[Samba] winbind: machine password timeout and keytab

Johan Hattne johan at hattne.se
Tue Feb 18 19:14:38 UTC 2020


Dear all;

Is it possible to refresh the machine password in an AD setup while also 
using a keytab for verifying secrets?  As far as I can see, machine 
password updates (as controlled by "machine password timeout") are 
disabled when a keytab is in use (in particular, when "kerberos method = 
secrets and keytab"), but without an up-to-date keytab, e.g. single 
sign-on with SSH won't work.

Is there any way around this, short of running a cron job to refresh 
machine passwords and then update the keytab?  I find that the 
cron solution suffers from race conditions in a CTDB setup.

// Best wishes; Johan


