newbie Q: why need to readd machine to smbpasswd when rejoining domain?

Hazen Valliant-Saunders hazen at potentia.ca
Wed Jan 3 20:34:27 GMT 2001


Hello
	I've had to do the same a few times (and my clients are NT4 SP5 w/security)
as newbie Q, delete and re-add (that's how I also got the w2k clients on as
well). Just mentioning it.

-----Original Message-----
From: samba-ntdom-admin at us5.samba.org
[mailto:samba-ntdom-admin at us5.samba.org]On Behalf Of jeremy garber
Sent: Wednesday, January 03, 2001 1:58 PM
To: samba-ntdom at samba.org; mac at dgp.toronto.edu
Subject: Re: newbie Q: why need to readd machine to smbpasswd when
rejoining domain?


> I've noticed that I must delete and then re-add a Win* machine to
> private/smbpasswd any time I leave a given domain and then rejoin it.  I guess
> this has something to do with the regeneration of the SID, but I would like to
> know why this is (and perhaps a way to avoid having to do this).

At least for WinNT 4.0 clients, the clients' netlogon service requests
a change of the machine's password entry (from the well known default
password) upon joining a domain (ok, after a reboot if you use the gui or
without a reboot if you use netdom... when the netlogon service starts)
with which samba complies.
When an NT client attempts to join a domain, it always expects its well
known password (which no longer exists in smbpasswd after the first time
the machine joins the domain).

To stop this behavior, see
http://support.microsoft.com/support/kb/articles/Q154/5/01.asp
(i.e. change the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
registry entry from 0 to 1)

Note the security warnings/implications.

>
> I'm using 2.2 from cvs, last synched somewhere in the middle of December.

We are currently testing 2.0.7, but I presume that the functionality would
be the same from samba's side since this is what an NT server would do (but
you can disable from the server side too with NT -- I haven't investigated
the 2.2 cvs conf options, but I haven't found a "refuse machine password
change" like option in 2.0.7).

Corrections to any of the above are welcome.

Jeremy Garber
Computer Engineer
Engineering College Computing
The University of Toledo

jgarber at eng.utoledo.edu

>
> --
> Maciej Kalisiak		mac at dgp.toronto.edu	www.dgp.toronto.edu/~mac
>
