[Samba] Automatic change of machine passwords seems to brake trust relationship for Windows 7 clients

Stefan Oberwahrenbrock oberwahrenbrock at transdata.net
Tue Aug 10 04:45:17 MDT 2010

Hi Peter,

thanks for your detailed instructions for a workaround!

Just to get you right: Your proposals include changes for the win7-
clients _and_ the samba domain itself, correct? If it is possible, I 
would like to change only settings within the win7-clients (or server 
2008 R2 systems) and not the domain itself, because all other systems 
(XP, 2003, 2008) operate quite well for over one year now.

Besides, I also see the "DisablePasswordChange-Option" on Windows server-
systems (2003, 2008, 2008 R2) but I do not see a "RefusePasswordChange-
Option". According to MS knowledgebase (http://support.microsoft.com/?
scid=kb%3Ben-us%3B154501&x=7&y=6) it seems to me, that the 
"RefusePasswordChange-Option" was only intended to be used on older 
systems (NT4, 2000). Thus, I think it will be ineffective on "modern" 

I would like to here your comments.


Peter Rindfuss <rindfuss at wzb.eu> wrote in news:4C600628.2010602 at wzb.eu:

> On 2010-08-09 14:18, Stefan Oberwahrenbrock wrote:
>> We are observing the following phenomenon: After 30 days our Windows
>> 7 clients lose their trust relationship with the samba domain. We
>> think, that the automatic machine password change on these clients
>> fails. 
> I posted a message about the very same problem on July 15.
> I think it does not always happen after 30 days (or whatever the
> change interval is set to), but only occurs when the machine password
> change time has arrived and the computer is on, but not no one is
> logged on (i.e. the login box is shown).
> Since we are only starting to deploy Windows 7, we simply turned the 
> machine password change off in the registry of our imaged installation
> and the few real installations. We had no more problems afterwards.
> There are three ways to change the machine password behavior:
> Client-Registry:
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> DisablePasswordChange = dword:1
> or
> Client-Registry:
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> MaximumPasswordAge = dword:1000000
> or
> Server-Registry (if you have a Windows server)
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> RefusePasswordChange = dword:1
> With Samba + OpenLDAP, set
> sambaRefuseMachinePwdChange = 1
> in the sambaDomainName=.... entry.
> Peter

More information about the samba mailing list