[Samba] Changing the domain admin password

John Drescher drescherjm at gmail.com
Thu Apr 29 15:45:02 MDT 2010

On Thu, Apr 29, 2010 at 5:37 PM, Steve Thompson <smt at vgersoft.com> wrote:
> On Tue, 6 Apr 2010, Steve Thompson wrote:
>> Samba 3.x.y (various) on CentOS 5.4 x86_64 with the ldapsam backend; one
>> PDC, two BDC's and about a dozen member servers. The configuration file on
>> each of course specifies the "ldap admin dn" and each system has the
>> associated password specified with "smbpasswd -w". Question is: how often is
>> the ldap admin actually used for anything, such that if I change the real
>> password associated with the account, how much grace do I get before I have
>> to run "smbpasswd -w" on each member server, all without restarting smb?
> No-one responded to this, so I did a little experiment. I changed the
> password in the LDAP database for the account corresponding to ldap admin
> dn, and then changed the password in secrets.tdb on all my Linux member
> servers (+PDC+BDC) using "smbpasswd -w". Immediately (within a minute or so)
> all Windows clients joined to the domain and logged in to a domain account
> hung. Changed the ldap admin dn password back to its former value, and all
> the clients continued from where they were with no apparent ill effects. So
> the question is: if the ldap admin dn password is changed, do the clients
> have to be rejoined to the domain? I'd really like to change this password
> periodically, so I hope that this is not the case. I've been unable to find
> any documentation that touches on this point.

I believe when I changed the ldap admin / Manager password I needed to
restart the Samba servers on the PDC and my 3 BDCs after updating the
secrets on each machine. All has been well after this.