[Samba] disabling a computer account in Samba AD has no effect (different behavior than with Windows Server): is it a bug or is it by design?

Chentao Credungtao chentaocredungtao at yahoo.com
Sun Feb 28 21:01:06 UTC 2021


Tests done with Samba 4.13.4

Steps to reproduce:

Expected behavior (tests done with a Windows 2012 AD/DC):

1. Join a new computer to the domain

2. After rebooting the computer, before login, disable the computer 
account in ADUC (Active Directory Users And Computers)

3. Try to log in with a domain user.
     As expected, the user cannot log in (message "The security database 
on the server does not have a computer account for this workstation 
trust relationship")

Now do the same tests with a Samba DC

Steps 1 and 2 are identical.

At step 3, any domain user can log in to the computer, even though the
computer account has been disabled.
Note: it has nothing to do with the logon cache, it's a brand new
computer freshly joined to the domain, so the logon cache is empty.

So, it appears that disabling a computer account in a Samba AD/DC has
absolutely no effect. Is this a bug, or is it by design? And if it's by
design, why?

