RFC: Add some functionality to net ads changetrustpw

Noel Power NoPower at suse.com
Wed Nov 13 16:50:23 UTC 2019

On 13/11/2019 16:01, Rowland penny via samba-technical wrote:
> On 13/11/2019 15:23, Noel Power wrote:
>> On 13/11/2019 15:05, Rowland penny via samba-technical wrote:
>>> On 13/11/2019 14:26, Noel Power via samba-technical wrote:
>>>> Hi,
>>>> I have a patch here resulting from a customer request where they
>>>> wish to
>>>> be able to periodically run a command to trust pw after a number of
>>>> days
>>>> has expired (so something they can run in cron job) The would be
>>>> something similar to what winbind does with 'machine password timeout'
>>>> param. So this is something to be used when winbind isn't used.
>>> Now I am probably missing something here, but doesn't kerberos use the
>>> machine password (which means ads) and this means winbind must be
>>> running (at least from 4.8.0)
>> I don't recall which samba version this was reported against, but then
>> again I am not entirely sure about if it isn't possible to run without
>> winbind in more recent versions.
>> Also I believe it's possible to run with sssd and no winbind
> Sorry, but you must have missed the 'using sssd with Samba is no
> longer supported' discussion. If you use 'security = ADS' or 'security
> = domain' with Samba >= 4.8.0, you must run winbind, see here:
> https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed
yep I missed that,

also still "'machine password timeout' works only with a subset of the
'kerberos method' values"

so I think it is still maybe useful


More information about the samba-technical mailing list