[Samba] Key rollover on AD DC

Christian Merten cmerten at mathi.uni-heidelberg.de
Tue Aug 16 18:39:49 UTC 2022

Hello everyone,

I am trying to rollover the most important keys of my samba setup 
following the instructions at


While doing this I ran into two questions:

1.) I have two AD DCs, one on Debian Buster and one on Debian Bullseye 
running samba versions 2:4.9.5+dfsg-5+deb10u3 and 
2:4.13.13+dfsg-1~deb11u5 respectively. Currently I am trying to rollover 
their machine passwords. On both systems I cloned the samba repository 
and tried to run the script source4/scripting/devel/chgtdcpass. On the 
bullseye system (where a python3-samba package is installed) everything 
worked fine, the account password was successfully reset.

But: On the buster system, I ran into a lot of problems. It complained 
about not finding the python3 module "samba". Unfortunately there is no 
"python3-samba" package for buster, so I tried to install it via pip3, 
but this only installed an empty package. I also tried to remove the 
bin/ in the line

sys.path.insert(0, "bin/python")

and to run the script from the main directory of the repo, but I still 
ran into "No module named samba.param".

2.) The documentation suggests using the chgkrbtgtpass script from the 
samba repository. Is there any problem with using "samba-tool user 
setpassword krbtgt" instead?

Best regards

More information about the samba mailing list