Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Mail Systems
Eclipse Documentation

How To Guides
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Problem Solutions
Privacy Policy




Samba HowTo Guide
Prev Home Next

MS Windows Workstation/Server Machine Trust Accounts

A Machine Trust Account is an account that is used to authenticate a client machine (rather than a user) to the domain controller server. In Windows terminology, this is known as a “computer account.” The purpose of the machine trust account is to prevent a rogue user and domain controller from colluding to gain access to a domain member workstation.

The password of a Machine Trust Account acts as the shared secret for secure communication with the domain controller. This is a security feature to prevent an unauthorized machine with the same NetBIOS name from joining the domain, participating in domain security operations, and gaining access to domain user/group accounts. Windows NT/200x/XP Professional clients use machine trust accounts, but Windows 9x/Me/XP Home clients do not. Hence, a Windows 9x/Me/XP Home client is never a true member of a domain because it does not possess a Machine Trust Account, and, thus, has no shared secret with the domain controller.

A Windows NT4 PDC stores each Machine Trust Account in the Windows Registry. The introduction of MS Windows 2000 saw the introduction of Active Directory, the new repository for Machine Trust Accounts. A Samba PDC, however, stores each Machine Trust Account in two parts, as follows:

  • A domain security account (stored in the passdb backend) that has been configured in the smb.conf file. The precise nature of the account information that is stored depends on the type of backend database that has been chosen.

    The older format of this data is the smbpasswd database that contains the UNIX login ID, the UNIX user identifier (UID), and the LanMan and NT-encrypted passwords. There is also some other information in this file that we do not need to concern ourselves with here.

    The two newer database types are called ldapsam and tdbsam. Both store considerably more data than the older smbpasswd file did. The extra information enables new user account controls to be implemented.

  • A corresponding UNIX account, typically stored in /etc/passwd. Work is in progress to allow a simplified mode of operation that does not require UNIX user accounts, but this has not been a feature of the early releases of Samba-3, and is not currently planned for release either.

There are three ways to create Machine Trust Accounts:

  • Manual creation from the UNIX/Linux command line. Here, both the Samba and corresponding UNIX account are created by hand.

  • Using the MS Windows NT4 Server Manager, either from an NT4 domain member server or using the Nexus toolkit available from the Microsoft Web site. This tool can be run from any MS Windows machine as long as the user is logged on as the administrator account.

  • On-the-fly” creation. The Samba Machine Trust Account is automatically created by Samba at the time the client is joined to the domain. (For security, this is the recommended method.) The corresponding UNIX account may be created automatically or manually.

Neither MS Windows NT4/200x/XP Professional, nor Samba, provide any method for enforcing the method of machine trust account creation. This is a matter of the administrator's choice.

Samba HowTo Guide
Prev Home Next

  Published under the terms fo the GNU General Public License Design by Interspire