[Samba] Change computer password

Mon Apr 6 11:09:21 UTC 2020

On 2 Apr 2020, at 16:06, Arnaud FLORENT via samba wrote:

> Hi Tobias
>
> the computer password is set when the computer is joined to DC
>
> the computer also change it periodically
>
>
> this password must be synced between the compter and the DC else user 
> can not login to the domain
>
>
> changing the password with samba-tool, you will have different value 
> on the computer and on the DC
>
> so user will not be able to log in anymore
>
>
>
> using computer password for radius allow joined computers to connect 
> to network before user login.
>
> else computer must wait for user to login to perform radius auth...
>
>
> but you should not change the password with samba-tool

Okay, now i got it. Computer password is something internal, not useful 
for our use case. Would be harmful if we use it :)

The problem ist that macOS does need a profile for doing 802.1x. We need 
a user and a password for that profile. It has to be installed on the 
mac initially and „static“. Therefore it cannot be the domain user. 
We wanted to avoid to maintain separat user accounts as „dummy 
computer accounts“ but it seems that we have to go that way.

Do you have another idea?

Merci,
Tobias

> regards
>
>
> Le 02/04/2020 à 10:54, Tobias Kirchhofer via samba a écrit :
>> Maybe my question was to specific :)
>>
>> More general: does anybody know something about the „Computer 
>> Password“ in Samba? For what is it needed by default?
>>
>> Thanks,
>>
>> Tobias
>>
>> On 31 Mar 2020, at 12:09, Tobias Kirchhofer via samba wrote:
>>
>>> Hi,
>>>
>>> we work on authenticating computers via 802.1x with Samba AD as 
>>> backend of Radius. Everything looks promising.
>>>
>>> We ask ourselves if it is a good idea to use the machine account 
>>> which are created by joining a computer to the AD.
>>>
>>> We can change machine account passwords with `samba-tool user 
>>> setpassword COMPUTERNAME$` This works, we have SUCCESS with 
>>> `eapol_test` on the Radius server.
>>>
>>> The question is if it is save to set and use the machine account 
>>> password. Microsoft says a lot about this password: 
>>> https://adsecurity.org/?p=280
>>>
>>> Does someone has an opinion or/and experience on that?
>>>
>>
>>
> -- 
> Arnaud FLORENT
> IRIS Technologies
>
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

-- 
collect at shift.agency