[Samba] Machine Login

Nelson Vale nelsonduvall at gmail.com
Tue May 5 21:28:21 GMT 2009


Hi all,

In my system, Samba (3.0.34) is configured as a PDC with an LDAP backend and
has some user and machine accounts, and it all works fine. But recently I've
found out that if I remove one machine account from the LDAP server, user
logins into the domain from that machine are still possible, even if the
machine login verification fails:

"...
[2009/05/05 19:34:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: test
[2009/05/05 19:34:47, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [test] -> [test] -> [test]
succeeded
[2009/05/05 19:34:52, 1] smbd/service.c:make_connection_snum(1033)
  vmvista (192.168.100.198) connect to service netlogon initially as user
test (uid=1507, gid=1000) (pid 27646)
[2009/05/05 19:35:00, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
  get_md4pw: Workstation VMVISTA$: no account in domain
[2009/05/05 19:35:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
  _net_auth2: failed to get machine password for account VMVISTA$:
NT_STATUS_ACCESS_DENIED
[2009/05/05 19:35:06, 1] smbd/service.c:close_cnum(1230)
  vmvista (192.168.100.198) closed connection to service netlogon
[2009/05/05 19:36:40, 2] smbd/sesssetup.c:setup_new_vc_session(1214)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2009/05/05 19:36:40, 2] smbd/sesssetup.c:setup_new_vc_session(1214)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2009/05/05 19:36:40, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2009/05/05 19:36:41, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
  get_md4pw: Workstation VMVISTA$: no account in domain
[2009/05/05 19:36:41, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
..."

Is there a way to prevent user logins from machines that have been removed
from the system?


Nelson Vale
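
Added example, not part of the original post and not Samba's own code: a Python script that correlates the two log signatures quoted above, flagging workstations for which get_md4pw reports "no account in domain" and listing the user sessions smbd still accepted from them. It assumes the client name in the connect line is the NetBIOS name of the machine account; the sample input is copied from the log in the post, including its wrapped lines.

```python
import re
from collections import defaultdict

# Lines copied from the log quoted in the post, mail-wrapped continuations included.
SAMPLE_LOG = """\
[2009/05/05 19:34:52, 1] smbd/service.c:make_connection_snum(1033)
  vmvista (192.168.100.198) connect to service netlogon initially as user
test (uid=1507, gid=1000) (pid 27646)
[2009/05/05 19:35:00, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
  get_md4pw: Workstation VMVISTA$: no account in domain
[2009/05/05 19:36:41, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
  get_md4pw: Workstation VMVISTA$: no account in domain
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\] \S+$")
NO_ACCOUNT = re.compile(r"get_md4pw: Workstation (\S+)\$: no account in domain")
CONNECT = re.compile(r"^(\S+) \((\S+)\) connect to service (\S+) initially as user (\S+)")

def parse_records(text):
    """Yield (timestamp, message); non-header lines are folded into the current message."""
    stamp, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            if stamp is not None:
                yield stamp, " ".join(parts)
            stamp, parts = m.group(1), []
        elif stamp is not None and line.strip():
            parts.append(line.strip())
    if stamp is not None:
        yield stamp, " ".join(parts)

def sessions_without_machine_account(text):
    """Map each workstation that failed the machine lookup to the user sessions it opened."""
    missing = defaultdict(int)      # netbios name -> count of failed lookups
    sessions = defaultdict(list)    # netbios name -> (time, user, ip, service)
    for stamp, msg in parse_records(text):
        if m := NO_ACCOUNT.search(msg):
            missing[m.group(1).lower()] += 1
        elif m := CONNECT.match(msg):
            host, ip, service, user = m.groups()
            sessions[host.lower()].append((stamp, user, ip, service))
    return {h: {"failures": n, "sessions": sessions.get(h, [])} for h, n in missing.items()}

if __name__ == "__main__":
    for host, info in sessions_without_machine_account(SAMPLE_LOG).items():
        print(host, info["failures"], info["sessions"])
```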

