[Samba] Windows 7 machine trust accounts expiring
Peter Rindfuss
rindfuss at wzb.eu
Mon Oct 4 09:12:20 MDT 2010
On 2010-10-04 16:23, John Drescher wrote:
> On Thu, Jul 15, 2010 at 11:52 AM, Peter Rindfuss<rindfuss at wzb.eu> wrote:
>> There was an earlier thread about failing trust relationships between
>> Windows 7 and Samba. Since we occasionally experience the same problem with
>> Win 7 clients against a Samba 3.5.4 server, I investigated this a bit
>> further.
>>
>> I think it happens when
>> - the time to change the machine password has arrived
>> - the Win 7 machine is up, but no one is logged on (login box is shown on
>> the screen).
>>
>> To reproduce this, I reduced the machine password change interval to one day
>> on a test computer, then let the login prompt sit there for a day or so -
>> and indeed I could not log in anymore because of a trust relationship
>> failure. I will try this a couple more times.
>>
>> I hope this helps to find a remedy.
>>
>
> Did you ever solve this issue? How did you change the "machine
> password change interval"?
>
> I just had a single windows 7 box fail trust relationship and I saw
> that the last modify time in ldap for that account was August 30,
> 2010.
>
> John
Our solution: We disabled the machine password change on all win7
clients by setting
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
DisablePasswordChange = dword:1
We never had a single issue after that.
The "machine password change interval" can be set in the client's
registry with
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
MaximumPasswordAge = dword:n, n being a number of days.
Default is 30.
Instead "DisablePasswordChange = 1" we might have tried
"MaximumPasswordAge = 1000000", a million days.
Finally, we might have tried against an MS server
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
RefusePasswordChange = dword:1
Note that this is a server setting, not a client setting.
In Samba, it should translate to "sambaRefuseMachinePwdChange = 1" in LDAP.
Peter
More information about the samba
mailing list