[Samba] Windows 7 machine trust accounts expiring

Peter Rindfuss rindfuss at wzb.eu
Mon Oct 4 09:12:20 MDT 2010

On 2010-10-04 16:23, John Drescher wrote:
> On Thu, Jul 15, 2010 at 11:52 AM, Peter Rindfuss<rindfuss at wzb.eu>  wrote:
>> There was an earlier thread about failing trust relationships between
>> Windows 7 and Samba. Since we occasionally experience the same problem with
>> Win 7 clients against a Samba 3.5.4 server, I investigated this a bit
>> further.
>> I think it happens when
>> - the time to change the machine password has arrived
>> - the Win 7 machine is up, but no one is logged on (login box is shown on
>> the screen).
>> To reproduce this, I reduced the machine password change interval to one day
>> on a test computer, then let the login prompt sit there for a day or so -
>> and indeed I could not log in anymore because of a trust relationship
>> failure. I will try this a couple more times.
>> I hope this helps to find a remedy.
> Did you ever solve this issue? How did you change the "machine
> password change interval"?
> I just had a single windows 7 box fail trust relationship and I saw
> that the last modify time in ldap for that account was August 30,
> 2010.
> John

Our solution: We disabled the machine password change on all win7 
clients by setting
  DisablePasswordChange = dword:1
We never had a single issue after that.

The "machine password change interval" can be set in the client's 
registry with
  MaximumPasswordAge = dword:n, n being a number of days.
Default is 30.

Instead "DisablePasswordChange = 1" we might have tried
"MaximumPasswordAge = 1000000", a million days.

Finally, we might have tried against an MS server
  RefusePasswordChange = dword:1
Note that this is a server setting, not a client setting.
In Samba, it should translate to "sambaRefuseMachinePwdChange = 1" in LDAP.


More information about the samba mailing list