[Samba] Workstation SID Variability in Samba-Controlled Domains

Michael Heydon michaelh at jaswin.com.au
Thu Mar 8 23:50:54 GMT 2007

Hi Vincent,

> Does SAMBA regularly re-negotiate SID identity with member workstations? If
> so, can this feature be disabled?
I do not believe any server will change the SIDs; however, NT clients on a
domain will change their machine account password. This is a function of
the clients, not the server.

> It is then necessary to re-do the tedious domain re-join procedure, which defeats the whole purpose.
It is possible to reset the machine account password without rejoining 
the domain (I don't remember how off the top of my head, try googling
"reset machine account password").

Having said that I guess you probably want a solution rather than a 
workaround. You could try disallowing the account password change rights 
(sambaPwdCanChange in LDAP). This would mean that only the server needs
to change; however, it may well cause problems when the password is more
than 30 days old, the clients may refuse to connect if the password isn't

If you don't like the sounds of that, have a look in the local security
policy of the clients, under Local Policies, Security Options there are 
a few options regarding machine account passwords. This is probably the 
safer (and correct) way of doing things.

-- Michael Heydon

