[Samba] DC disaster recovery

Gregory Sloop gregs at sloop.net
Tue Jul 14 23:17:48 UTC 2020

Rpvs>> On 14/07/2020 17:25, Gregory Sloop via samba wrote:

>>> Rpvs> On 14/07/2020 16:51, Gregory Sloop via samba wrote:
>>>>> Yeah, I could set up an extra XCP box - but at smaller setups, it really seems like overkill.
>>>>> So, it sounds like restores of the VM work "fine."
>>>>> How often do machine accounts reset their passwords?
>>> Rpvs> Every 30 days, though this is adjustable, but not recommended
>>>>> [This is the one that is most likely to be problematic. Rejoining the domain means a new profile. And that's a big PITA on the client side.]
>>>>> User password changes can simply be handled by the admin resetting them, or the like. Machine accounts? Not so straightforward, at least not that I'm aware of - unless there's some way to "reset" the computer account password and sync with the workstation.
>>> Rpvs> You do know that a computer is a user with an extra objectclass ?

>>> Rpvs> Rowland

>>> Yeah, I do know that.
>>> But that seems like a *completely pointless* observation if there's not some way to re-sync the "machine" account password on the station with a new password on the AD-DC. If there's a way, I'm all ears. If there's not, then who cares - what's the point in even bringing it up?

>>> It feels like
>>> Bystander: "Hey drowning man, there's a way you don't have to drown, you know!"
>>> Drowning man: "Yeah?! Crikey! How about telling me about that, instead of just telling me I don't have to drown!"
>>> Bystander "I just wanted you to know 'bout my technical superiority!"
>>> Drowning man: "Can I drown now?"
>>> :)

>>> -Greg

Rpvs>> Hey 'Drowning man':

Rpvs>> samba-tool user setpassword computer_name$ --random-password

GSvs> So, you're telling me that if I restore an AD (VM) to a prior
GSvs> point (let's say from a backup from a week ago), *after* the
GSvs> computer account has changed its password, I can simply do
GSvs> "samba-tool user setpassword computer_name$ --random-password"
GSvs> and then that Windows station will be able to connect again,
GSvs> without needing to rejoin the domain? [And thus, keep the same user profile as before, etc.]

I thought you'd reply Rowland, but alas. This method doesn't make sense to me.

When you join a PC to the domain, you connect as an "admin" user [a user that has domain join rights] and AD and the computer exchange a PSK/secret - this, from what I can tell, is the "password" on the computer account in AD. If you change this password in AD, I don't see how the computer will "get" this shared secret. Essentially the computer should lose its connection to the domain, its SID, etc. - because it can't communicate with AD since the shared secret [password] doesn't match any more.

So, how do you get the "shared" secret back on the PC that matches the secret for the computer account in AD?
The only way I know how to do it is to remove the computer from the domain and rejoin. [But that's not resetting the computer account. It's nuking the old one and starting over.]

Am I missing something?
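A check a practitioner would want after restoring a DC from an older backup is a list of the machine accounts whose 30-day rotation (the default given earlier in this thread) fell between the backup and the restore, since those are the workstations most likely to now hold a secret the restored DC has never seen. The script below is an added example, not code from the thread or from the Samba project; it assumes pwdLastSet values in the LDIF shape of an LDAP export from the restored DC (a constructed sample is embedded), and it is a heuristic, since a Windows client only rotates when it can reach a DC.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_UNIX_OFFSET = 116444736000000000
ROTATION = timedelta(days=30)  # default machine-account password age given in the thread

def filetime_to_datetime(ft):
    """Convert a FILETIME value to an aware UTC datetime."""
    return datetime.fromtimestamp((ft - FILETIME_UNIX_OFFSET) / 10_000_000, tz=timezone.utc)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    return int(dt.timestamp()) * 10_000_000 + FILETIME_UNIX_OFFSET

def parse_ldif(text):
    """Minimal LDIF parser: one dict per blank-line-separated record, values kept as lists."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current.setdefault(key, []).append(value)
    if current:
        records.append(current)
    return records

def due_since_backup(ldif_text, restore_time):
    """Computer accounts whose next rotation fell before restore_time.
    The restored DC only knows pwdLastSet as of the backup, so pwdLastSet + ROTATION
    earlier than the restore time means the workstation was due to rotate in the gap."""
    flagged = []
    for rec in parse_ldif(ldif_text):
        if "computer" not in rec.get("objectClass", []):
            continue
        last_set = filetime_to_datetime(int(rec["pwdLastSet"][0]))
        if last_set + ROTATION <= restore_time:
            flagged.append(rec["sAMAccountName"][0])
    return flagged

RESTORE_TIME = datetime(2020, 7, 14, 23, 0, tzinfo=timezone.utc)
# Constructed sample (hypothetical hosts WS01/WS02, example.com); not real directory data.
SAMPLE_LDIF = "\n".join(
    f"dn: CN={name},CN=Computers,DC=example,DC=com\nobjectClass: computer\n"
    f"sAMAccountName: {name}$\npwdLastSet: {datetime_to_filetime(datetime(*ymd, tzinfo=timezone.utc))}\n"
    for name, ymd in (("WS01", (2020, 6, 10)), ("WS02", (2020, 7, 1)))
)
# due_since_backup(SAMPLE_LDIF, RESTORE_TIME) -> ['WS01$']  (WS02 was not due until 2020-07-31)
```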
