newbie Q: why need to readd machine to smbpasswd when rejoining domain?

jeremy garber jgarber at eng.utoledo.edu
Wed Jan 3 18:58:20 GMT 2001


> I've noticed that I must delete and then re-add a Win* machine to
> private/smbpasswd any time I leave a given domain and then rejoin it.  I guess
> this has something to do with the regeneration of the SID, but I would like to
> know why this is (and perhaps a way to avoid having to do this).

At least for WinNT 4.0 clients, the client's netlogon service requests
a change of the machine's password entry (from the well-known default
password) upon joining a domain (OK, after a reboot if you use the GUI, or
without a reboot if you use netdom... when the netlogon service starts),
with which Samba complies.
When an NT client attempts to join a domain, it always expects its
well-known password (which no longer exists in smbpasswd after the first time
the machine joins the domain).

To stop this behavior, see
http://support.microsoft.com/support/kb/articles/Q154/5/01.asp
(i.e. change the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
registry entry from 0 to 1)

Note the security warnings/implications.

> 
> I'm using 2.2 from cvs, last synched somewhere in the middle of December.

We are currently testing 2.0.7, but I presume that the functionality would
be the same from Samba's side, since this is what an NT server would do (but
you can disable it from the server side too with NT -- I haven't investigated the
2.2 cvs conf options, but I haven't found a "refuse machine password change"-like
option in 2.0.7).

Corrections to any of the above are welcome.

Jeremy Garber
Computer Engineer
Engineering College Computing
The University of Toledo

jgarber at eng.utoledo.edu

> 
> -- 
> Maciej Kalisiak		mac at dgp.toronto.edu	www.dgp.toronto.edu/~mac
> 
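An added example, not part of the original post or of Samba: a Python audit of an smbpasswd file that lists workstation trust accounts whose last-change time (LCT) is older than a threshold, the pattern a client that never changes its machine password would leave on the server. It assumes the smbpasswd(5) layout `name:uid:LM hash:NT hash:[flags]:LCT-hex:`; the sample entries, the threshold and the function names are constructed for illustration.

```python
import re

# Assumed smbpasswd(5) entry layout:
#   name:uid:LM hash:NT hash:[flags]:LCT-<hex epoch seconds>:
ENTRY = re.compile(
    r"^(?P<name>[^:#]+):(?P<uid>\d+):(?P<lm>[^:]{32}):(?P<nt>[^:]{32}):"
    r"\[(?P<flags>[A-Za-z ]*)\]:LCT-(?P<lct>[0-9A-Fa-f]{8}):"
)


def machine_accounts(text):
    """Yield (name, flags, last_change_epoch) for workstation trust accounts."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # comments, blank lines, old-format or damaged entries
        flags = m["flags"].replace(" ", "")
        # Trust accounts carry the W flag and a name ending in '$'.
        if "W" in flags and m["name"].endswith("$"):
            yield m["name"], flags, int(m["lct"], 16)


def stale_machine_accounts(text, now, max_age_days):
    """Return [(name, age_days)], oldest first, for passwords older than the limit."""
    out = []
    for name, _flags, lct in machine_accounts(text):
        age = (now - lct) // 86400
        if age > max_age_days:
            out.append((name, age))
    return sorted(out, key=lambda item: -item[1])


# Constructed sample data; the hashes are placeholders, not real credentials.
H = "0123456789ABCDEF0123456789ABCDEF"
NOW = 981763200  # 2001-02-10 00:00:00 UTC, constructed reference time
SAMPLE = "\n".join([
    "# constructed smbpasswd sample",
    f"alice:1001:{H}:{H}:[U          ]:LCT-{NOW - 40 * 86400:08X}:",
    f"ws01$:2001:{H}:{H}:[W          ]:LCT-{NOW - 40 * 86400:08X}:",
    f"ws02$:2002:{H}:{H}:[W          ]:LCT-{NOW - 2 * 86400:08X}:",
    "ws03$:2003:truncated entry",
])

if __name__ == "__main__":
    for name, age in stale_machine_accounts(SAMPLE, NOW, max_age_days=30):
        print(f"{name}: machine password unchanged for {age} days")
```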





More information about the samba-ntdom mailing list