[Samba] 'Scripted' machine account renewal?!

Kees van Vloten keesvanvloten at gmail.com
Sun Feb 25 11:42:49 UTC 2024


On 25-02-2024 11:56, Marco Gaiarin via samba wrote:
> I need to access the LDAP AD server from a Debian box, but I don't need
> shares or winbind.
>
> For the sake of simplicity I'm thinking of using the machine account (-P).

There is "net changetrustpw" to do this.

When you domain-join the machine, the machine password is managed by 
winbind, so you don't need to do this.

When you do not join the machine, there is no reason to have a machine 
account.

If you just have a service that does LDAP queries, I would create an 
ordinary user account for it (and start its name e.g. with "svc_"). 
With this you can easily decide how to manage the password. Or if you use 
Kerberos for this account, you can set the password with samba-tool to a 
very long random value and use an SPN and keytab for authentication, no 
hassle with passwords at all...

- Kees.

>
>
> I can join the box, but if I keep winbind and nmbd/smbd off, how can I renew
> the machine account?
>
>
> Thanks.
>
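The service-account approach Kees describes (an ordinary "svc_" user with a long random password set by samba-tool, an SPN, and a keytab for Kerberos authentication), written out as an added shell example. This is not code from the thread or from the Samba project; the realm EXAMPLE.COM, the DC dc1.example.com, the account svc_ldap, the SPN ldap-reader/app1.example.com and the keytab path are assumed values, and DRY_RUN=1 (the default) prints each command instead of running it so the steps can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: provision a
# dedicated LDAP read-only service account with a random password nobody
# needs to know, bind an SPN to it and authenticate from a keytab.
# Assumed names (not from the original message): realm EXAMPLE.COM,
# DC dc1.example.com, account svc_ldap, SPN ldap-reader/app1.example.com.

REALM="${REALM:-EXAMPLE.COM}"
DC_HOST="${DC_HOST:-dc1.example.com}"
BASE_DN="${BASE_DN:-DC=example,DC=com}"
SVC_USER="${SVC_USER:-svc_ldap}"
SPN="${SPN:-ldap-reader/app1.example.com}"
KEYTAB="${KEYTAB:-/etc/krb5.svc_ldap.keytab}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command (shell-quoting arguments that need it) in dry-run mode,
# otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        _line=""
        for _a in "$@"; do
            case $_a in
                *[!A-Za-z0-9_./:=@,-]*) _a="'$_a'" ;;
            esac
            _line="${_line:+$_line }$_a"
        done
        printf '%s\n' "$_line"
    else
        "$@"
    fi
}

# 1. An ordinary user account, never a machine account. samba-tool generates
#    the random password and we never record it. Password expiry is disabled
#    so the keytab does not break silently when the domain policy ages the
#    password out; rotation is done deliberately with rotate_keytab instead.
provision_account() {
    run samba-tool user create "$SVC_USER" --random-password \
        --description="LDAP read-only service account"
    run samba-tool user setexpiry "$SVC_USER" --noexpiry
}

# 2. Bind the SPN to the account and export the keys for that principal only.
#    The keytab is now the secret: keep it 0600 and owned by the service user.
export_keytab() {
    run samba-tool spn add "$SPN" "$SVC_USER"
    run samba-tool domain exportkeytab "$KEYTAB" --principal="$SPN"
    run chmod 0600 "$KEYTAB"
}

# 3. On the client: get a TGT from the keytab and query over SASL/GSSAPI.
#    No password appears in the application's configuration.
query_with_keytab() {
    run kinit -k -t "$KEYTAB" "$SPN@$REALM"
    run ldapsearch -LLL -Y GSSAPI -H "ldap://$DC_HOST" -b "$BASE_DN" \
        '(objectClass=user)' sAMAccountName
}

# Rotation: a new random password changes the account's keys, so the keytab
# must be re-exported afterwards; the old keytab stops working immediately.
rotate_keytab() {
    run samba-tool user setpassword "$SVC_USER" --random-password
    run samba-tool domain exportkeytab "$KEYTAB" --principal="$SPN"
}

# Usage: DRY_RUN=0 sh svc_ldap.sh provision | query | rotate
case "${1:-}" in
    provision) provision_account; export_keytab ;;
    query)     query_with_keytab ;;
    rotate)    rotate_keytab ;;
esac
```

Provisioning runs on a DC (samba-tool needs the local sam.ldb), the keytab is then copied to the Debian box, and only `query` runs there; the machine itself is never joined, so there is no machine password to renew.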
