[Samba] DC keep password from installation
Andrew Bartlett
abartlet at samba.org
Mon Nov 15 22:21:25 UTC 2021
On Mon, 2021-11-15 at 21:54 +0100, Kees van Vloten via samba wrote:
> On 15-11-2021 20:35, Andrew Bartlett via samba wrote:
> > On Mon, 2021-11-15 at 17:04 +0100, Jeremy Guasco via samba wrote:
> > > Hi everyone,
> > >
> > > Our 4 DCs (samba 4.14) have kept their initial password
> > > (pwdLastSet)
> > > since their setup 2 years ago.
> > >
> > > All other computers in the domain rotate their password often.
> > >
> > > We didn't use the "machine password timeout" var.
> > >
> > > Is that a normal behavior or should we do something ?
> > Sadly normal. Ideally we would rotate those, and the krbtgt
> > password,
> > but currently we don't do that.
> >
> > Rotating DC passwords only, even if not the krbtgt, would be
> > worthwhile,
> > but only if you can coax the DC into doing NTLM authentication
> > outbound, but that isn't normally the case.
> >
> > But we really need to do both.
> >
> > Andrew Bartlett
> >
> For krbtgt I use the script provided in the samba git repo:
>
> https://gitlab.com/samba-team/samba/raw/v<version>-stable/source4/scripting/devel/chgkrbtgtpass
>
> It is scheduled in cron to run monthly.
>
> I have not seen anything for the DC password, though.
https://gitlab.com/samba-team/samba/-/blob/master/source4/scripting/devel/chgtdcpass
Don't run more often than every 7 days as there is a 7 day renewal
lifetime by default. "kdc:renewal lifetime" in smb.conf.
Note that few operate with this so it is untested as to what happens if
Samba is running with this - should be fine, but just test.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
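As an added example to go with the thread above (this is not code from the Samba project nor from any poster here): a small audit script that reads the pwdLastSet values of the DC machine accounts and krbtgt as ldbsearch prints them, converts the Windows FILETIME to a date, and reports which accounts are overdue for rotation and which were changed too recently to touch again, using the 7-day minimum spacing Andrew gives above. The LDIF text, the reference time NOW (fixed to the date of the mail), the 30-day target age and the domain names are all constructed for the example; the ldbsearch command in the comments assumes the default sam.ldb path.

```python
"""Audit DC machine-account and krbtgt password age from ldbsearch output.

Added example, not a script from the Samba tree. To get real input, run on a
DC (path assumed to be the default; adjust for your distribution):

  ldbsearch -H /var/lib/samba/private/sam.ldb \
    '(|(sAMAccountName=krbtgt)(userAccountControl:1.2.840.113556.1.4.803:=8192))' \
    sAMAccountName userAccountControl pwdLastSet

and feed the LDIF it prints to rotation_report().
"""
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl bits (AD schema, not Samba-specific).
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000   # member computers
UF_SERVER_TRUST_ACCOUNT = 0x2000        # domain controller machine accounts

# Constructed reference time: the timestamp of the mail above.
NOW = datetime(2021, 11, 15, 22, 21, 25, tzinfo=timezone.utc)

# Constructed sample, shaped like ldbsearch LDIF output. 532480 is the usual
# DC value (SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION); 4096 marks a
# workstation, which the audit must leave out.
SAMPLE_LDIF = """\
# record 1
dn: CN=DC1,OU=Domain Controllers,DC=ad,DC=example,DC=com
sAMAccountName: DC1$
userAccountControl: 532480
pwdLastSet: 132182856000000000

# record 2
dn: CN=DC2,OU=Domain Controllers,DC=ad,DC=example,DC=com
sAMAccountName: DC2$
userAccountControl: 532480
pwdLastSet: 132812292850000000

# record 3
dn: CN=krbtgt,CN=Users,DC=ad,DC=example,DC=com
sAMAccountName: krbtgt
userAccountControl: 514
pwdLastSet: 132797604850000000

# record 4
dn: CN=WS01,CN=Computers,DC=ad,DC=example,DC=com
sAMAccountName: WS01$
userAccountControl: 4096
pwdLastSet: 132812292850000000

# returned 4 records
"""


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: 'dn:' starts an entry, a blank line ends it,
    '#' lines are comments. Base64 ('attr:: ...') values are skipped since
    none of the attributes used here are encoded that way."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, sep, value = line.partition(": ")
        if not sep or key.endswith(":"):
            continue
        current[key] = value.strip()
    return entries


def password_age_days(ft: int, now: datetime = NOW) -> float:
    """Age of a pwdLastSet value in days relative to now."""
    return (now - filetime_to_datetime(ft)).total_seconds() / 86400


def rotation_report(ldif_text: str, now: datetime = NOW,
                    max_age_days: int = 30, min_interval_days: int = 7) -> list:
    """Classify DC machine accounts and krbtgt by password age.

    rotate     : older than max_age_days, or pwdLastSet is 0 (never set)
    too-recent : changed less than min_interval_days ago; per the mail above,
                 do not rotate again inside the default 7-day renewal lifetime
    ok         : changed within the window, nothing to do
    Accounts that are neither a DC nor krbtgt are not reported.
    """
    report = []
    for entry in parse_ldif(ldif_text):
        name = entry.get("sAMAccountName")
        if not name or "pwdLastSet" not in entry:
            continue
        uac = int(entry.get("userAccountControl", "0"))
        is_dc = bool(uac & UF_SERVER_TRUST_ACCOUNT)
        if not (is_dc or name.lower() == "krbtgt"):
            continue
        ft = int(entry["pwdLastSet"])
        age = password_age_days(ft, now) if ft else float("inf")
        if age >= max_age_days:
            status = "rotate"
        elif age < min_interval_days:
            status = "too-recent"
        else:
            status = "ok"
        report.append({"account": name, "age_days": age, "status": status})
    return report


if __name__ == "__main__":
    for row in rotation_report(SAMPLE_LDIF):
        print(f"{row['account']:<8} {row['age_days']:8.1f} days  {row['status']}")
```

Run on the sample it reports DC1$ (two years old) as "rotate", DC2$ (changed three days ago) as "too-recent", krbtgt (20 days) as "ok", and says nothing about the workstation. The "too-recent" state is the guard a cron job around chgtdcpass or chgkrbtgtpass needs: check the age first, and only call the script when it is past the 7-day mark.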