Our organisation purges servers that aren't active (that is, does not change their machine password in 120 days). The password-change works fine when running security=domain, but seems not work with security=ADS. I tried to dig into the code and found a snippet in the latest Samba source (3.0.13): smbd/process.c: (line 1402-1405) if(global_machine_password_needs_changing && /* for ADS we need to do a regular ADS password change, not a domain password change */ lp_security() == SEC_DOMAIN) { The comment on this snippet (and the code following it) seems to indicate that nothing is done when running ADS. In a reply on samba-technical dated Apr 14, 2005 4:40 PM, Volker wrote: It's a known problem, yes. It will be addressed during my ongoing work in winbind in Samba trunk, but to make sure that it's not forgotten, better add a bugzilla entry. Kind regards / Henning Kristensen
later