Machine password timeout with security=ADS?

Henning Kristensen henning.kristensen at
Tue Apr 12 12:41:46 GMT 2005

Hello Everybody, 

In our organisation we're purging (disabling) all machine accounts in
the Win2003-based AD that are inactive. Inactivity is defined as "a
machine that doesn't change its password in 120 days".

There's a "machine password timeout"-parameter in smb.conf and it
works splendid when we're running security=domain (no machine accounts
gets disabled). But we're configuring our new Samba's to run
security=ADS (to be able to use existing Windows groups for

And when we're running security=ADS, then our Samba servers gets
marked at inactive and disabled in the AD.

I tried to dig into the code and found a snippet in the latest Samba 
source (3.0.13):

smbd/process.c: (line 1402-1405)

  if(global_machine_password_nee­ds_changing && 
    /* for ADS we need to do a regular ADS password change, not a 
       password change */ 
      lp_security() == SEC_DOMAIN) { 

The comment on this snippet (and the code following it) seems to
indicate that nothing is done when running ADS.

Is this a known omission that is being worked on? Something worthy of
a bug report?

Kind regards / Henning Kristensen

More information about the samba-technical mailing list