This is a discussion on Re: [Samba] Daily changetrustpw breaks authentication within the Samba forums, part of the Networking and Network Related category.
On Wed, 2006-03-15 at 16:59 -0600, Jim Moser wrote:
> Anyone have any thoughts on this? Is changetrustpw even required? Are
> other people using it with success?

No, it's not required (but perhaps a good security idea).

Samba 3.0 sets the 'password does not expire' bit when joining, and doesn't change the password, particularly against AD.

Samba 3.0 doesn't store the previous password, so in some situations we could break due to changing the password on one, while still talking to a different server. This creates a race, where we correctly detect that something broke the credentials chain, but can't correctly set it up again. (Samba4 doesn't yet use the previous password either, but stores it).

Doing the change daily seems overkill to me, and creates a greater chance of the race.

I hope that clarifies things a bit better.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
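The race described in the message above, as an added, simplified model that is not part of the original post and is not Samba code. The class names, the two-DC setup, the `replicate` step and the fallback to a stored previous password are all assumptions made for illustration.

```python
# Constructed model: a domain member changes its machine account password on
# one domain controller, then talks to another DC before the change replicates.
from dataclasses import dataclass
from typing import Optional


@dataclass
class DomainController:
    name: str
    machine_pw: str  # this DC's copy of the member's machine account password

    def authenticate(self, pw: str) -> bool:
        return pw == self.machine_pw


@dataclass
class Member:
    current: str
    keep_previous: bool = False   # hypothetical: retain and use the old secret
    previous: Optional[str] = None

    def change_trust_pw(self, dc: DomainController, new_pw: str) -> None:
        # The change lands on a single DC; the others learn of it later.
        dc.machine_pw = new_pw
        if self.keep_previous:
            self.previous = self.current
        self.current = new_pw

    def logon(self, dc: DomainController) -> str:
        if dc.authenticate(self.current):
            return "ok"
        if self.previous is not None and dc.authenticate(self.previous):
            return "ok-with-previous"
        return "broken"


def replicate(src: DomainController, dst: DomainController) -> None:
    dst.machine_pw = src.machine_pw


def run_scenario(keep_previous: bool) -> tuple:
    dc1 = DomainController("dc1", "pw-old")
    dc2 = DomainController("dc2", "pw-old")
    member = Member(current="pw-old", keep_previous=keep_previous)
    member.change_trust_pw(dc1, "pw-new")
    before = member.logon(dc2)   # dc2 has not yet received the change
    replicate(dc1, dc2)
    after = member.logon(dc2)
    return before, after
```

In this model each password change opens one window, lasting until replication completes, in which a member holding only the new password cannot authenticate to a DC that has not caught up; changing more often opens more such windows.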