[Samba] Disabling Machine Account password change

Florian Thiel thiel at medienzentrum-kassel.de
Thu Mar 11 08:52:35 GMT 2004


Matthieu Le Corre wrote:
> On Wednesday 10 March 2004 16:39, Florian Thiel wrote:
> > Hello!
> 
> Hello ... 
> I think I have the same problem ....

[...]

> > This seems to be a problem with Win2K changing machine account passwords
> > every 30 days (according to MSDN). The server saves the password, the
> > client resets it and domain logon is impossible ever after.
> 
> Can you give me the URL reference where you saw it? I'm interested in the
> subject!

Here it is:
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;175468
It also proposes a bunch of solutions.

> > Now I want to disable this password changing. It is possible with a
> > Windows PDC using group policy (at least that's what Windows Admins told
> > me). I found for Samba it's hardcoded in the sources. Would it be
> > possible to make that an option for smb.conf? I'm not a C programming
> > professional so I'm afraid of hacking the Samba source (especially with no
> > similar examples in the sources).
> >
> > Is there someone working on that kind of thing or are there any
> > implications I do not know about?
> 
> Can you give me the location in the source where you saw that?

For samba-2.2.3a (the Debian package) it is in
source/rpc_server/srv_reg_net.c

The string is in line 140 (RefusePasswordChange). This is the name of
the registry entry that (according to the MSDN article) has to be set on
the PDC in order to disable password changing. It seems to me that samba
returns NT_STATUS_NO_SUCH_FILE. It should be configurable to return the
value 1 (don't know in what format).

> Maybe I have two solutions ...
> 1) just back up the old passwd on your Samba server and reinject it every night

hmm, dirty hack!

> 2) a cleaner way to do it :P : use gpedit.msc on your Win2K workstation
> (MMC component), go to "windows parameter" "security setting" "local
> policies" "security options" and enable "prevent system maintenance of
> computer account password" .....
> not sure of the result ... but you can try ;)

We set the registry entry (see MSDN article) locally for a bunch of
machines. The problem is that we're dealing with about 700 machines
spread out in the whole city. We are not able to disable the hard drive
protection remotely, so this would be tedious.

I would really like a clean centralized solution.

HTH,
Florian

-- 
Florian Thiel - Medienzentrum Kassel
Systembetreuung Internet- und Kommunikationstechnik
Kasseler Schulen am Netz - http://www.medienzentrum-kassel.de

