Stefan Oberwahrenbrock
2010-Aug-09 12:18 UTC
[Samba] Automatic change of machine passwords seems to break trust relationship for Windows 7 clients
Hello!

We are observing the following phenomenon: After 30 days our Windows 7 clients lose their trust relationship with the samba domain. We think that the automatic machine password change on these clients fails. As a result of this, the trust relationship is broken and the machine has to be re-joined.

The default value for this password change is 30 days - the value can be modified with the local group policy (German system: Computerkonfiguration -> Windows-Einstellungen -> Sicherheitseinstellungen -> Lokale Richtlinien -> Sicherheitsoptionen -> Domänenmitglied: Maximalalter von Computerkontenkennwörtern). It should be possible to raise this value, but that would just be a workaround and not a solution for the cause. We have many clients running different versions of Windows (XP, 2003, 2008) which change their machine passwords on a regular basis. They manage to do this without any registry/GPO tweaks.

Some more details on the involved software components: The Windows 7 clients only have the two registry changes mentioned in the samba wiki (http://wiki.samba.org/index.php/Windows7). The initial join and the re-join always succeed. We are running Sernet Samba 3.5.2-27 on Debian 5.0, LDAP-based PDC/BDC scenario.

When the problem occurs, we are seeing log lines like "_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client NAME machine account NAME$" - but messages like these also occur regularly in combination with some machines which do not have any problems.

Can anybody confirm this behaviour or provide suggestions for a solution/explanation?

Thanks and greetings,
Stefan Oberwahrenbrock
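A small log-triage script, added here as an illustration and not part of the thread: it parses the netlogon_creds_server_check rejection quoted above and separates machine accounts that are rejected repeatedly over a longer span (candidates for a broken trust relationship) from the one-off rejections that also show up for healthy machines. The single-line log format with a bracketed timestamp, the host names and the thresholds are constructed assumptions, not Samba's exact output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the message quoted in the thread, prefixed with an
# assumed "[YYYY/MM/DD HH:MM:SS]" timestamp on the same line. A real Samba 3
# log puts the timestamp on a separate header line; adjust LINE_RE for that.
SAMPLE_LOG = """\
[2010/08/09 08:01:10] _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-WIN7-01 machine account PC-WIN7-01$
[2010/08/09 08:01:12] _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-WIN7-01 machine account PC-WIN7-01$
[2010/08/09 09:15:44] _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-XP-07 machine account PC-XP-07$
[2010/08/10 07:58:03] _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PC-WIN7-01 machine account PC-WIN7-01$
[2010/08/10 08:00:00] smbd version 3.5.2 started.
"""

LINE_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\].*"
    r"netlogon_creds_server_check failed\..*machine account (\S+)$"
)


def parse_failures(text):
    """Return {machine_account: [datetime, ...]} for every rejected netlogon auth."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[m.group(2)].append(datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"))
    return dict(hits)


def classify(hits, min_failures=3, min_span_hours=12):
    """Flag accounts whose rejections recur over time (likely broken trust),
    as opposed to a single rejection that may be harmless noise."""
    report = {}
    for acct, times in hits.items():
        times = sorted(times)
        span_h = (times[-1] - times[0]).total_seconds() / 3600
        persistent = len(times) >= min_failures and span_h >= min_span_hours
        report[acct] = {"count": len(times), "span_hours": round(span_h, 2),
                        "persistent": persistent}
    return report


if __name__ == "__main__":
    for acct, info in classify(parse_failures(SAMPLE_LOG)).items():
        print(acct, info)
```

Accounts flagged as persistent are the ones worth checking against the client's machine password age before re-joining them.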
Peter Rindfuss
2010-Aug-09 13:44 UTC
[Samba] Automatic change of machine passwords seems to break trust relationship for Windows 7 clients
On 2010-08-09 14:18, Stefan Oberwahrenbrock wrote:
>
> We are observing the following phenomenon: After 30 days our Windows 7
> clients lose their trust relationship with the samba domain. We think that
> the automatic machine password change on these clients fails.

I posted a message about the very same problem on July 15.

I think it does not always happen after 30 days (or whatever the change interval is set to), but only occurs when the machine password change time has arrived and the computer is on, but no one is logged on (i.e. the login box is shown).

Since we are only starting to deploy Windows 7, we simply turned the machine password change off in the registry of our imaged installation and the few real installations. We had no more problems afterwards.

There are three ways to change the machine password behavior:

Client-Registry:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
DisablePasswordChange = dword:1

or

Client-Registry:
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
MaximumPasswordAge = dword:1000000

or

Server-Registry (if you have a Windows server)
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
RefusePasswordChange = dword:1

With Samba + OpenLDAP, set
sambaRefuseMachinePwdChange = 1
in the sambaDomainName=.... entry.

Peter
Stefan Oberwahrenbrock
2010-Aug-10 10:45 UTC
[Samba] Automatic change of machine passwords seems to break trust relationship for Windows 7 clients
Hi Peter,

thanks for your detailed instructions for a workaround!

Just to be sure I understand you correctly: Your proposals include changes for the win7-clients _and_ the samba domain itself, correct?

If it is possible, I would like to change only settings within the win7-clients (or server 2008 R2 systems) and not the domain itself, because all other systems (XP, 2003, 2008) have operated quite well for over one year now.

Besides, I also see the "DisablePasswordChange" option on Windows server-systems (2003, 2008, 2008 R2) but I do not see a "RefusePasswordChange" option. According to the MS knowledgebase (http://support.microsoft.com/?scid=kb%3Ben-us%3B154501&x=7&y=6) it seems to me that the "RefusePasswordChange" option was only intended to be used on older systems (NT4, 2000). Thus, I think it will be ineffective on "modern" systems.

I would like to hear your comments.

Greetings,
Stefan

Peter Rindfuss <rindfuss at wzb.eu> wrote in news:4C600628.2010602 at wzb.eu:

> On 2010-08-09 14:18, Stefan Oberwahrenbrock wrote:
>>
>> We are observing the following phenomenon: After 30 days our Windows
>> 7 clients lose their trust relationship with the samba domain. We
>> think that the automatic machine password change on these clients
>> fails.
>
> I posted a message about the very same problem on July 15.
>
> I think it does not always happen after 30 days (or whatever the
> change interval is set to), but only occurs when the machine password
> change time has arrived and the computer is on, but no one is
> logged on (i.e. the login box is shown).
>
> Since we are only starting to deploy Windows 7, we simply turned the
> machine password change off in the registry of our imaged installation
> and the few real installations. We had no more problems afterwards.
>
> There are three ways to change the machine password behavior:
>
> Client-Registry:
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> DisablePasswordChange = dword:1
>
> or
>
> Client-Registry:
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> MaximumPasswordAge = dword:1000000
>
> or
>
> Server-Registry (if you have a Windows server)
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> RefusePasswordChange = dword:1
>
> With Samba + OpenLDAP, set
> sambaRefuseMachinePwdChange = 1
> in the sambaDomainName=.... entry.
>
> Peter
Jochen Eggemann
2011-Sep-05 06:47 UTC
[Samba] Automatic change of machine passwords seems to break trust relationship for Windows 7 clients
> There are three ways to change the machine password behavior:
>
> Client-Registry:
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> DisablePasswordChange = dword:1
>
> or
>
> Client-Registry:
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> MaximumPasswordAge = dword:1000000
>