Samba refusing connection after machine account password change

Andrew Bartlett abartlet at
Fri Apr 1 01:23:05 MDT 2011

On Sat, 2011-03-26 at 14:57 +0000, Sam Liddicott wrote:
> I have noticed that using samba4 client on a Windows 2003 domain, if I 
> sneakily change the samba machine account on the domain controller using:
> net user machine$ new-password /domain
> that ldbsearch -U machine -P `mymachinepw` to the domain controller will 
> work (using the old password), but kinit will fail right away.
> I mention it here because some of the same concepts seem to be involved 
> and it may help.
> Sam
I think this is due to a 'feature' of Windows that allows the previous
password to be used over NTLM for a time, simulating the behaviour that
Kerberos ticket caches have.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.