Automatic change of machine passwords seems to brake trust relationship for Windows 7 clients
in [Samba]
|
Prev: home share issue: //server/homes errs, while //server/<username> works
Next: Question re kerberos and plain password login
From: Stefan Oberwahrenbrock on 10 Aug 2010 06:50 Hi Peter, thanks for your detailed instructions for a workaround! Just to get you right: Your proposals include changes for the win7- clients _and_ the samba domain itself, correct? If it is possible, I would like to change only settings within the win7-clients (or server 2008 R2 systems) and not the domain itself, because all other systems (XP, 2003, 2008) operate quite well for over one year now. Besides, I also see the "DisablePasswordChange-Option" on Windows server- systems (2003, 2008, 2008 R2) but I do not see a "RefusePasswordChange- Option". According to MS knowledgebase (http://support.microsoft.com/? scid=kb%3Ben-us%3B154501&x=7&y=6) it seems to me, that the "RefusePasswordChange-Option" was only intended to be used on older systems (NT4, 2000). Thus, I think it will be ineffective on "modern" systems. I would like to here your comments. Greetings, Stefan Peter Rindfuss <rindfuss(a)wzb.eu> wrote in news:4C600628.2010602(a)wzb.eu: > On 2010-08-09 14:18, Stefan Oberwahrenbrock wrote: >> >> We are observing the following phenomenon: After 30 days our Windows >> 7 clients lose their trust relationship with the samba domain. We >> think, that the automatic machine password change on these clients >> fails. > > I posted a message about the very same problem on July 15. > > I think it does not always happen after 30 days (or whatever the > change interval is set to), but only occurs when the machine password > change time has arrived and the computer is on, but not no one is > logged on (i.e. the login box is shown). > > Since we are only starting to deploy Windows 7, we simply turned the > machine password change off in the registry of our imaged installation > and the few real installations. We had no more problems afterwards. > > > There are three ways to change the machine password behavior: > > Client-Registry: > HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters > DisablePasswordChange = dword:1 > > or > > Client-Registry: > HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters > MaximumPasswordAge = dword:1000000 > > or > > Server-Registry (if you have a Windows server) > HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters > RefusePasswordChange = dword:1 > > With Samba + OpenLDAP, set > sambaRefuseMachinePwdChange = 1 > in the sambaDomainName=.... entry. > > Peter -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba |