[Samba] disabling a computer account in Samba AD has no effect (different behavior than with Windows Server) : is it a bug or is it by design ?
chentaocredungtao at yahoo.com
Sun Feb 28 21:01:06 UTC 2021
Tests done with Samba 4.13.4

Steps to reproduce:

Expected behavior (tests done with a Windows 2012 AD/DC):
1. Join a new computer to the domain
2. After rebooting the computer, before login, disable the computer
account in ADUC (Active Directory Users And Computers)
3. Try to log in with a domain user.
As expected, the user cannot log in (message "The security database
on the server does not have a computer account for this workstation

Now do the same tests with a Samba DC:
Steps 1. and 2. are identical.
At step 3., any domain user can log in to the computer, even though the
computer account has been disabled.

Note: it has nothing to do with the logon cache; it's a brand new
computer freshly joined to the domain, so the logon cache is empty.

So, it appears that disabling a computer account in a Samba AD/DC has
absolutely no effect. Is this a bug, or is it by design? And if it's by
design, why?