samba-users August 2010 archive

Re: [Samba] Automatic change of machine passwords seems to break trust relationship for Windows 7 clients

From: Stefan Oberwahrenbrock <oberwahrenbrock_at_nospam>
Date: Tue Aug 10 2010 - 10:45:17 GMT
To: samba@lists.samba.org

Hi Peter,

thanks for your detailed instructions for a workaround!

Just to get you right: Your proposals include changes for the win7-
clients _and_ the samba domain itself, correct? If it is possible, I
would like to change only settings within the win7-clients (or server
2008 R2 systems) and not the domain itself, because all other systems
(XP, 2003, 2008) operate quite well for over one year now.

Besides, I also see the "DisablePasswordChange-Option" on Windows server-
systems (2003, 2008, 2008 R2) but I do not see a "RefusePasswordChange-
Option". According to MS knowledgebase
(http://support.microsoft.com/?scid=kb%3Ben-us%3B154501&x=7&y=6) it
seems to me that the "RefusePasswordChange-Option" was only intended to
be used on older systems (NT4, 2000). Thus, I think it will be
ineffective on "modern" systems.

I would like to hear your comments.

Greetings,
Stefan

Peter Rindfuss <rindfuss@wzb.eu> wrote in news:4C600628.2010602@wzb.eu:

> On 2010-08-09 14:18, Stefan Oberwahrenbrock wrote:
>>
>> We are observing the following phenomenon: After 30 days our Windows
>> 7 clients lose their trust relationship with the samba domain. We
>> think, that the automatic machine password change on these clients
>> fails.
>
> I posted a message about the very same problem on July 15.
>
> I think it does not always happen after 30 days (or whatever the
> change interval is set to), but only occurs when the machine password
> change time has arrived and the computer is on, but no one is
> logged on (i.e. the login box is shown).
>
> Since we are only starting to deploy Windows 7, we simply turned the
> machine password change off in the registry of our imaged installation
> and the few real installations. We had no more problems afterwards.
>
>
> There are three ways to change the machine password behavior:
>
> Client-Registry:
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> DisablePasswordChange = dword:1
>
> or
>
> Client-Registry:
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> MaximumPasswordAge = dword:1000000
>
> or
>
> Server-Registry (if you have a Windows server)
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> RefusePasswordChange = dword:1
>
> With Samba + OpenLDAP, set
> sambaRefuseMachinePwdChange = 1
> in the sambaDomainName=.... entry.
>
> Peter
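
An added example, not part of the thread: a Python check over an exported .reg file that flags hosts where the Netlogon values listed above have turned machine password rotation off or stretched its interval. The sample export and the 30-day threshold (the interval mentioned in the thread) are assumptions; .reg files store dword values in hexadecimal.

```python
import re

NETLOGON = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
ASSUMED_MAX_AGE_DAYS = 30  # assumption: the 30-day interval mentioned in the thread

# Constructed sample export (not taken from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"DisablePasswordChange"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000000
"MaximumPasswordAge"=dword:1000000
'''

def parse_netlogon(reg_text):
    """Return {lowercased value name: int} for DWORDs under the Netlogon Parameters key."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Registry key names are case-insensitive.
            in_key = line.strip("[]").lower() == NETLOGON.lower()
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})$', line)
        if in_key and m:
            values[m.group(1).lower()] = int(m.group(2), 16)  # dword text is hex
    return values

def audit(reg_text, max_age_days=ASSUMED_MAX_AGE_DAYS):
    """List the settings that weaken machine account password rotation."""
    v = parse_netlogon(reg_text)
    findings = []
    if v.get("disablepasswordchange", 0) == 1:
        findings.append("DisablePasswordChange=1: client never changes its password")
    if v.get("refusepasswordchange", 0) == 1:
        findings.append("RefusePasswordChange=1: server rejects password changes")
    age = v.get("maximumpasswordage")
    if age is not None and age > max_age_days:
        findings.append(f"MaximumPasswordAge={age} days exceeds {max_age_days}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```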
