update_machine_account_password


update_machine_account_password

by Matthieu Patou-5

Andrew B,

For a reason that I can't explain update_machine_account_password does not
work properly to update the supplementalCredentials and that's why using
smbclient for s4 against the updated tridge provision is failing
(because its provision uses w2K8 domain level and everything is done so
that aes is activated).

I tried several tricks and failed so a guru of this stuff is required.
Note that setting the password with sbin/setpassword puts things back in
order (well once the kvno has been modified to put secrets.ldb and
sam.ldb in sync)

Could you have a look ?

Matthieu.

Re: update_machine_account_password

by Matthieu Patou-5

Andrew,
I don't know why it came to my mind, but I decided to make a test with the -s
parameter instead of --targetdir,
that is to say:

./scripting/bin/upgradeprovision -s /home/mat/tridge/etc/smb.conf
instead of
./scripting/bin/upgradeprovision --targetdir /home/mat/tridge

And now it's working. I am wondering what -s triggers or sets so that
just using --targetdir does not have the same effect.

Worth investigating, I guess I should remove the --targetdir option.

Matthieu.
On 27/11/2009 20:23, Matthieu Patou wrote:

> Andrew B,
>
> For a reason that I can't explain update_machine_account_password does not
> work properly to update the supplementalCredentials and that's why using
> smbclient for s4 against the updated tridge provision is failing
> (because its provision uses w2K8 domain level and everything is done so
> that aes is activated).
>
> I tried several tricks and failed so a guru of this stuff is required.
> Note that setting the password with sbin/setpassword puts things back in
> order (well once the kvno has been modified to put secrets.ldb and
> sam.ldb in sync)
>
> Could you have a look ?
>
> Matthieu.


Re: update_machine_account_password

by Andrew Bartlett

On Fri, 2009-11-27 at 20:23 +0300, Matthieu Patou wrote:

> Andrew B,
>
> For a reason that I can't explain update_machine_account_password does not
> work properly to update the supplementalCredentials and that's why using
> smbclient for s4 against the updated tridge provision is failing
> (because its provision uses w2K8 domain level and everything is done so
> that aes is activated).
>
> I tried several tricks and failed so a guru of this stuff is required.
> Note that setting the password with sbin/setpassword puts things back in
> order (well once the kvno has been modified to put secrets.ldb and
> sam.ldb in sync)
>
> Could you have a look ?
The easy answer is to simply use the same code as setpassword, whatever
that is.  (That way, we keep this script using well known and otherwise
tested code).

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.



Re: update_machine_account_password

by Matthieu Patou-5

On 29/11/2009 10:02, Andrew Bartlett wrote:

> On Fri, 2009-11-27 at 20:23 +0300, Matthieu Patou wrote:
>    
>> Andrew B,
>>
>> For a reason that I can't explain update_machine_account_password does not
>> work properly to update the supplementalCredentials and that's why using
>> smbclient for s4 against the updated tridge provision is failing
>> (because its provision uses w2K8 domain level and everything is done so
>> that aes is activated).
>>
>> I tried several tricks and failed so a guru of this stuff is required.
>> Note that setting the password with sbin/setpassword puts things back in
>> order (well once the kvno has been modified to put secrets.ldb and
>> sam.ldb in sync)
>>
>> Could you have a look ?
>>      
> The easy answer is to simply use the same code as setpassword, whatever
> that is.  (That way, we keep this script using well known and otherwise
> tested code).
>
>    
I also tried with the code of setpassword without success. As I wrote in
my other email on this thread, what made the password change succeed for
the AES stuff is the fact that I used -s path_to_smb.conf when the
database is not located in the default path.

Matthieu.


Re: update_machine_account_password

by Andrew Bartlett

On Sun, 2009-11-29 at 12:07 +0300, Matthieu Patou wrote:

> On 29/11/2009 10:02, Andrew Bartlett wrote:
> > On Fri, 2009-11-27 at 20:23 +0300, Matthieu Patou wrote:
> >    
> >> Andrew B,
> >>
> >> For a reason that I can't explain update_machine_account_password does not
> >> work properly to update the supplementalCredentials and that's why using
> >> smbclient for s4 against the updated tridge provision is failing
> >> (because its provision uses w2K8 domain level and everything is done so
> >> that aes is activated).
> >>
> >> I tried several tricks and failed so a guru of this stuff is required.
> >> Note that setting the password with sbin/setpassword puts things back in
> >> order (well once the kvno has been modified to put secrets.ldb and
> >> sam.ldb in sync)
> >>
> >> Could you have a look ?
> >>      
> > The easy answer is to simply use the same code as setpassword, whatever
> > that is.  (That way, we keep this script using well known and otherwise
> > tested code).
> >
> >    
> I also tried with the code of setpassword without success. As I wrote in
> my other email on this thread, what made the password change succeed for
> the AES stuff is the fact that I used -s path_to_smb.conf when the
> database is not located in the default path.
Ahh, that would be a problem.  We would be using the wrong realm and
domain.  We should store the domain in the @SAMBA_DSDB record, and build
the realm from the default basedn.  We should also reconsider whenever
we use lp_ctx in ldb.

But using the right smb.conf is also required, and is the short and
long-term fix.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
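
Why a wrong realm breaks the AES keys specifically, as an added illustration that is not part of the thread and is not Samba code: Kerberos AES string-to-key (RFC 3962) salts the password with the realm, so keys derived under the realm of the wrong smb.conf cannot match those expected for the database's real realm. Only the PBKDF2 stage of the derivation is shown; the base DN, realms, machine name and password are constructed sample values, and the salt layout is the computer-account form from MS-KILE.

```python
import hashlib


def realm_from_basedn(basedn: str) -> str:
    """Build the Kerberos realm from the DC= components of a base DN.

    Simplified parsing: assumes no escaped commas inside RDN values.
    """
    labels = []
    for rdn in basedn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "dc" and value.strip():
            labels.append(value.strip())
    if not labels:
        raise ValueError("no DC= components in base DN: %r" % basedn)
    return ".".join(labels).upper()


def machine_salt(realm: str, account: str) -> bytes:
    """Computer-account salt: REALM + 'host' + name (no '$', lower) + '.' + realm (lower)."""
    host = account.rstrip("$").lower()
    return (realm.upper() + "host" + host + "." + realm.lower()).encode("utf-8")


def aes256_pbkdf2_stage(password: str, salt: bytes, iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key (the final DK step is omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, dklen=32)


def keys_match(password: str, account: str, realm_a: str, realm_b: str) -> bool:
    """True only if both realms yield the same intermediate AES key material."""
    key_a = aes256_pbkdf2_stage(password, machine_salt(realm_a, account))
    key_b = aes256_pbkdf2_stage(password, machine_salt(realm_b, account))
    return key_a == key_b


# Constructed sample values, not taken from the thread.
DB_BASEDN = "DC=tridge,DC=example,DC=com"   # base DN of the provisioned database
DEFAULT_CONF_REALM = "SAMBA.EXAMPLE.COM"    # realm a default-path smb.conf would supply
ACCOUNT = "TRIDGE-DC$"
PASSWORD = "constructed-machine-password"

if __name__ == "__main__":
    right_realm = realm_from_basedn(DB_BASEDN)
    print("realm from base DN:", right_realm)
    print("salt:", machine_salt(right_realm, ACCOUNT).decode())
    print("same password, same realm  ->", keys_match(PASSWORD, ACCOUNT, right_realm, right_realm))
    print("same password, wrong realm ->", keys_match(PASSWORD, ACCOUNT, right_realm, DEFAULT_CONF_REALM))
```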

