[Samba] Workstation SID Variability in Samba-Controlled Domains
Michael Heydon
michaelh at jaswin.com.au
Thu Mar 8 23:50:54 GMT 2007
Hi Vincent,
> Does SAMBA regularly re-negotiate SID identity with member workstations? If
> so, can this feature be disabled?
>
I do not believe any server will change the SIDs; however, NT clients on a
domain will change their machine account password. This is a function of
the clients, not the server.
> It is then necessary to re-do the tedious domain re-join procedure, which defeats the whole purpose.
>
It is possible to reset the machine account password without rejoining
the domain (I don't remember how off the top of my head; try googling
"reset machine account password").
Having said that, I guess you probably want a solution rather than a
workaround. You could try disallowing the account password change rights
(sambaPwdCanChange in LDAP). This would mean that only the server needs
to change; however, it may well cause problems when the password is more
than 30 days old: the clients may refuse to connect if the password isn't
reset.
If you don't like the sound of that, have a look in the local security
policy of the clients: under Local Policies, Security Options there are
a few options regarding machine account passwords. This is probably the
safer (and correct) way of doing things.
-- Michael Heydon