[Samba] DC keep password from installation

Kees van Vloten keesvanvloten at gmail.com
Mon Nov 15 20:54:10 UTC 2021


On 15-11-2021 20:35, Andrew Bartlett via samba wrote:
> On Mon, 2021-11-15 at 17:04 +0100, Jeremy Guasco via samba wrote:
>> Hi everyone,
>>
>> Our 4 DCs (samba 4.14) have kept their initial password (pwdLastSet)
>> since their setup 2 years ago.
>>
>> All other computers from the domain often rotate their password.
>>
>> We didn't use the "machine password timeout" var.
>>
>> Is that normal behavior or should we do something?
> Sadly normal.  Ideally we would rotate those, and the krbtgt password,
> but currently we don't do that.
>
> Rotating DC passwords only, even if not the krbtgt, would be worthwhile,
> but only if you can coax the DC into doing NTLM authentication
> outbound, but that isn't normally the case.
>
> But we really need to do both.
>
> Andrew Bartlett
>
For krbtgt I use the script provided in the samba git repo:

https://gitlab.com/samba-team/samba/raw/v<version>-stable/source4/scripting/devel/chgkrbtgtpass

It is scheduled in cron to run monthly.

I have not seen anything for the DC password, though.

- Kees
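
An added example, not part of the original thread or of Samba's own tooling: one way to audit the condition discussed above, flagging DC machine accounts and krbtgt whose pwdLastSet is older than a threshold. It assumes the accounts were exported to LDIF (for example with ldbsearch); the sample records, the example.test names and the 40-day limit are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

SERVER_TRUST_ACCOUNT = 0x2000  # userAccountControl bit set on DC machine accounts
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample export (hypothetical names and values, not from the thread).
SAMPLE_LDIF = """\
dn: CN=DC1,OU=Domain Controllers,DC=example,DC=test
sAMAccountName: DC1$
userAccountControl: 532480
pwdLastSet: 132182496000000000

dn: CN=WS01,CN=Computers,DC=example,DC=test
sAMAccountName: WS01$
userAccountControl: 4096
pwdLastSet: 132801984000000000

dn: CN=krbtgt,CN=Users,DC=example,DC=test
sAMAccountName: krbtgt
userAccountControl: 514
pwdLastSet: 132801984000000000
"""

def filetime_to_datetime(value):
    """pwdLastSet counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def parse_ldif(text):
    """Yield one dict per record; single-valued, unfolded attributes only."""
    for block in text.strip().split("\n\n"):
        pairs = (l.split(": ", 1) for l in block.splitlines() if ": " in l)
        yield dict(pairs)

def stale_accounts(text, now, max_age_days):
    """Return (name, age_days) for DC accounts and krbtgt older than the limit."""
    stale = []
    for rec in parse_ldif(text):
        is_dc = int(rec.get("userAccountControl", 0)) & SERVER_TRUST_ACCOUNT
        if not is_dc and rec.get("sAMAccountName") != "krbtgt":
            continue  # ordinary workstation or user account: out of scope here
        age = (now - filetime_to_datetime(int(rec.get("pwdLastSet", 0)))).days
        if age > max_age_days:
            stale.append((rec["sAMAccountName"], age))
    return stale

if __name__ == "__main__":
    now = datetime(2021, 11, 15, tzinfo=timezone.utc)
    for name, age in stale_accounts(SAMPLE_LDIF, now, 40):
        print(f"{name}: password last set {age} days ago")
```
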



