[Samba] Key rollover on AD DC
rpenny at samba.org
Tue Aug 16 19:10:24 UTC 2022
On Tue, 2022-08-16 at 20:39 +0200, Christian Merten via samba wrote:
> Hello everyone,
> I am trying to rollover the most important keys of my samba setup
> following the instructions at
> While doing this I ran into two questions:
> 1.) I have two AD DCs, one on Debian Buster and one on Debian
> running samba versions 2:4.9.5+dfsg-5+deb10u3 and
> 2:4.13.13+dfsg-1~deb11u5 respectively. Currently I am trying to
> their machine passwords. On both systems I cloned the samba
> and tried to run the script source4/scripting/devel/chgtdcpass. On
> bullseye system (where a python3-samba package is installed)
> worked fine, the account password was successfully reset.
> But: On the buster system, I ran into a lot of problems. It
> about not finding the python3 module "samba". Unfortunately there is
> "python3-samba" package for buster, so I tried to install it via
> but this only installed an empty package. I also tried to remove the
> bin/ in the line
> sys.path.insert(0, "bin/python")
> and to run the script from the main directory of the repo, but I
> ran into "No module named samba.param".
> 2.) The documentation suggests using the chgkrbtgtpass script from
> samba repository. Is there any problem with using "samba-tool user
> setpassword krbtgt" instead?
The easiest way to do what you require would be to demote a DC
(transferring any FSMO roles first), wipe the private directory
(usually /var/lib/samba/private on Debian) and then rejoin the DC. I
would also upgrade 'buster' to 'bullseye'.