Operating System - HP-UX

Samba 3.X Domain Member (old Style) - How to Periodically refresh Machine Account?

 
SOLVED
Alzhy
Honored Contributor


Greetings!

My Samba 3.X services on HP-UX 11.11 are domain members (SECURITY = DOMAIN, old style, joined via "net rpc oldjoin"). Our Windows Domain Admins are asking if there is a way for these Samba nodes to periodically "reset" their "machine accounts" on the domain. It seems our domain has a policy for a "machine account" to expire/get-flagged after 90 days.

Thanks!
Hakuna Matata.
4 REPLIES
Steven E. Protter
Exalted Contributor

Re: Samba 3.X Domain Member (old Style) - How to Periodically refresh Machine Account?

Shalom,

The Windows Domain administrators should handle the reset themselves. The machine accounts reside in the Windows domain, and that is what they are talking about.

They need to let you know, because if you have the same accounts on HP-UX and are mapping the IDs, your systems could be thrown out of the domain by the Windows admins doing their reset.

This is particularly fun with Kerberos, where the kinit command will suddenly fail if the Windows machine account for the system is updated.

Strictly speaking, machine accounts are not needed on the Unix side. They are created by the net join when the Unix system joins the domain.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Heironimus
Honored Contributor
Solution

Re: Samba 3.X Domain Member (old Style) - How to Periodically refresh Machine Account?

They probably mean changing the machine account password in the domain, though many Windows admins somehow don't know that's going on behind the scenes when domain members "check in" or "refresh" their memberships. I think you want "net rpc changetrustpw" to tell Samba to do that.
Alzhy
Honored Contributor

Re: Samba 3.X Domain Member (old Style) - How to Periodically refresh Machine Account?

Heironimus,
Thanks.. I was just actually about to mention that the "net" man pages do mention that option. There is also however a "CHANGESECRETPW":

CHANGESECRETPW
This command allows the Samba machine account password to be set from
an external application to a machine account password that has already
been stored in Active Directory. DO NOT USE this command unless you
know exactly what you are doing. The use of this command requires that
the force flag (-f) be used also. There will be NO command prompt.
Whatever information is piped into stdin, either by typing at the
command line or otherwise, will be stored as the literal machine
password. Do NOT use this without care and attention as it will overwrite
a legitimate machine password without warning. YOU HAVE BEEN WARNED.

Can I actually script this "NET RPC CHANGETRUSTPW" thingy?
Hakuna Matata.
Heironimus
Honored Contributor

Re: Samba 3.X Domain Member (old Style) - How to Periodically refresh Machine Account?

I think changetrustpw will generate a new random password and go through the whole password change process automatically, so scripting shouldn't be a problem.
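
Added example, not part of any post in this thread: a cron-driven wrapper around the "net rpc changetrustpw" command discussed above, which confirms the domain join with "net rpc testjoin" before and after the change so that a broken trust is logged rather than discovered later. The binary path, syslog tag and cron schedule are assumptions to adjust for the local install.

```shell
#!/bin/sh
# Added example: rotate the Samba machine account password from cron.
# Assumed values (not from the thread): NET path, LOG_TAG, cron schedule.

NET="${NET:-/opt/samba/bin/net}"   # assumed install path; adjust locally
LOG_TAG="samba-trustpw"            # hypothetical syslog tag

log() {
    # Send to syslog; fall back to stderr if logger is unavailable.
    logger -t "$LOG_TAG" "$1" 2>/dev/null || echo "$LOG_TAG: $1" >&2
}

# Return codes:
#   0  password changed and join verified afterwards
#   1  join already invalid before the change (nothing was changed)
#   2  "net rpc changetrustpw" itself failed
#   3  change reported success but the join test fails afterwards
rotate_trust_pw() {
    if ! "$NET" rpc testjoin >/dev/null 2>&1; then
        log "pre-check failed: join is not valid, password not changed"
        return 1
    fi
    if ! "$NET" rpc changetrustpw >/dev/null 2>&1; then
        log "net rpc changetrustpw failed"
        return 2
    fi
    if ! "$NET" rpc testjoin >/dev/null 2>&1; then
        log "password changed but join test now fails, investigate"
        return 3
    fi
    log "machine account password changed and join verified"
    return 0
}

# Run only when invoked with "run", for example from root's crontab
# (constructed schedule, monthly, well inside a 90-day policy):
#   0 3 1 * * /usr/local/bin/samba-trustpw.sh run
if [ "${1:-}" = "run" ]; then
    rotate_trust_pw
    exit $?
fi
```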