[Samba] Automatic change of machine passwords seems to brake trust relationship for Windows 7 clients
Stefan Oberwahrenbrock
oberwahrenbrock at transdata.net
Tue Aug 10 04:45:17 MDT 2010
Hi Peter,
thanks for your detailed instructions for a workaround!
Just to get you right: Your proposals include changes for the win7-
clients _and_ the samba domain itself, correct? If it is possible, I
would like to change only settings within the win7-clients (or server
2008 R2 systems) and not the domain itself, because all other systems
(XP, 2003, 2008) operate quite well for over one year now.
Besides, I also see the "DisablePasswordChange-Option" on Windows server-
systems (2003, 2008, 2008 R2) but I do not see a "RefusePasswordChange-
Option". According to MS knowledgebase (http://support.microsoft.com/?
scid=kb%3Ben-us%3B154501&x=7&y=6) it seems to me, that the
"RefusePasswordChange-Option" was only intended to be used on older
systems (NT4, 2000). Thus, I think it will be ineffective on "modern"
systems.
I would like to here your comments.
Greetings,
Stefan
Peter Rindfuss <rindfuss at wzb.eu> wrote in news:4C600628.2010602 at wzb.eu:
> On 2010-08-09 14:18, Stefan Oberwahrenbrock wrote:
>>
>> We are observing the following phenomenon: After 30 days our Windows
>> 7 clients lose their trust relationship with the samba domain. We
>> think, that the automatic machine password change on these clients
>> fails.
>
> I posted a message about the very same problem on July 15.
>
> I think it does not always happen after 30 days (or whatever the
> change interval is set to), but only occurs when the machine password
> change time has arrived and the computer is on, but not no one is
> logged on (i.e. the login box is shown).
>
> Since we are only starting to deploy Windows 7, we simply turned the
> machine password change off in the registry of our imaged installation
> and the few real installations. We had no more problems afterwards.
>
>
> There are three ways to change the machine password behavior:
>
> Client-Registry:
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> DisablePasswordChange = dword:1
>
> or
>
> Client-Registry:
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> MaximumPasswordAge = dword:1000000
>
> or
>
> Server-Registry (if you have a Windows server)
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> RefusePasswordChange = dword:1
>
> With Samba + OpenLDAP, set
> sambaRefuseMachinePwdChange = 1
> in the sambaDomainName=.... entry.
>
> Peter
More information about the samba
mailing list