samba-users August 2010 archive

Re: [Samba] Automatic change of machine passwords seems to break trust relationship for Windows 7 clients

From: Peter Rindfuss <rindfuss_at_nospam>
Date: Mon Aug 09 2010 - 13:44:08 GMT
To: samba@lists.samba.org

On 2010-08-09 14:18, Stefan Oberwahrenbrock wrote:
>
> We are observing the following phenomenon: After 30 days our Windows 7
> clients lose their trust relationship with the samba domain. We think that
> the automatic machine password change on these clients fails.

I posted a message about the very same problem on July 15.

I think it does not always happen after 30 days (or whatever the change
interval is set to), but only occurs when the machine password change
time has arrived and the computer is on, but no one is logged on
(i.e. the login box is shown).

Since we are only starting to deploy Windows 7, we simply turned the
machine password change off in the registry of our imaged installation
and the few real installations. We had no more problems afterwards.

There are three ways to change the machine password behavior:

Client-Registry:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
DisablePasswordChange = dword:1

or

Client-Registry:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
MaximumPasswordAge = dword:1000000

or

Server-Registry (if you have a Windows server)
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
RefusePasswordChange = dword:1

With Samba + OpenLDAP, set
sambaRefuseMachinePwdChange = 1
in the sambaDomainName=.... entry.

Peter
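
A read-only check for the three registry values listed in the message above, as an added example that is not part of the original post. The function name `Get-MachinePasswordSettings` and the 30-day comparison value (taken from the interval mentioned in the thread) are assumptions.

```powershell
# Added example (not from the original post): report the Netlogon values
# named in the message for the local machine. Read-only; it changes nothing.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Assumption: 30 days is the change interval mentioned in the thread.
$ExpectedMaxAgeDays = 30

function Get-MachinePasswordSettings {
    param([string]$Key = $NetlogonKey)

    $props = Get-ItemProperty -Path $Key -ErrorAction Stop

    foreach ($name in 'DisablePasswordChange', 'MaximumPasswordAge', 'RefusePasswordChange') {
        $value = $props.$name          # $null when the value does not exist

        $finding = 'not set'
        if ($null -ne $value) {
            $finding = switch ($name) {
                'DisablePasswordChange' {
                    if ($value -eq 1) { 'client will not change its machine password' }
                    else { 'client changes its machine password' }
                }
                'MaximumPasswordAge' {
                    if ($value -gt $ExpectedMaxAgeDays) { "interval longer than $ExpectedMaxAgeDays days" }
                    else { 'interval at or below the expected value' }
                }
                'RefusePasswordChange' {
                    if ($value -eq 1) { 'server refuses machine password changes' }
                    else { 'server accepts machine password changes' }
                }
            }
        }

        [pscustomobject]@{ Name = $name; Value = $value; Finding = $finding }
    }
}

Get-MachinePasswordSettings | Format-Table -AutoSize
```

Running it across imaged clients shows which machines have had rotation turned off or stretched, which is worth tracking because a machine account password that never changes stays valid for as long as the account exists.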