[ILUG] (no subject)
kenn at bluetree.ie
Thu Jan 24 13:45:57 GMT 2002
> On Wed, 23 Jan 2002, Dave Airlie wrote:
> > If you are running samba and the machine is the same name you
> > can lock out
> > the NT portion of the machine from the W2K I think ...
> > I remember if you had NT4 server and workstation on same machine and you
> > domain a/c one of them the other couldn't have the same name or
> > the domain
> > server locked it out of the domain..
> > Dave.
> out of curiosity.
> would grabbing the win2k/NT machines sys id from the reg & plonking that
> into samba's machine.sid (or whatever it's called) do anything to get
> around that?
> I know that as a rule you don't dick with this under NT as doing so
> without completely killing the box is somewhat of a black art, but with
> Samba you should have the ability to easily change the machine
> domain account details.
> just a thought
It won't work with NT4 (but might with W2K).
1. When you first join an NT4 machine to a domain, the PDC and the
local machine exchange a secret. At various points (perhaps
when the local machine rejoins the domain after reboot, or
when a domain user logs on, don't know exactly) both machines
update their copy of this secret according to some algorithm.
2. When the local machine boots and attempts to rejoin the domain,
some handshaking goes on whereby the PDC makes sure that the
shared secret held by the client machine matches what the PDC
has. If these are the same, then the machine is allowed to
rejoin the domain.
3. If this doesn't match, then the PDC assumes that the machine
is an imposter and you get the "trust relationship failed"
(or some such) error.
You can see this by joining an NT4 box to a domain, saving off
an image of the complete machine, rebooting and logging in a
few times and then restoring the image. The PDC won't give it
the time of day any more until you set up a new computer account.
Real PITA when you're using imaging to test installations and
stuff on NT4.
Now, for some reason, W2K (on the client) with an NT4 PDC doesn't
seem to have this problem. I've never had trouble re-joining an
NT4 domain from a W2K Pro box after restoring from an image.
This means that there is some back-door hack that convinces the
PDC to let the machine join even though the shared secret doesn't
match. So in principle, NT4 could be modified to use this hack
too... Which kind of blows massive holes through the domain