit strange. It seems that at least some > machines (I don't think all machines, but can't be sure as of yet) appear to be > having sambaPwdCanChange and sambaPwdLastChange modified in their account entry > in the LDAP tree..... > > I thought that the only time any machine account attributes would be > added/altered is when the machine account is initially added.
No, machines will change their password regularly. I noticed this issue, and added a check/hack to make such a change (which does not actually change the password) a no-op. > One machine seems to be having these attributes in its machine account altered > every 15 minutes.....other machines seem to only have this occur once or twice. > > Another strange thing I have noticed is that for all of these machines, both the > sambaLMPassword and sambaNTPassword hashes are identical.....I thought that > these would/should always be different (open to correction on this ;-).... For historical reasons, Samba sets the NT and LM passwords to the new NT machine account password, on a machine password change. > Everything seems to work OK, but this is generating some load on our LDAP > servers (master and replicas) and also I am concerned that perhaps we have been > hacked or perhaps a Windoze virus is causing this to happen. > > However, I am not aware of any viruses which attack an NT domain server and > cause machine accounts to be altered.....besides, the virus would need to know a > login/password with sufficient privilege to update the machine account via samba. > > Could this be a hack or a virus? > > Or is there any setting in Windoze (registry or something) which would cause a > machine to try to update its machine account in some way? > > Or is there anything else which might cause this (eg: a difference in the time > on samba and LDAP servers?)? > > Sorry if this seems a but vague and lacking any more detail, but I am baffled > myself. Upgrade to the latest Samba, where this is fixed (that is, my hack avoids the load issues). I wonder if the fixes for the MS04-11 issues might also have fixed this. Andrew Bartlett
signature.asc
Description: This is a digitally signed message part
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba