[Samba] DC keep password from installation

Andrew Bartlett abartlet at samba.org
Mon Nov 15 19:35:00 UTC 2021

On Mon, 2021-11-15 at 17:04 +0100, Jeremy Guasco via samba wrote:
> Hi everyone,
> Our 4 DCs (samba 4.14) have kept their initial password (pwdLastSet) 
> since their setup 2 years ago.
> All other computers from the domain often rotate their password.
> We didn't use the "machine password timeout" var.
> Is that normal behavior or should we do something?

Sadly normal.  Ideally we would rotate those, and the krbtgt password,
but currently we don't do that.

Rotating DC passwords only, even if not the krbtgt, would be worthwhile,
but only if you can coax the DC into doing NTLM authentication
outbound, but that isn't normally the case.

But we really need to do both.

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
