Vincent Callanan
2007-Mar-08 11:08 UTC
[Samba] Workstation SID Variability in Samba-Controlled Domains
Hi,

Does SAMBA regularly re-negotiate SID identity with member workstations? If so, can this feature be disabled?

I am given to understand that Microsoft domain controllers "regularly" re-negotiate SID updates with member workstations. There is an understandable security premise for doing this; however, it is a serious problem for installations which deploy workstation "self-restore" functionality using Norton Ghost or such like. After a few weeks, the self-restore will not work because the original workstation SID is no longer current in the server machine database. It is then necessary to re-do the tedious domain re-join procedure, which defeats the whole purpose.

BTW, I am new to SAMBA and extremely pleased thus far!!! Thanks to you guys for excellent work!

Regards,
Vincent Callanan
Michael Heydon
2007-Mar-08 23:52 UTC
[Samba] Workstation SID Variability in Samba-Controlled Domains
Hi Vincent,

> Does SAMBA regularly re-negotiate SID identity with member workstations? If
> so, can this feature be disabled?

I do not believe any server will change the SIDs; however, NT clients on a domain will change their machine account password. This is a function of the clients, not the server.

> It is then necessary to re-do the tedious domain re-join procedure, which
> defeats the whole purpose.

It is possible to reset the machine account password without rejoining the domain (I don't remember how off the top of my head; try googling "reset machine account password"). Having said that, I guess you probably want a solution rather than a workaround.

You could try disallowing the account password change rights (sambaPwdCanChange in LDAP). This would mean that only the server needs to change; however, it may well cause problems when the password is more than 30 days old, as the clients may refuse to connect if the password isn't reset.

If you don't like the sound of that, have a look in the local security policy of the clients. Under Local Policies, Security Options there are a few options regarding machine account passwords. This is probably the safer (and correct) way of doing things.

-- 
Michael Heydon
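The client-side Security Options Michael refers to, as an added example that is not part of the thread: a PowerShell audit of the two "Domain member" machine account password settings on a Windows client. It assumes those settings are the ones backed by the DisablePasswordChange and MaximumPasswordAge values under the Netlogon Parameters key, and that absent values mean the OS defaults (changes enabled, 30-day age).

```powershell
# Added example, not from the original post. Reads the Netlogon registry values
# that back the "Domain member" Security Options discussed in the thread.
# Assumption: DisablePasswordChange (1 = disabled) and MaximumPasswordAge (days)
# under this key reflect the effective local policy on the client.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordPolicy {
    $p = Get-ItemProperty -Path $netlogon -ErrorAction Stop
    # Missing values mean the OS defaults apply: changes enabled, 30-day age.
    $disabled = if ($null -ne $p.DisablePasswordChange) { [int]$p.DisablePasswordChange } else { 0 }
    $maxAge   = if ($null -ne $p.MaximumPasswordAge)    { [int]$p.MaximumPasswordAge }    else { 30 }
    [pscustomobject]@{
        'Domain member: Disable machine account password changes' = [bool]$disabled
        'Domain member: Maximum machine account password age'     = $maxAge
    }
}

# Show the effective policy and flag the combination that breaks image restores:
# with changes enabled on the client, a restored image eventually carries a
# machine password the domain no longer accepts, and the trust fails.
$policy = Get-MachinePasswordPolicy
$policy | Format-List
if (-not $policy.'Domain member: Disable machine account password changes') {
    $age = $policy.'Domain member: Maximum machine account password age'
    Write-Warning ("Machine account password changes are enabled; a restored image " +
        "older than $age days may fail to authenticate to the domain.")
}
```

Change the setting itself through Local Security Policy or Group Policy under the names shown, rather than by editing the registry directly, so the change is recorded as policy and survives policy refresh.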