Bug 4666 - Refuse machine password change is not obeyed
Summary: Refuse machine password change is not obeyed
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.10.6
Hardware: Other Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2007-05-28 00:25 UTC by Dmitry Melekhov
Modified: 2019-07-10 06:19 UTC

See Also:

Patch to obey Refuse Machine Change Password Policy (1.26 KB, patch)
2007-06-09 13:52 UTC, Simo Sorce
Work in progress for ADDC in master (21.60 KB, patch)
2019-07-10 06:17 UTC, Stefan Metzmacher

Description Dmitry Melekhov 2007-05-28 00:25:44 UTC
If I set this, Windows domain members still can change passwords; I see this comparing smbpasswd with yesterday's copy.
Comment 1 Guenther Deschner 2007-05-29 04:59:28 UTC
Just to understand you correctly: you want domain members not to change their MACHINE account password (not the USER account passwords), as that is what the "refuse machine password change" policy is for. Correct?
Comment 2 Dmitry Melekhov 2007-05-29 05:03:42 UTC
Yes, this is correct.
I want PDC to reject password changes from machines.
Comment 3 Simo Sorce 2007-06-09 13:52:19 UTC
Created attachment 2744 [details]
Patch to obey Refuse Machine Change Password Policy

Can you test this patch and see if it fixes your problem?
Comment 4 Dmitry Melekhov 2007-06-13 23:49:17 UTC
Unfortunately, machines still can change passwords :-(
Comment 5 Dmitry Melekhov 2007-06-21 22:43:14 UTC
More interesting is that I added debug output to this patched function, and I see that it is never called for changing the machine password...
Comment 6 Dmitry Melekhov 2007-08-29 22:26:23 UTC

Looks like I found the right place for the patch:

--- samba-3.0.22.orig/source/rpc_server/srv_netlog_nt.c
+++ samba-3.0.22/source/rpc_server/srv_netlog_nt.c
@@ -463,6 +463,7 @@
        uint32 acct_ctrl;
        DOM_CRED cred_out;
        const uchar *old_pw;
+       uint32 refuse;

        if (!p->dc || !p->dc->authenticated) {
                return NT_STATUS_INVALID_HANDLE;
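Review bot: `uint32 refuse;` is declared without an initial value; it is only read after `pdb_get_account_policy()` has returned true in the following hunk, so the code is correct as written, but initializing it to 0 here (`uint32 refuse = 0;`) would make that dependency explicit and keep the fail-closed intent obvious to later readers.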
@@ -507,6 +508,14 @@
                return NT_STATUS_ACCOUNT_DISABLED;

+       if (pdb_get_account_policy(AP_REFUSE_MACHINE_PW_CHANGE, &refuse) && refuse) {
+                               DEBUG(1, ("Machine %s cannot change password now, "
+                                         "denied by Refuse Machine Password Change policy\n",
+                                         workstation));
+               pdb_free_sam(&sampass);
+               return NT_STATUS_ACCOUNT_RESTRICTION;
+       }
        /* Woah - what does this to to the credential chain ? JRA */
        cred_hash3( pwd, q_u->pwd, p->dc->sess_key, 0);
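Review bot: the three `DEBUG(1, (...))` lines are indented more deeply than the rest of the new block and the block runs straight into the existing `/* Woah ... */` comment; align them with `pdb_free_sam(&sampass);` and add a blank line before the comment. On `return NT_STATUS_ACCOUNT_RESTRICTION;`: comments 8 and 9 below report that clients keep retrying the change with this status and that NT_STATUS_WRONG_PASSWORD reduced the retries to once per boot, so which status the client treats as "stop trying" should be settled before merging. The level-1 log line naming the denied workstation is worth keeping, since it gives administrators an audit trail of refused machine password changes.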

Hope it will be included in next release :-)
Comment 7 Gerald (Jerry) Carter (dead mail address) 2007-08-30 07:21:56 UTC
Please don't mark a bug as fixed until the change is made in the upstream code base. Also, in the future please attach patches and not include them inline. Thanks.
Comment 8 Dmitry Melekhov 2007-09-10 06:27:38 UTC
Looks like NT_STATUS_ACCOUNT_RESTRICTION is the wrong status code.
According to http://support.microsoft.com/kb/154501 
"future attempts to change the password are prevented (by returning a distinct status code)."
but machines try to change password again and again...
Comment 9 Dmitry Melekhov 2007-09-21 01:39:57 UTC
NT_STATUS_WRONG_PASSWORD is the best I found.
It doesn't work as it should, but machines try to change the password only at boot, i.e. once per day, not every 20 minutes :-)
Comment 10 Stefan Metzmacher 2010-02-21 06:49:49 UTC
Shouldn't we fix that in 3.6.x?
Comment 11 SATOH Fumiyasu 2019-07-10 06:00:12 UTC
I want this option for Samba AD DC, not NT DC.
Comment 12 Stefan Metzmacher 2019-07-10 06:17:44 UTC
Created attachment 15297 [details]
Work in progress for ADDC in master