[Samba] DC keep password from installation

Rowland Penny rpenny at samba.org
Mon Nov 15 21:04:52 UTC 2021


On Mon, 2021-11-15 at 21:54 +0100, Kees van Vloten via samba wrote:
> On 15-11-2021 20:35, Andrew Bartlett via samba wrote:
> > On Mon, 2021-11-15 at 17:04 +0100, Jeremy Guasco via samba wrote:
> > > Hi everyone,
> > > 
> > > Our 4 DCs (samba 4.14) have kept their initial password
> > > (pwdLastSet)
> > > since their setup 2 years ago.
> > > 
> > > All other computers from the domain often rotate their password.
> > > 
> > > We didn't use the "machine password timeout" var.
> > > 
> > > Is that normal behavior or should we do something?
> > Sadly normal.  Ideally we would rotate those, and the krbtgt
> > password,
> > but currently we don't do that.
> > 
> > Rotating DC passwords only, even if not the krbtgt, would be
> > worthwhile,
> > but only if you can coax the DC into doing NTLM authentication
> > outbound, but that isn't normally the case.
> > 
> > But we really need to do both.
> > 
> > Andrew Bartlett
> > 
> For krbtgt I use the script provided in the samba git repo:
> 
> https://gitlab.com/samba-team/samba/raw/v<version>-stable/source4/scripting/devel/chgkrbtgtpass
> 
> It is scheduled in cron to run monthly.
> 
> I have not seen anything for the DC password, though.

Yes you have :-)

A computer (even a DC) is a user with an extra objectclass.

I will leave it up to you to work out how to change a computer's
password.

Rowland
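
The following Python example is added here and is not part of the original message or of Samba's own tooling. It audits the condition reported in this thread: it parses LDIF of the kind `ldbsearch` prints, converts `pwdLastSet` to a date, and lists accounts whose password is older than a threshold, labelling DC and krbtgt accounts. The sample records, account names and function names are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet epoch
SERVER_TRUST_ACCOUNT = 0x2000  # userAccountControl bit set on DC accounts

# Constructed sample in LDIF form (hypothetical names and values, not real data).
SAMPLE_LDIF = """\
dn: CN=DC1,OU=Domain Controllers,DC=example,DC=com
sAMAccountName: DC1$
userAccountControl: 532480
pwdLastSet: 132186816000000000

dn: CN=WS01,CN=Computers,DC=example,DC=com
sAMAccountName: WS01$
userAccountControl: 4096
pwdLastSet: 132801984000000000

dn: CN=krbtgt,CN=Users,DC=example,DC=com
sAMAccountName: krbtgt
pwdLastSet: 132186816000000000
"""

def parse_ldif(text):
    """Parse plain LDIF records into dicts (single-valued attributes only)."""
    entries, cur, last = [], {}, None
    for line in [l for l in text.splitlines() if not l.startswith("#")] + [""]:
        if line.startswith(" ") and last:        # folded continuation line
            cur[last] += line[1:]
        elif ":" in line:
            last, _, value = line.partition(":")
            cur[last] = value.strip()
        elif not line.strip() and cur:           # blank line ends a record
            entries.append(cur)
            cur, last = {}, None
    return entries

def filetime_to_dt(value):
    return EPOCH_1601 + timedelta(microseconds=int(value) // 10)  # 100 ns ticks

def stale_passwords(entries, now, max_age_days):
    """Return (account, kind, age_days) for passwords older than max_age_days."""
    out = []
    for e in entries:
        name = e.get("sAMAccountName", "?")
        uac = int(e.get("userAccountControl", 0))
        kind = "krbtgt" if name == "krbtgt" else "dc" if uac & SERVER_TRUST_ACCOUNT else "other"
        age = (now - filetime_to_dt(e.get("pwdLastSet", 0))).days  # missing -> 1601, flagged
        if age > max_age_days:
            out.append((name, kind, age))
    return sorted(out, key=lambda r: -r[2])
```

Called with a reference date of 2021-11-15 and a 90-day threshold, the sample reports the DC and krbtgt accounts at 726 days and leaves the regularly rotating member out.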