[Samba] Howto set/reset/reaad computer account password with samba-4.9.x examples?

Rowland Penny rpenny at samba.org
Wed Jan 16 22:19:41 UTC 2019

On Wed, 16 Jan 2019 22:03:29 +0100
Oliver Rath via samba <samba at lists.samba.org> wrote:

> Hi list,
> I want to perform a domain join of a computer to a given machine
> account with reusing it, not overwriting. For this I think, it is the
> right way (for a unattend.xml) to use the <machinePassword> described
> here:
> https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-unattendedjoin-identification#child-elements
> in the new feature list of samba 4.9.x is written "The 'samba-tool
> computer' command allow manipulation of computer accounts including
> creating a new computer and resetting the password. This allows an
> 'offline join' of a member server or workstation to the Samba AD
> domain."
> Unfortunatly I dont find any example for
>   * resetting the password (the "setpassword" from user command doesnt
>     work, maybe simply --password?)

It does work, did you forget the '$' on the end of the computer name ?

e.g. samba-tool user setpassword --filter=samaccountname=Computer$

I think you would need to use this with '--random-password'

>   * creating a computer with a given machine password (maybe simply
>     --password,too ?)

You cannot do that, you need to create the computer and then set the

>   * reading the machine password from AD (there i found some old
> variant which didnt work, tested with Win81-clients)

I think you would have to export a keytab for the new computer, pass
this to the new computer and then kinit with this and then do the join
with kerberos.


More information about the samba mailing list