Hi,

we have a couple of Linux RHEL 5 samba servers in a domain, one as PDC and the other as BDC, and both with LDAP backends. The samba version is 3.0.28-1.

We want to prevent PC clients from changing their machine password using the sambaRefuseMachinePwdChange policy, so we set it to 1 in LDAP. But PC clients can still change their passwords, and we don't see any access to the sambaRefuseMachinePwdChange attribute in the LDAP logs.

Is it not used in this version yet? Must we do something special to use it?

Thanks in advance.

Frank

Frank wrote:
> Hi,
> we have a couple of Linux RHEL 5 samba servers in a domain, one as PDC
> and the other as BDC, and both with LDAP backends
> samba version is 3.0.28-1
> We want pc clients can't change their machine password using
> sambaRefuseMachinePwdChange policy, so we set it to 1 in LDAP
> But pc clients still can change their passwords, and we don't see any
> access to sambaRefuseMachinePwdChange attribute on LDAP logs.
> Is it not used in this version yet? Must we do something special to use it?
>

I saw the same thing in August of 2007:

http://marc.info/?l=samba&m=118772246625319&w=2

Which was never replied to.

Eric Roseme

LiPi -
2009-Mar-26 10:01 UTC
[Samba] sambaRefuseMachinePwdChange policy in samba 3.0.28 (PLEASE ANSWER)
I think that the sambaRefuseMachinePwdChange refers to the Machine Account password instead of Client Machine passwords:

Spanish: http://support.microsoft.com/kb/154501
English: http://support.microsoft.com/?scid=kb%3Ben-us%3B154501&x=6&y=6

The process is approximately like this:

1) A machine account is created (verified it's a machine account because of the appended "$")
2) A password is set on the machine account
3) The domain join is tested doing a netlogon with the newly created account
4) The password is stored in the secret database.

So, the client or user password is not the same as the machine password. I think...

---

2009/3/26 Frank <frank@si.ct.upc.edu>:
> Hi, well, I've been caught.
> Indeed, I'm from the IT services of the Terrassa campus.
> Are you at a computing centre? If you can try it and tell us how it goes,
> you'd be doing us a favour.
> Thanks.
>
> Frank
>
> LiPi - wrote:
>
> > I will try it tomorrow with my ldap.
> >
> > Frank, are you from the UPC? I'm there too, I suppose you'll
> > understand me this way, from the Terrassa campus I see. :p
> >
> > 2009/3/25 Frank <frank@si.ct.upc.edu>:
> >
> > > Thanks for your answer Eric,
> > >
> > > does someone else, those excellent gurus of Samba, can give us an answer?
> > > Thanks.
> > >
> > > Frank
> > >
> > > Eric Roseme wrote:
> > >
> > > > Frank wrote:
> > > >
> > > > > Hi,
> > > > > we have a couple of Linux RHEL 5 samba servers in a domain, one as PDC
> > > > > and the other as BDC, and both with LDAP backends
> > > > > samba version is 3.0.28-1
> > > > > We want pc clients can't change their machine password using
> > > > > sambaRefuseMachinePwdChange policy, so we set it to 1 in LDAP
> > > > > But pc clients still can change their passwords, and we don't see any
> > > > > access to sambaRefuseMachinePwdChange attribute on LDAP logs.
> > > > > Is it not used in this version yet? Must we do something special to use
> > > > > it?
> > > >
> > > > I saw the same thing in August of 2007:
> > > >
> > > > http://marc.info/?l=samba&m=118772246625319&w=2
> > > >
> > > > Which was never replied to.
> > > >
> > > > Eric Roseme