[Samba] DC keep password from installation

Kees van Vloten keesvanvloten at gmail.com
Mon Nov 15 20:54:10 UTC 2021

On 15-11-2021 20:35, Andrew Bartlett via samba wrote:
> On Mon, 2021-11-15 at 17:04 +0100, Jeremy Guasco via samba wrote:
>> Hi everyone,
>> Our 4 DCs (samba 4.14) have kept their initial password (pwdLastSet)
>> since their setup 2 years ago.
>> All other computers from the domain often rotate their password.
>> We didn't use the "machine password timeout" var.
>> Is that normal behavior or should we do something?
> Sadly normal.  Ideally we would rotate those, and the krbtgt password,
> but currently we don't do that.
> Rotating DC passwords only, even if not the krbtgt, would be worthwhile,
> but only if you can coax the DC into doing NTLM authentication
> outbound, but that isn't normally the case.
> But we really need to do both.
> Andrew Bartlett
For krbtgt I use the script provided in the samba git repo:


It is scheduled in cron to run monthly.

I have not seen anything for the DC password, though.

- Kees
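
An added example, not part of the original thread or of the Samba project: one way to audit the pwdLastSet ages discussed above from LDIF output such as ldbsearch produces. The sample records, the account names, the `example.test` domain and the 30-day threshold are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """Encode a datetime as 100 ns ticks since 1601-01-01 UTC (pwdLastSet format)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10

def from_filetime(ticks):
    """Decode a pwdLastSet value into an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_ldif(text):
    """Minimal LDIF reader: blank line ends a record, '#' lines are comments."""
    records, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
        elif not line.startswith("#") and ": " in line:
            key, value = line.split(": ", 1)
            cur[key] = value
    return records

def stale_passwords(ldif_text, now, max_age_days):
    """Return (account, age_in_days) for passwords older than max_age_days."""
    stale = []
    for rec in parse_ldif(ldif_text):
        ticks = int(rec.get("pwdLastSet", "0"))
        if ticks == 0:
            continue  # 0 means no timestamp recorded, so no age to compute
        age = (now - from_filetime(ticks)).days
        if age > max_age_days:
            stale.append((rec.get("sAMAccountName", rec.get("dn", "?")), age))
    return sorted(stale, key=lambda item: -item[1])

# Constructed sample: a DC that kept its install-time password and a workstation
NOW = datetime(2021, 11, 15, tzinfo=timezone.utc)
SAMPLE_LDIF = f"""# record 1
dn: CN=DC1,OU=Domain Controllers,DC=example,DC=test
sAMAccountName: DC1$
pwdLastSet: {to_filetime(datetime(2019, 11, 10, tzinfo=timezone.utc))}

# record 2
dn: CN=WS01,CN=Computers,DC=example,DC=test
sAMAccountName: WS01$
pwdLastSet: {to_filetime(datetime(2021, 11, 1, tzinfo=timezone.utc))}
"""
```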
