LINUX.IE, website of the Irish Linux Users' Group
:: Mailing Lists

[ILUG] (no subject)

Kenn Humborg kenn at bluetree.ie
Thu Jan 24 13:45:57 GMT 2002


> On Wed, 23 Jan 2002, Dave Airlie wrote:
>
> > If you are running samba and the machine is the same name you can lock out
> > the NT portion of the machine from the W2K I think ...
> >
> > I remember if you had NT4 server and workstation on same machine and you
> > domain a/c one of them the other couldn't have the same name or the domain
> > server locked it out of the domain..
> >
> > Dave.
>
> Out of curiosity:
> would grabbing the win2k/NT machine's sys id from the reg & plonking that
> into samba's machine.sid (or whatever it's called) do anything to get
> around that?
> I know that as a rule you don't dick with this under NT as doing so
> without completely killing the box is somewhat of a black art, but with
> Samba you should have the ability to easily change the machine
> domain account details.
> Just a thought.

It won't work with NT4, (but might with W2K).

Here's why:

1. When you first join an NT4 machine to a domain, the PDC and the
   local machine exchange a secret.  At various points (perhaps
   when the local machine rejoins the domain after reboot, or
   when a domain user logs on, don't know exactly) both machines
   update their copy of this secret according to some algorithm.

2. When the local machine boots and attempts to rejoin the domain,
   some handshaking goes on whereby the PDC makes sure that the
   shared secret held by the client machine matches what the PDC
   has.  If these are the same, then the machine is allowed to
   rejoin the domain.

3. If this doesn't match, then the PDC assumes that the machine
   is an imposter and you get the "trust relationship failed"
   (or some such) error.

You can see this by joining an NT4 box to a domain, saving off
an image of the complete machine, rebooting and logging in a
few times and then restoring the image.  The PDC won't give it
the time of day any more until you set up a new computer account
for it.

Real PITA when you're using imaging to test installations and
stuff on NT4.

Now, for some reason, W2K (on the client) with an NT4 PDC doesn't
seem to have this problem.  I've never had trouble re-joining an
NT4 domain from a W2K Pro box after restoring from an image.

This means that there is some back-door hack that convinces the
PDC to let the machine join even though the shared secret doesn't
match.  So in principle, NT4 could be modified to use this hack
too...  Which kind of blows massive holes through the domain
membership model.

Later,
Kenn
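As an added illustration (not part of the post, and not Samba or Windows code), here is a small Python model of the mechanism Kenn describes in points 1 to 3: PDC and client share a secret that both advance on every successful rejoin, so a client restored from an older image presents a stale secret and is refused until a new computer account is set up. The `rotate` function, the account store and the machine name "NT4BOX" are assumptions standing in for the "some algorithm" the post mentions; the W2K behaviour is not modelled.

```python
import hashlib
import hmac
import os

def rotate(secret: bytes) -> bytes:
    # Assumed stand-in for the post's "some algorithm": both sides derive the
    # next shared secret from the current one in exactly the same way.
    return hmac.new(secret, b"next-machine-secret", hashlib.sha256).digest()

class Pdc:
    def __init__(self):
        self.accounts = {}  # computer account name -> current shared secret

    def create_account(self, name: str) -> bytes:
        # Step 1: joining the domain exchanges a fresh secret.
        self.accounts[name] = os.urandom(16)
        return self.accounts[name]

    def rejoin(self, name: str, presented: bytes) -> bool:
        # Steps 2 and 3: accept only if the client's secret matches ours, then rotate.
        current = self.accounts.get(name)
        if current is None or not hmac.compare_digest(current, presented):
            return False  # "trust relationship failed"
        self.accounts[name] = rotate(current)
        return True

class Client:
    def __init__(self, name: str):
        self.name, self.secret = name, b""

    def join(self, pdc: Pdc) -> None:
        self.secret = pdc.create_account(self.name)

    def rejoin(self, pdc: Pdc) -> bool:
        ok = pdc.rejoin(self.name, self.secret)
        if ok:  # both sides advance in lockstep
            self.secret = rotate(self.secret)
        return ok

def imaging_scenario(rejoins_before_restore: int = 3):
    pdc, client = Pdc(), Client("NT4BOX")  # constructed sample machine name
    client.join(pdc)
    image = client.secret  # "save off an image"
    before = all(client.rejoin(pdc) for _ in range(rejoins_before_restore))
    client.secret = image  # restore the image: the PDC has moved on since
    after_restore = client.rejoin(pdc)  # stale secret, so the PDC refuses
    client.join(pdc)  # recovery: set up a new computer account
    return before, after_restore, client.rejoin(pdc)
```

Restoring the image before any rejoin has happened (`imaging_scenario(0)`) still works, because neither side has rotated yet; the failure only appears once the PDC has advanced past the imaged secret.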