samba-users August 2010 archive

[Samba] Automatic change of machine passwords seems to break trust relationship for Windows 7 clients

From: Stefan Oberwahrenbrock <oberwahrenbrock_at_nospam>
Date: Mon Aug 09 2010 - 12:18:32 GMT
To: samba@lists.samba.org

Hello!

We are observing the following phenomenon: After 30 days our Windows 7
clients lose their trust relationship with the Samba domain. We think that
the automatic machine password change on these clients fails. As a result
of this, the trust relationship is broken and the machine has to be re-
joined. The default value for this password change is 30 days - the value
can be modified with the local group policy (German system:
Computerkonfiguration -> Windows-Einstellungen -> Sicherheitseinstellungen
-> Lokale Richtlinien -> Sicherheitsoptionen -> Domänenmitglied:
Maximalalter von Computerkontenkennwörtern; in English: Computer
Configuration -> Windows Settings -> Security Settings -> Local Policies
-> Security Options -> Domain member: Maximum machine account password
age). It should be possible to raise this value, but that would just be a
workaround and no solution for the cause.

We have many clients running different versions of Windows (XP, 2003, 2008)
which change their machine passwords on a regular basis. They manage to do
this without any registry/GPO tweaks.

Some more details on the involved software components: The Windows 7
clients only have the two registry changes mentioned in the Samba wiki
(http://wiki.samba.org/index.php/Windows7). The initial join and the re-
join always succeed. We are running Sernet Samba 3.5.2-27 on Debian 5.0,
LDAP-based PDC/BDC scenario. When the problem occurs, we are watching log
lines like "_netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client NAME machine account NAME$" - but
messages like these also occur regularly in combination with some
machines which do not have any problems.

Can anybody confirm this behaviour or provide suggestions for a
solution/explanation?

Thanks and greetings,
Stefan Oberwahrenbrock
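
Added example, not part of the original post and not Samba project code: a log triage script that groups the `netlogon_creds_server_check failed` rejections quoted above by machine account, so sporadic rejections can be told apart from ones that recur day after day. The sample log, host names and the `min_days` threshold are constructed assumptions; the header layout follows the usual Samba 3.x two-line log record.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: Samba 3.x style records (header line, then indented
# message). Host names, timestamps and source line numbers are made up.
SAMPLE_LOG = """\
[2010/08/02 08:01:10,  0] rpc_server/srv_netlog_nt.c:0(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client XP-PC01 machine account XP-PC01$
[2010/08/07 07:55:02,  0] rpc_server/srv_netlog_nt.c:0(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WIN7-PC02 machine account WIN7-PC02$
[2010/08/08 07:56:40,  0] rpc_server/srv_netlog_nt.c:0(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WIN7-PC02 machine account WIN7-PC02$
[2010/08/09 07:54:13,  0] rpc_server/srv_netlog_nt.c:0(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WIN7-PC02 machine account WIN7-PC02$
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
REJECT = re.compile(r"netlogon_creds_server_check failed\. Rejecting auth "
                    r"request from client (\S+) machine account (\S+\$)")

def parse_rejections(text):
    """Yield (timestamp, machine_account) for each rejected netlogon auth."""
    stamp = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # header line carries the timestamp for the message that follows
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        elif (m := REJECT.search(line)) and stamp:
            yield stamp, m.group(2).upper()

def summarize(text, min_days=2):
    """Per account: count, first/last rejection, and whether rejections fall
    on at least min_days distinct days (assumed heuristic for 'sustained')."""
    seen = defaultdict(list)
    for stamp, account in parse_rejections(text):
        seen[account].append(stamp)
    report = {}
    for account, stamps in seen.items():
        days = {s.date() for s in stamps}
        report[account] = {"count": len(stamps), "first": min(stamps),
                           "last": max(stamps), "sustained": len(days) >= min_days}
    return report

if __name__ == "__main__":
    for acct, info in sorted(summarize(SAMPLE_LOG).items()):
        print(acct, info["count"], info["last"], "SUSTAINED" if info["sustained"] else "sporadic")
```

Comparing the `first` timestamp of a sustained account with the date that machine joined the domain shows whether the rejections begin around the 30-day password age.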
