Chentao Credungtao
2021-Feb-28 21:01 UTC
[Samba] disabling a computer account in Samba AD has no effect (different behavior than with Windows Server): is it a bug or is it by design?
Hello,

Tests done with Samba 4.13.4

Steps to reproduce:

Expected behavior (tests done with a Windows 2012 AD/DC):

1. Join a new computer to the domain
2. After rebooting the computer, before login, disable the computer account in ADUC (Active Directory Users And Computers)
3. Try to log in with a domain user.
   -> As expected, the user cannot log in (message "The security database on the server does not have a computer account for this workstation trust relationship")

Now do the same tests with a Samba DC:

Steps 1. and 2. identical

At step 3., any domain user can log in to the computer, even though the computer account has been disabled

Note: it has nothing to do with the logon cache, it's a brand new computer freshly joined to the domain, so the logon cache is empty

So, it appears that disabling a computer account in a Samba AD/DC has absolutely no effect.

Is this a bug, or is it by design? And if it's by design, why?

Thanks