[Samba] Key rollover on AD DC
Christian Merten
cmerten at mathi.uni-heidelberg.de
Tue Aug 16 18:39:49 UTC 2022
Hello everyone,
I am trying to rollover the most important keys of my samba setup
following the instructions at
https://wiki.samba.org/index.php/Samba_Security_Documentation#Key_rollover
While doing this I ran into two questions:
1.) I have two AD DCs, one on Debian Buster and one on Debian Bullseye
running samba versions 2:4.9.5+dfsg-5+deb10u3 and
2:4.13.13+dfsg-1~deb11u5 respectively. Currently I am trying to rollover
their machine passwords. On both systems I cloned the samba repository
and tried to run the script source4/scripting/devel/chgtdcpass. On the
bullseye system (where a python3-samba package is installed) everything
worked fine, the account password was successfully reset.
But: On the buster system, I ran into a lot of problems. It complained
about not finding the python3 module "samba". Unfortunately there is no
"python3-samba" package for buster, so I tried to install it via pip3,
but this only installed an empty package. I also tried to remove the
bin/ in the line
sys.path.insert(0, "bin/python")
and to run the script from the main directory of the repo, but I still
ran into "No module named samba.param".
2.) The documentation suggests using the chgkrbtgtpass script from the
samba repository. Is there any problem with using "samba-tool user
setpassword krbtgt" instead?
Best regards
Christian
More information about the samba
mailing list