Machine password timeout with security=ADS?
Henning Kristensen
henning.kristensen at gmail.com
Tue Apr 12 12:41:46 GMT 2005
Hello Everybody,

In our organisation we're purging (disabling) all machine accounts in
the Win2003-based AD that are inactive. Inactivity is defined as "a
machine that doesn't change its password in 120 days".

There's a "machine password timeout" parameter in smb.conf and it
works splendidly when we're running security=domain (no machine accounts
get disabled). But we're configuring our new Sambas to run
security=ADS (to be able to use existing Windows groups for
authorization).

And when we're running security=ADS, our Samba servers get
marked as inactive and disabled in the AD.

I tried to dig into the code and found a snippet in the latest Samba
source (3.0.13):

smbd/process.c: (line 1402-1405)

    if(global_machine_password_needs_changing &&
            /* for ADS we need to do a regular ADS password change, not a domain
               password change */
            lp_security() == SEC_DOMAIN) {

The comment on this snippet (and the code following it) seems to
indicate that nothing is done when running ADS.

Is this a known omission that is being worked on? Something worthy of
a bug report?

Kind regards / Henning Kristensen
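
For spotting hosts that are drifting toward the 120-day cutoff described in the post before they get disabled, here is an added example (not part of the original message and not Samba code). It assumes the purge job measures inactivity by the AD `pwdLastSet` attribute; the sample export, host names and the 14-day warning window are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PURGE_AFTER_DAYS = 120  # inactivity policy stated in the post
WARN_WINDOW_DAYS = 14   # assumed early-warning margin, not from the post

# Constructed sample export of computer accounts (not real data).
SAMPLE_LDIF = """\
sAMAccountName: SMB01$
pwdLastSet: 127465056000000000

sAMAccountName: SMB02$
pwdLastSet: 127482336000000000

sAMAccountName: SMB03$
pwdLastSet: 127574784000000000

sAMAccountName: NEWBOX$
pwdLastSet: 0
"""

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_accounts(ldif):
    """Yield (sAMAccountName, pwdLastSet) from blank-line separated records."""
    for record in ldif.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        yield attrs["sAMAccountName"], int(attrs.get("pwdLastSet", "0"))

def classify(ldif, now):
    """Map each account name to (status, password age in days or None)."""
    report = {}
    for name, ft in parse_accounts(ldif):
        if ft == 0:  # no usable timestamp, so the age cannot be computed
            report[name] = ("unknown", None)
            continue
        age = (now - filetime_to_datetime(ft)).days
        if age >= PURGE_AFTER_DAYS:
            status = "purge-eligible"
        elif age >= PURGE_AFTER_DAYS - WARN_WINDOW_DAYS:
            status = "at-risk"
        else:
            status = "ok"
        report[name] = (status, age)
    return report

if __name__ == "__main__":
    print(classify(SAMPLE_LDIF, datetime(2005, 4, 12, tzinfo=timezone.utc)))
```

Running such a check on a schedule against the Samba servers' accounts gives time to rotate the machine password by hand while the automatic change is not happening under security=ADS.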