MS Windows Workstation/Server Machine Trust Accounts
A Machine Trust Account is an account that is used to authenticate a client machine (rather than a user) to
the domain controller server. In Windows terminology, this is known as a “computer account.” The
purpose of the machine trust account is to prevent a rogue user and domain controller from colluding to gain
access to a domain member workstation.
The password of a Machine Trust Account acts as the shared secret for secure communication with the domain
controller. This is a security feature to prevent an unauthorized machine with the same NetBIOS name from
joining the domain, participating in domain security operations, and gaining access to domain user/group
accounts. Windows NT/200x/XP Professional clients use machine trust accounts, but Windows 9x/Me/XP Home
clients do not. Hence, a Windows 9x/Me/XP Home client is never a true member of a domain because it does not
possess a Machine Trust Account, and, thus, has no shared secret with the domain controller.
A Windows NT4 PDC stores each Machine Trust Account in the Windows Registry. The introduction of MS Windows
2000 saw the introduction of Active Directory, the new repository for Machine Trust Accounts. A Samba PDC,
however, stores each Machine Trust Account in two parts, as follows:

- A domain security account (stored in the passdb backend) that has been configured in the smb.conf file.
  The precise nature of the account information that is stored depends on the type of backend database that
  has been chosen.

  The older format of this data is the smbpasswd file, which contains the UNIX login ID, the UNIX user
  identifier (UID), and the LanMan and NT-encrypted passwords. There is also some other information in this
  file that we do not need to concern ourselves with here.

  The two newer database types are called ldapsam and tdbsam. Both store considerably more data than the
  older smbpasswd file did. The extra information enables new user account controls to be implemented.

- A corresponding UNIX account, typically stored in /etc/passwd. Work is in progress to allow a simplified
  mode of operation that does not require UNIX user accounts, but this has not been a feature of the early
  releases of Samba-3, and is not currently planned for release either.
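The two-part storage described above means the Samba record and the UNIX record of a trust account can drift apart. The following is an added example, not part of the Samba documentation: a small Python check that parses constructed smbpasswd and /etc/passwd lines and reports machine accounts whose two halves disagree. It assumes Samba's smbpasswd conventions of a trailing `$` on machine account names and a `W` (workstation trust) flag, which this text does not spell out.

```python
# Added example: audit the two halves of a Samba machine trust account.
# All sample data below is constructed for illustration, not taken from a real system.
# smbpasswd half. Format: name:uid:LM-hash:NT-hash:[flags]:LCT-<hex>:  ('W' flag = workstation trust account)
SMBPASSWD = """\
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-4F3A2B1C:
ws01$:1101:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:[W          ]:LCT-4F3A2B1D:
ws02$:1102:AAD3B435B51404EEAAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:[W          ]:LCT-4F3A2B1E:
ws03$:1103:AAD3B435B51404EEAAD3B435B51404EE:FFEEDDCCBBAA99887766554433221100:[U          ]:LCT-4F3A2B1F:
"""
# /etc/passwd half. Machine accounts conventionally carry a '$' suffix and a non-login shell.
PASSWD = """\
alice:x:1001:100::/home/alice:/bin/bash
ws01$:x:1101:200:Workstation 01:/var/lib/nobody:/bin/false
ws02$:x:2102:200:Workstation 02:/var/lib/nobody:/bin/false
"""

def parse_smbpasswd(text):
    """Map account name -> {'uid', 'flags'} from smbpasswd-format lines."""
    accounts = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, uid, _lm, _nt, flags, *_rest = line.split(":")
            accounts[name] = {"uid": int(uid), "flags": set(flags.strip("[]").replace(" ", ""))}
    return accounts

def parse_passwd(text):
    """Map account name -> {'uid', 'shell'} from /etc/passwd-format lines."""
    users = {}
    for line in text.splitlines():
        if line:
            name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
            users[name] = {"uid": int(uid), "shell": shell}
    return users

def audit_machine_accounts(smb, unix):
    """Return (name, problem) pairs where the Samba and UNIX halves of a trust account disagree."""
    problems = []
    for name, acct in smb.items():
        machine_name, trust_flag = name.endswith("$"), "W" in acct["flags"]
        if not (machine_name or trust_flag):
            continue  # ordinary user account, not a machine trust account
        if machine_name != trust_flag:
            problems.append((name, "'$' suffix and [W] trust flag disagree"))
        unix_acct = unix.get(name)
        if unix_acct is None:
            problems.append((name, "no corresponding UNIX account in passwd"))
        elif unix_acct["uid"] != acct["uid"]:
            problems.append((name, f"UID mismatch: smbpasswd {acct['uid']} vs passwd {unix_acct['uid']}"))
    return problems
```

On the constructed data, ws01$ is consistent, ws02$ has mismatched UIDs, and ws03$ is named like a machine but flagged as a user and has no UNIX half at all.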
There are three ways to create Machine Trust Accounts:

1. Manual creation from the UNIX/Linux command line. Here, both the Samba and corresponding UNIX account
   are created by hand.

2. Using the MS Windows NT4 Server Manager, either from an NT4 domain member server or using the Nexus
   toolkit available from the Microsoft Web site. This tool can be run from any MS Windows machine as long
   as the user is logged on as the administrator account.

3. "On-the-fly" creation. The Samba Machine Trust Account is automatically created by Samba at the time the
   client is joined to the domain. (For security, this is the recommended method.) The corresponding UNIX
   account may be created automatically or manually.

Neither MS Windows NT4/200x/XP Professional nor Samba provides any method for enforcing the method of machine
trust account creation. This is a matter of the administrator's choice.