Mailing Lists: Apple Mailing Lists


Re: Windows Password Change errors - also "machine accounts"



james g. wrote:
See below, my previous post on the same issue...
--

Additionally, changing passwords (whether via a three finger salute, or requiring users at login) seems to fail. However, while the Windows machine will report that the password change failed, attempts to log in using the old password will now fail, as the password was actually changed.

This seems to be related to some recent patches from Microsoft, and the Samba team is aware of them, as there has been discussion on their mailing lists about the problem. The solution seems to be to upgrade to Samba 3.0.4, as the version shipping with Panther is 3.0.2.


On Jul 29, 2004, at 8:30 AM, Chad Morris wrote:

When I am logged into my PDC and try to change passwords from a
Windows machine I get the following error.

Unable to change the password on this account due to the following
error

1728: Remote Procedure Call (RPC) protocol error.

As James notes, the error reported for users changing their password
is a known problem due to Windows patch KB828741 which was fixed by the
Samba team in their 3.0.4 patch release. However the 10.3.4 Samba is
still 3.0.2 and thus has the problem. James also suggests upgrading
to Samba 3.0.4, but I wonder how easy that is given that Apple has
customized parts of Samba. I guess it might work easily if things like
Apple's authentication interface are only done via Samba's interfaces
for extension. If someone has done this upgrade, I'd love to know the
details, because .....

I've found another password change issue. This time it's for the
"machine account" which each Windows client machine creates on the PDC
when it joins the domain. The reason for this account is that Windows
does not really recognize a machine as anything other than a vessel for
holding resources. All authentication is done on the basis of a "user"
so the machine creates an account for itself by suffixing $ to its NetBIOS
name. For example, a machine named FRED would have a "machine account"
named FRED$. This is normally not shown on a Windows PDC, but you can
see it in the Workgroup Manager's list of Windows Computers. And since
each account has a password, there's a need to have the "machine
account" password. These passwords are created when the machine joins
the domain and then are periodically updated.

What's happening on 10.3.4 is that the updating of machine account passwords
is also failing. You can see it on the Windows client in the System event
as a NETLOGON error recorded with event ID 3224:
Changing machine account password for account .....$ failed with the following error:
The stub received bad data.
0000: 0c 00 03 c0
These error codes are the same on both Win2K and WinXP.

This error is not due to KB828741. I took a Win2K machine and removed the patch.
After that user accounts could change passwords without getting the spurious
1728 error, but the machine account change still fails. (BTW you should keep
KB828741 on as it's there to plug a bad Windows RPC hole.)

And now for the bad news...each of the Windows client machines in the domain is
retrying the password change every two hours... so once you have dozens of machines
in the domain, the PDC is going to be going through this dance constantly once
the clients get past their first week or so in the domain and believe that they
must now change their password. You can see this chatter in the Xserve's system
logs.

I only have 50-100 machines in the domain and so I can tolerate it for now,
but the Password Server is not a cheap service so it's not clear what would
happen in a larger domain.

However, please don't take the above as bashing Apple's PDC implementation.
I see these errors as incidental growing pains. Right now, the Xserve PDC is
the only way I can have a common user database amongst Linux, Mac, and Windows
without having to put a Windows AD in charge of everything.
_______________________________________________
macos-x-server mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/macos-x-server
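
For triaging the event ID 3224 failures described in the message above, the following is an added example (not part of the original post, and not Apple's or Samba's code). It decodes the event's data bytes as a little-endian NTSTATUS value and groups failures per machine account to show which clients are stuck in the two-hour retry cycle. The pipe-delimited export format, the sample records, the function names and the 10-minute slack are assumptions made for illustration.

```python
import struct
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp|event ID|account|event data bytes
SAMPLE = """\
2004-08-02 08:05:11|3224|FRED$|0c 00 03 c0
2004-08-02 10:05:13|3224|FRED$|0c 00 03 c0
2004-08-02 12:05:12|3224|FRED$|0c 00 03 c0
2004-08-02 09:40:02|3224|WILMA$|0c 00 03 c0
2004-08-02 11:40:05|3224|WILMA$|0c 00 03 c0
2004-08-02 09:00:00|7036|-|
"""

def decode_ntstatus(hex_bytes):
    """The event data is a little-endian DWORD; split it into NTSTATUS fields."""
    value = struct.unpack("<I", bytes.fromhex(hex_bytes.replace(" ", "")))[0]
    return {"value": value,
            "severity": value >> 30,            # 3 = error
            "facility": (value >> 16) & 0xFFF,  # 3 = RPC stubs
            "code": value & 0xFFFF}

def retry_report(text, event_id=3224, expected=timedelta(hours=2),
                 slack=timedelta(minutes=10)):
    """Group failures by machine account and flag accounts retrying on schedule."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parts = line.split("|")
        # Keep only the NETLOGON failure events logged for machine accounts (NAME$).
        if len(parts) != 4 or parts[1] != str(event_id) or not parts[2].endswith("$"):
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        seen[parts[2]].append((ts, decode_ntstatus(parts[3])["value"]))
    report = {}
    for account, events in seen.items():
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        looping = bool(gaps) and all(abs(g - expected) <= slack for g in gaps)
        report[account] = {"failures": len(events),
                           "status": {hex(s) for _, s in events},
                           "retry_loop": looping}
    return report

if __name__ == "__main__":
    for account, info in sorted(retry_report(SAMPLE).items()):
        print(account, info)
```

The bytes `0c 00 03 c0` decode to 0xC003000C, the status code behind the "stub received bad data" text in the event.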