[Samba] 'Scripted' machine account renewal?!

Kees van Vloten keesvanvloten at gmail.com
Mon Feb 26 22:17:38 UTC 2024


On 26-02-2024 22:54, Marco Gaiarin via samba wrote:
> Hello! Kees van Vloten via samba
>    On that day it was said...
>
>>> For the sake of simplicity I'm thinking to use machine account (-P).
>> There is "net changetrustpw" to do this.
> Ok, I've missed that. Thanks.
>
>
>> If you just have a service that does LDAP-queries, I would create an
>> ordinary user-account for it (and start its name e.g. with "svc_").
> This is my first option, I was only speculating...
>
>
>> With this you decide easily how to manage the password. Or if you use
>> kerberos for this account, you can set the password with samba-tool to a
>> random very long value and use a SPN and keytab for authentication, no
>> hassle with passwords at all...
> Interesting... I supposed that Kerberos tickets still have to be 'upgraded',
> so... there's really a way to generate a 'permanent' kerberos ticket?
>
> Some info on how to do this? Thanks.

kstart does exactly that, it manages and refreshes the ticket for 
long-running processes. On Debian it is available as a package, the home page 
is here https://www.eyrie.org/~eagle/software/kstart/

- Kees.
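
The keytab-plus-kstart arrangement discussed in this thread, as an added example that is not part of the original messages: a systemd unit that runs a long-lived service under k5start so its ticket is obtained from a keytab and renewed automatically. The unit name, the local user svc_ldap, the keytab path and the daemon path are assumptions, and the keytab is assumed to have been exported already for the service account.

```ini
# /etc/systemd/system/ldap-query.service  (hypothetical unit name)
#
# Assumptions (not from the thread):
#   - local Unix user "svc_ldap" exists and owns the keytab
#   - /etc/krb5/svc_ldap.keytab was exported for the AD service account
#   - /usr/local/bin/ldap-query-daemon is the long-running service
#
# The keytab is equivalent to the account's password: keep it mode 0600,
# owned by the service user, and out of backups that others can read.

[Unit]
Description=LDAP query service with Kerberos ticket managed by k5start
After=network-online.target
Wants=network-online.target

[Service]
User=svc_ldap
Group=svc_ldap

# -f  keytab to authenticate from (no password prompt)
# -U  take the principal name from the keytab instead of the command line
# -K  wake up every 60 minutes and re-obtain the ticket if it is close to expiry
# With a command given, k5start runs it as a child with KRB5CCNAME pointing
# at the ticket cache it maintains, and exits when the child exits.
ExecStart=/usr/bin/k5start -f /etc/krb5/svc_ldap.keytab -U -K 60 /usr/local/bin/ldap-query-daemon

Restart=on-failure
RestartSec=10

# Limit what a compromised service process can reach.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=multi-user.target
```

If the account's password is later reset, the keys in the keytab no longer match and the keytab has to be exported again before the service can authenticate.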