If I set this, Windows domain members still can change passwords; I see this by comparing smbpasswd with yesterday's copy.
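The check the reporter describes, comparing two smbpasswd snapshots, as an added example that is not part of the bug report: a POSIX shell function that diffs only the machine-account entries (names ending in `$`, flag `W`) by their NT hash field, so a password change by a workstation shows up by name. The two sample files are constructed here with placeholder hashes; the file layout (`name:uid:LM_hash:NT_hash:[flags]:LCT-<hex>:`) is the smbpasswd format.

```sh
#!/bin/sh
# Added example (not from the bug report): detect machine accounts whose
# password changed between two smbpasswd snapshots.
# smbpasswd line layout: name:uid:LM_hash:NT_hash:[flags]:LCT-<hex>:
# Machine accounts are the entries whose name ends in '$'.

changed_machine_accounts() {
    # $1 = older smbpasswd copy, $2 = current copy
    # Prints one account name per machine account whose NT hash (field 4) differs.
    awk -F: '
        FNR == NR { if ($1 ~ /[$]$/) old[$1] = $4; next }   # first file: remember old NT hashes
        $1 ~ /[$]$/ && ($1 in old) && old[$1] != $4 { print $1 }
    ' "$1" "$2"
}

# Constructed sample snapshots; hashes are placeholders, not real credentials.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/smbpasswd.old" <<'EOF'
alice:1001:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:11111111111111111111111111111111:[U          ]:LCT-4B000001:
WS01$:1101:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:22222222222222222222222222222222:[W          ]:LCT-4B000001:
WS02$:1102:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:33333333333333333333333333333333:[W          ]:LCT-4B000001:
EOF
    cat > "$dir/smbpasswd.new" <<'EOF'
alice:1001:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:99999999999999999999999999999999:[U          ]:LCT-4B000002:
WS01$:1101:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:22222222222222222222222222222222:[W          ]:LCT-4B000001:
WS02$:1102:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:44444444444444444444444444444444:[W          ]:LCT-4B000002:
EOF
    echo "$dir"
}

# Usage: a user account (alice) changing its password is ignored; only WS02$ is reported.
demo() {
    d=$(make_samples)
    changed_machine_accounts "$d/smbpasswd.old" "$d/smbpasswd.new"
    rm -rf "$d"
}

demo
```

On a PDC with `refuse machine password change = yes` in effect, the expected output of this comparison between two daily copies is empty; any name printed is a machine account whose password the server accepted despite the policy.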
Just to get you correct: You want that domain members don't change their MACHINE account password (not the USER account passwords), as that is what the "refuse machine password change" policy is for. Correct?
Yes, this is correct. I want PDC to reject password changes from machines.
Created attachment 2744: Patch to obey Refuse Machine Change Password Policy. Can you test this patch and see if it fixes your problem?
Unfortunately, machines still can change passwords :-(
More interesting is that I added debug output to this patched function and I see that it is never called for changing the machine password...
Hello! Looks like I found the right place for the patch: --- samba-3.0.22.orig/source/rpc_server/srv_netlog_nt.c +++ samba-3.0.22/source/rpc_server/srv_netlog_nt.c @@ -463,6 +463,7 @@ uint32 acct_ctrl; DOM_CRED cred_out; const uchar *old_pw; + uint32 refuse; if (!p->dc || !p->dc->authenticated) { return NT_STATUS_INVALID_HANDLE; @@ -507,6 +508,14 @@ return NT_STATUS_ACCOUNT_DISABLED; } + if (pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &refuse) && refuse) { + DEBUG(1, ("Machine %s cannot change password now, " + "denied by Refuse Machine Password Change policy\n", + workstation)); + pdb_free_sam(&sampass); + return NT_STATUS_ACCOUNT_RESTRICTION; + } + /* Woah - what does this to to the credential chain ? JRA */ cred_hash3( pwd, q_u->pwd, p->dc->sess_key, 0); Hope it will be included in the next release :-)
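Review bot: the denial in the second hunk returns NT_STATUS_ACCOUNT_RESTRICTION, a generic account-restriction status rather than a signal that the password change itself was refused, so a workstation treats the failure as transient and retries the change; the return should be the status the client interprets as a definitive refusal. Also, when `pdb_get_account_policy()` fails the `&&` short-circuits, `refuse` (declared uninitialized in the first hunk) is never read and the policy is silently not enforced; initialize `refuse = 0` and log the lookup failure at DEBUG level so an operator can distinguish "policy store unreadable" from "policy off". The `pdb_free_sam(&sampass)` before the early return matches the other failure paths in the function, which is right.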
Please don't mark a bug as fixed until the change is made in the upstream code base. Also, in the future please attach patches and not include them inline. Thanks.
Looks like NT_STATUS_ACCOUNT_RESTRICTION is the wrong status code. According to http://support.microsoft.com/kb/154501, "future attempts to change the password are prevented (by returning a distinct status code)," but machines try to change the password again and again...
NT_STATUS_WRONG_PASSWORD is the best I found. It doesn't work as it should, but machines try to change the password only at boot, i.e. once per day, not every 20 minutes :-)
Shouldn't we fix that in 3.6.x?
I want this option for Samba AD DC, not NT DC.
Created attachment 15297: Work in progress for ADDC in master