Discussion:
[Samba] Disabling Machine Account password change
Florian Thiel
2004-03-10 21:39:44 UTC
Hello!

We have a school environment with Debian servers and Win2K clients.
There are about 700 clients and 30 servers. There is a piece of hardware
installed on all clients that resets the changes made to the local disk
at reboot.

This seems to be a problem with Win2K changing machine account passwords
every 30 days (according to MSDN). The server saves the password, the
client resets it and domain logon is impossible ever after.

Now I want to disable this password changing. It is possible with a
Windows PDC using group policy (at least that's what Windows Admins told
me). I found for Samba it's hardcoded in the sources. Would it be
possible to make that an option for smb.conf? I'm not a C programming
professional so I'm afraid of hacking the Samba source (especially with no
similar examples in the sources).

Is there someone working on that kind of thing or are there any
implications I do not know about?

Thanks in advance,
Florian
--
Florian Thiel - Medienzentrum Kassel
Systembetreuung Internet- und Kommunikationstechnik
Kasseler Schulen am Netz - http://www.medienzentrum-kassel.de
Matthieu Le Corre
2004-03-10 23:04:32 UTC
Post by Florian Thiel
Hello!
Hello ...
i think i've the same problem ....
Post by Florian Thiel
We have a school environment with Debian servers and Win2K clients.
There are about 700 clients and 30 servers. There is a piece of hardware
installed on all clients that resets the changes made to the local disk
at reboot.
we are working with disk image ..but the problem is the same !
Post by Florian Thiel
This seems to be a problem with Win2K changing machine account passwords
every 30 days (according to MSDN). The server saves the password, the
client resets it and domain logon is impossible ever after.
can you give me the URL reference where you see it ! i'm interested on the
subject !
Post by Florian Thiel
Now I want to disable this password changing. It is possible with a
Windows PDC using group policy (at least that's what Windows Admins told
me). I found for Samba it's hardcoded in the sources. Would it be
possible to make that an option for smb.conf? I'm not a C programming
professional so I'm afraid of hacking the Samba source (especially with no
similar examples in the sources).
Is there someone working on that kind of thing or are there any
implications I do not know about?
Can you give me the location on the source where you see that

maybe I've two solutions ...
1) just back up the old passwd on your samba server and reinject it every night
2) a cleaner way to do it :P : use gpedit.msc on your win2k workstation
( mmc component) go to "windows parameter" "security setting" "local
policies" "security options" and enable " prevent system maintenance of
computer account password " .....
not sure of the result ... but you can try ;)
Post by Florian Thiel
Thanks in advance,
Florian
--
Florian Thiel - Medienzentrum Kassel
Systembetreuung Internet- und Kommunikationstechnik
Kasseler Schulen am Netz - http://www.medienzentrum-kassel.de
- --
Matthieu Le Corre
------------------------------
CIE -- UFR sciences
Université de Nantes
02-51-12-58-65
Florian Thiel
2004-03-11 14:53:03 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by Florian Thiel
Hello!
Hello ...
i think i've the same problem ....
[...]
Post by Florian Thiel
This seems to be a problem with Win2K changing machine account passwords
every 30 days (according to MSDN). The server saves the password, the
client resets it and domain logon is impossible ever after.
can you give me the URL reference where you see it ! i'm interested on the
subject !
Here it is:
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;175468
It also proposes a bunch of solutions.
Post by Florian Thiel
Now I want to disable this password changing. It is possible with a
Windows PDC using group policy (at least that's what Windows Admins told
me). I found for Samba it's hardcoded in the sources. Would it be
possible to make that an option for smb.conf? I'm not a C programming
professional so I'm afraid of hacking the Samba source (especially with no
similar examples in the sources).
Is there someone working on that kind of thing or are there any
implications I do not know about?
Can you give me the location on the source where you see that
For samba-2.2.3a (the debian package) it is in
source/rpc_server/srv_reg_net.c

The string is in line 140 (RefusePasswordChange). This is the name of
the registry entry that (according to the MSDN article) has to be set on
the PDC in order to disable password changing. It seems to me that samba
returns NT_STATUS_NO_SUCH_FILE. It should be configurable to return the
value 1 (don't know in what format).
maybe I've two solutions ...
1) just back up the old passwd on your samba server and reinject it every night
hmm, dirty hack!
2) a cleaner way to do it :P : use gpedit.msc on your win2k workstation
( mmc component) go to "windows parameter" "security setting" "local
policies" "security options" and enable " prevent system maintenance of
computer account password " .....
not sure of the result ... but you can try ;)
We set the registry entry (see MSDN article) locally for a bunch of
machines. The problem is that we're dealing with about 700 machines
spread out in the whole city. We are not able to disable the hard drive
protection remotely, so this would be tedious.

I would really like a clean centralized solution.

HTH,
Florian
--
Florian Thiel - Medienzentrum Kassel
Systembetreuung Internet- und Kommunikationstechnik
Kasseler Schulen am Netz - http://www.medienzentrum-kassel.de
Matthieu Le Corre
2004-03-11 15:28:32 UTC
Post by Florian Thiel
For samba-2.2.3a (the debian package) it is in
source/rpc_server/srv_reg_net.c
The string is in line 140 (RefusePasswordChange). This is the name of
the registry entry that (according to the MSDN article) has to be set on
the PDC in order to disable password changing. It seems to me that samba
returns NT_STATUS_NO_SUCH_FILE. It should be configurable to return the
value 1 (don't know in what format).
hums.... it seems to be only the existence of the reg keys ....
but I don't know if samba knows how to deal with this if the keys are set to
1 ....
Post by Florian Thiel
Post by Matthieu Le Corre
maybe I've two solutions ...
1) just back up the old passwd on your samba server and reinject it every night
hmm, dirty hack!
sure ... but centralized one ;)

- --
Matthieu Le Corre
------------------------------
CIE -- UFR sciences
Université de Nantes
02-51-12-58-65
Gerald (Jerry) Carter
2004-03-11 19:15:18 UTC
Florian Thiel wrote:

| We set the registry entry (see MSDN article) locally for a bunch of
| machines. The problem is that we're dealing with about 700 machines
| spread out in the whole city. We are not able to disable the hard drive
| protection remotely, so this would be tedious.
|
| I would really like a clean centralized solution.

The MS KB article mentions the RefusePasswordChange
reg value. You could add this to the hardcoded registry
paths that Samba supports.





cheers, jerry
- ----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
Florian Thiel
2004-03-11 20:43:34 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
| We set the registry entry (see MSDN article) locally for a bunch of
| machines. The problem is that we're dealing with about 700 machines
| spread out in the whole city. We are not able to disable the hard drive
| protection remotely, so this would be tedious.
|
| I would really like a clean centralized solution.
The MS KB article mentions the RefusePasswordChange
reg value. You could add this to the hardcoded registry
paths that Samba supports.
Yes, that's the idea. The problem is that I'm not feeling able to do
this on my own. Is there a samba developer around? I think it shouldn't
be too hard if you know the structures. I'm not even sure what value
Windows expects in return...

Florian
--
Florian Thiel - Medienzentrum Kassel
Systembetreuung Internet- und Kommunikationstechnik
Kasseler Schulen am Netz - http://www.medienzentrum-kassel.de
Gerald (Jerry) Carter
2004-03-11 22:00:32 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Florian Thiel wrote:

|> The MS KB article mentions the RefusePasswordChange
|> reg value. You could add this to the hardcoded registry
|> paths that Samba supports.
|
| Yes, that's the idea. The problem is that I'm not feeling able
| to do this on my own. Is there a samba developer around?
| I think it shouldn't be too hard if you know the structures.
| I'm not even sure what value Windows expects in return...

Try this patch (i only guarantee it to compile).
(stripped by the mailing list). Should apply to
any 3.0 version.



cheers, jerry
- ----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAUI0QIR7qMdg1EfYRAk6xAKCSLTt7xQw1bbFB9qP/DnJFaCEyoQCgnDTH
VDAlzSb5F4XrrfL1XVdRNVQ=
=H9L2
-----END PGP SIGNATURE-----
-------------- next part --------------
Index: rpc_server/srv_reg_nt.c
===================================================================
RCS file: /data/cvs/samba/source/rpc_server/srv_reg_nt.c,v
retrieving revision 1.17.2.10
diff -u -r1.17.2.10 srv_reg_nt.c
--- rpc_server/srv_reg_nt.c 23 Jul 2003 12:33:58 -0000 1.17.2.10
+++ rpc_server/srv_reg_nt.c 11 Mar 2004 15:58:11 -0000
@@ -373,12 +373,14 @@
/* couple of hard coded registry values */

if ( strequal(name, "RefusePasswordChange") ) {
- if ( (val = (REGISTRY_VALUE*)malloc(sizeof(REGISTRY_VALUE))) == NULL ) {
- DEBUG(0,("_reg_info: malloc() failed!\n"));
- return NT_STATUS_NO_MEMORY;
- }
- ZERO_STRUCTP( val );
+ uint32 dwValue = 0x1;
+
+ regval_ctr_addvalue(&regvals, "RefusePasswordChange", REG_DWORD,
+ (const char*)&dwValue, sizeof(dwValue));
+ val = dup_registry_value( regval_ctr_specific_value( &regvals, 0 ) );

+ status = NT_STATUS_OK;
+
goto out;
}
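Review bot: the replacement code loses the allocation-failure check that the removed malloc() path had: `val = dup_registry_value( regval_ctr_specific_value( &regvals, 0 ) );` goes straight to `status = NT_STATUS_OK;` and `goto out;`, so if dup_registry_value() returns NULL the caller gets NT_STATUS_OK with no value. Add `if ( !val ) { status = NT_STATUS_NO_MEMORY; goto out; }` before setting status. Two smaller points: `uint32 dwValue = 0x1;` hard-codes the answer, so every client asking for RefusePasswordChange is told the DC refuses changes, whereas the request in the thread was for an smb.conf switch; consider gating the regval_ctr_addvalue() on a new boolean parameter and falling through to the old "no such value" path when it is off. And `(const char*)&dwValue` pushes the DWORD in host byte order, which matches the on-the-wire little-endian REG_DWORD only on little-endian hosts. The declarations of `regvals` and `val` are outside the hunk's context and must already exist in _reg_info() for this to build.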
Florian Thiel
2004-03-12 13:37:10 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
|> The MS KB article mentions the RefusePasswordChange
|> reg value. You could add this to the hardcoded registry
|> paths that Samba supports.
|
| Yes, that's the idea. The problem is that I'm not feeling able
| to do this on my own. Is there a samba developer around?
| I think it shouldn't be too hard if you know the structures.
| I'm not even sure what value Windows expects in return...
Try this patch (i only guarantee it to compile).
(stripped was the mailing list ). Should apply to
any 3.0 version.
Thanks. Looks like it should also apply to Samba 2.2. Do you think it
would be working for Samba2? And most important: Can you think of a way
to test it reliably? Setting the clients to a low change interval comes
into mind...

Florian
--
Florian Thiel - Medienzentrum Kassel
Systembetreuung Internet- und Kommunikationstechnik
Kasseler Schulen am Netz - http://www.medienzentrum-kassel.de
Matthieu Le Corre
2004-03-15 21:01:13 UTC
Look at the options :
"machine password timeout"
on the samba server ;)

"
machine password timeout = seconds

Default: 604,800

Allowable values: number of seconds

Sets the period between (NT domain) machine password changes. Default is 1
week, or 604,800 seconds.
"

maybe this helps ;)
Post by Florian Thiel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
|> The MS KB article mentions the RefusePasswordChange
|> reg value. You could add this to the hardcoded registry
|> paths that Samba supports.
|
| Yes, that's the idea. The problem is that I'm not feeling able
| to do this on my own. Is there a samba developer around?
| I think it shouldn't be too hard if you know the structures.
| I'm not even sure what value Windows expects in return...
Try this patch (i only guarantee it to compile).
(stripped was the mailing list ). Should apply to
any 3.0 version.
Thanks. Looks like it should also apply to Samba 2.2. Do you think it
would be working for Samba2? And most important: Can you think of a way
to test it reliably? Setting the clients to a low change interval comes
into mind...
Florian
--
Florian Thiel - Medienzentrum Kassel
Systembetreuung Internet- und Kommunikationstechnik
Kasseler Schulen am Netz - http://www.medienzentrum-kassel.de
- --
Matthieu Le Corre
------------------------------
CIE -- UFR sciences
Université de Nantes
02-51-12-58-65
Andrew Bartlett
2004-03-16 02:48:57 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
"machine password timeout"
on the samba server ;)
"
machine password timeout = seconds
Default: 604,800
Allowable values: number of seconds
Sets the period between (NT domain) machine password changes. Default is 1
week, or 604,800 seconds.
"
maybe this helps ;)
This is not relevant for a Samba PDC; the client chooses when to change the password.

The only thing a DC can do is set a system policy.

Andrew Bartlett
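A toy model of the failure Florian describes at the top of the thread and of Andrew's point that the client, not the DC, decides when the machine password changes. This is an added example, not code from the thread, from Samba or from Windows; the DomainController and Workstation classes, the one-reboot-per-day schedule and the rule that a client keeps its old password when the DC refuses the change are my simplifying assumptions about the Netlogon behaviour, not a description of the real protocol.

```python
"""Model of NT-domain machine account password rotation with a disk-reset
client (added example; all classes and scheduling rules are assumptions)."""
from dataclasses import dataclass, field


@dataclass
class DomainController:
    """PDC side: machine account database plus the RefusePasswordChange switch."""
    accounts: dict = field(default_factory=dict)   # host name -> machine password
    # Value the DC reports for the RefusePasswordChange registry entry;
    # 1 means clients are told the DC will not accept machine password changes
    # (what the patch in the thread hard-codes).
    refuse_password_change: int = 0

    def set_password(self, host: str, current: str, new: str) -> bool:
        """Client-initiated change. Accepted only over a channel authenticated
        with the current password, and never while RefusePasswordChange is 1."""
        if self.accounts.get(host) != current:
            return False
        if self.refuse_password_change == 1:
            return False
        self.accounts[host] = new
        return True

    def secure_channel_ok(self, host: str, secret: str) -> bool:
        """Domain logon needs the secure channel, which needs matching secrets."""
        return self.accounts.get(host) == secret


@dataclass
class Workstation:
    """Domain member whose local disk may be restored to an image at reboot."""
    name: str
    secret: str                            # machine password stored on the local disk
    max_password_age: int = 30             # days; the Win2K default cited in the thread
    disable_password_change: bool = False  # client-side policy (the gpedit route)
    disk_protected: bool = False           # hardware card that reverts the disk
    image: str = field(init=False, default="")  # what the card restores at reboot
    age: int = 0                           # days since the last password change

    def __post_init__(self):
        self.image = self.secret           # snapshot taken when the machine was imaged

    def end_of_day(self, dc: DomainController) -> None:
        """The CLIENT decides when to rotate; the DC has no timer in this model,
        which is why a server-side 'machine password timeout' changes nothing."""
        self.age += 1
        if self.disable_password_change or self.age < self.max_password_age:
            return
        candidate = f"{self.name}-pw-day{self.age}"   # constructed new secret
        if dc.set_password(self.name, self.secret, candidate):
            self.secret = candidate        # accepted: both sides move on together
        # on refusal the client keeps the password it already has
        self.age = 0

    def reboot(self) -> None:
        if self.disk_protected:
            self.secret = self.image       # the card throws away the day's changes


def simulate(days: int, *, disk_protected: bool = True, refuse_on_dc: int = 0,
             disable_on_client: bool = False, max_age: int = 30) -> bool:
    """Run `days` days of use with one reboot per day and report whether the
    workstation can still establish its secure channel at the end."""
    dc = DomainController(refuse_password_change=refuse_on_dc)
    ws = Workstation("PC-LAB01", "initial-secret", max_password_age=max_age,
                     disable_password_change=disable_on_client,
                     disk_protected=disk_protected)
    dc.accounts[ws.name] = ws.secret       # the account as it was at join time
    for _ in range(days):
        ws.end_of_day(dc)
        ws.reboot()
    return dc.secure_channel_ok(ws.name, ws.secret)


if __name__ == "__main__":
    print("unprotected disk, defaults  :", simulate(90, disk_protected=False))
    print("protected disk, defaults    :", simulate(90))
    print("protected, DC refuses change:", simulate(90, refuse_on_dc=1))
    print("protected, client disabled  :", simulate(90, disable_on_client=True))
    print("protected, max age 999 days :", simulate(365, max_age=999),
          simulate(1000, max_age=999))
```

With a protected disk and default settings the channel is broken after the first rotation on day 30, because the DC keeps the new password and the card restores the old one. Setting refuse_on_dc=1 (the behaviour the posted patch gives the Samba PDC) or disable_on_client=True keeps the two sides in sync; raising the client's maximum password age only postpones the break until that age is reached. There is deliberately no DC-side timer in the model: nothing on the server ever triggers a change, which is the reason the smb.conf "machine password timeout" parameter is irrelevant for a PDC.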
Gerald (Jerry) Carter
2004-03-15 22:03:46 UTC
Post by Florian Thiel
Thanks. Looks like it should also apply to Samba 2.2. Do you think it
would be working for Samba2? And most important: Can you think of a way
to test it reliably? Setting the clients to a low change interval comes
into mind...
That's the best way I can think of.




cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
Stumpfl Markus
2004-03-11 12:47:02 UTC
Hi,

what you could try (I've set it that way and works fine - for now ;-)):

open 'gpedit.msc'
\Computerconfiguration\Windows Settings\Security Settings\Local
Settings\Security Options\Domain Member: Maximum Age of Computer
Passwords
set that to 999 (maximum). So you should be fine for some time...

Normally in Windows if you set something like that to 0, then it would
be disabled and the Computer-Password would be never reset but because
Samba handles that otherwise... (at least what I know of)

Markus
-----Original Message-----
On behalf of Matthieu Le Corre
Sent: Wednesday, 10 March 2004 18:09
Subject: Re: [Samba] Disabling Machine Account password change
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by Florian Thiel
Hello!
Hello ...
i think i've the same problem ....
Post by Florian Thiel
We have a school environment with Debian servers and Win2K clients.
There are about 700 clients and 30 servers. There is a piece of
hardware
Post by Florian Thiel
installed on all clients that resets the changes made to the local
disk
Post by Florian Thiel
at reboot.
we are working with disk image ..but the problem is the same !
Post by Florian Thiel
This seems to be a problem with Win2K changing machine account
passwords
Post by Florian Thiel
every 30 days (according to MSDN). The server saves the password,
the
Post by Florian Thiel
client resets it and domain logon is impossible ever after.
can you give me the URL reference where you see it ! i'm interested on
the
subject !
Post by Florian Thiel
Now I want to disable this password changing. It is possible with a
Windows PDC using group policy (at least that's what Windows Admins
told
Post by Florian Thiel
me). I found for Samba it's hardcoded in the sources. Would it be
possible to make that an option for smb.conf? I'm not a C
programming
Post by Florian Thiel
professional so I'm afraid of hacking the Samba source (especially
with
no
Post by Florian Thiel
similar examples in the sources).
Is there someone working on that kind of thing or are there any
implications I do not know about?
Can you give me the location on the source where you see that
maybe I've two solutions ...
1) just back up the old passwd on your samba server and reinject it
every
night
2) a cleaner way to do it :P : use gpedit.msc on your win2k
workstation
( mmc component) go to "windows parameter" "security setting" "local
policies" "security options" and enable " prevent system maintenance
of
computer account password " .....
not sure of the result ... but you can try ;)
Post by Florian Thiel
Thanks in advance,
Florian
--
Florian Thiel - Medienzentrum Kassel
Systembetreuung Internet- und Kommunikationstechnik
Kasseler Schulen am Netz - http://www.medienzentrum-kassel.de
- --
Matthieu Le Corre
------------------------------
CIE -- UFR sciences
Université de Nantes
02-51-12-58-65
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAT0vDHj6Gj+ly9W4RAhjvAKDpvk2ygntMitwmbAvKcE7NtRGE7QCfahSG
MwlbQ+Wrue8E5KXaa36y0xs=
=XKFR
-----END PGP SIGNATURE-----
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Florian Thiel
2004-03-19 15:49:25 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
| Ooops, my fault. I only read the last line and thought
| you meant setting the clients is the best way to get rid
| of the whole problem. In fact you spoke of testing. Sure!
| Shame on me....
no problem. Let me know if it works though. Would be
good to know whether I should look at including the
patch in the main tree or just as a side item.
In Samba2 it does not compile.

Compiler output:

-------
Compiling rpc_server/srv_netlog_nt.c
Compiling rpc_server/srv_pipe_hnd.c
Compiling rpc_server/srv_reg.c
Compiling rpc_server/srv_reg_nt.c
rpc_server/srv_reg_nt.c: In function `_reg_info':
rpc_server/srv_reg_nt.c:143: `regvals' undeclared (first use in this
function)
rpc_server/srv_reg_nt.c:143: (Each undeclared identifier is reported only
once
rpc_server/srv_reg_nt.c:143: for each function it appears in.)
rpc_server/srv_reg_nt.c:145: `val' undeclared (first use in this function)
make: *** [rpc_server/srv_reg_nt.o] Error 1
-------


Code after patching:


"source/rpc_server/srv_reg_nt.c"
-----------------------
if (!uni_key || !buf)
return NT_STATUS_NO_MEMORY;

if ( strequal(name, "RefusePasswordChange") ) {
uint32 dwValue = 0x1;

regval_ctr_addvalue(&regvals, "RefusePasswordChange", REG_DWORD,
(const char*)&dwValue, sizeof(dwValue));
val = dup_registry_value( regval_ctr_specific_value( &regvals, 0 ) );

status = NT_STATUS_OK;

goto out;
}

-----------------------

Does that help?
--
Florian Thiel - Medienzentrum Kassel
Systembetreuung Internet- und Kommunikationstechnik
Kasseler Schulen am Netz - http://www.medienzentrum-kassel.de
Gerald (Jerry) Carter
2004-03-19 22:34:34 UTC
Post by Matthieu Le Corre
-------
Compiling rpc_server/srv_netlog_nt.c
Compiling rpc_server/srv_pipe_hnd.c
Compiling rpc_server/srv_reg.c
Compiling rpc_server/srv_reg_nt.c
rpc_server/srv_reg_nt.c:143: `regvals' undeclared (first use in this
function)
rpc_server/srv_reg_nt.c:143: (Each undeclared identifier is reported only
once
rpc_server/srv_reg_nt.c:143: for each function it appears in.)
rpc_server/srv_reg_nt.c:145: `val' undeclared (first use in this function)
make: *** [rpc_server/srv_reg_nt.o] Error 1
-------
That patch will only work for Samba 3. I used to have a patch for
the regval stuff in 2.2 but can't find it anymore. Sorry.
I thought you were running 3.0 ?





cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)