[Samba] DC keep password from installation
Rowland Penny
rpenny at samba.org
Mon Nov 15 21:04:52 UTC 2021
On Mon, 2021-11-15 at 21:54 +0100, Kees van Vloten via samba wrote:
> On 15-11-2021 20:35, Andrew Bartlett via samba wrote:
> > On Mon, 2021-11-15 at 17:04 +0100, Jeremy Guasco via samba wrote:
> > > Hi everyone,
> > >
> > > Our 4 DCs (samba 4.14) have kept their initial password
> > > (pwdLastSet)
> > > since their setup 2 years ago.
> > >
> > > All other computers from the domain rotate often their password.
> > >
> > > We didn't use the "machine password timeout" var.
> > >
> > > Is that a normal behavior or should we do something ?
> > Sadly normal. Ideally we would rotate those, and the krbtgt
> > password,
> > but currently we don't do that.
> >
> > Rotating DC passwords only, even if not the krbtgt, would be
> > worthwile,
> > but only if you can coax the DC into doing NTLM authentication
> > outbound, but that isn't normally the case.
> >
> > But we really need to do both.
> >
> > Andrew Bartlett
> >
> For krbtgt I use the script provided in the samba git repo:
>
> https://gitlab.com/samba-team/samba/raw/v<version>-stable/source4/scripting/devel/chgkrbtgtpass
>
> It is scheduled in cron to run monthly.
>
> I have not seen anything for the DC password, though.
Yes you have :-)
A computer (even a DC) is a user with an extra objectclass.
I will leave it up to you to workout out to change a computers
password.
Rowland
More information about the samba
mailing list