[Samba] Key rollover on AD DC

Rowland Penny rpenny at samba.org
Tue Aug 16 19:10:24 UTC 2022

On Tue, 2022-08-16 at 20:39 +0200, Christian Merten via samba wrote:
> Hello everyone,
> I am trying to roll over the most important keys of my samba setup
> following the instructions at
> https://wiki.samba.org/index.php/Samba_Security_Documentation#Key_rollover
> While doing this I ran into two questions:
> 1.) I have two AD DCs, one on Debian Buster and one on Debian Bullseye,
> running samba versions 2:4.9.5+dfsg-5+deb10u3 and
> 2:4.13.13+dfsg-1~deb11u5 respectively. Currently I am trying to roll over
> their machine passwords. On both systems I cloned the samba repository
> and tried to run the script source4/scripting/devel/chgtdcpass. On the
> bullseye system (where a python3-samba package is installed) everything
> worked fine, the account password was successfully reset.
> But: On the buster system, I ran into a lot of problems. It complained
> about not finding the python3 module "samba". Unfortunately there is no
> "python3-samba" package for buster, so I tried to install it via pip3,
> but this only installed an empty package. I also tried to remove the
> bin/ in the line
> sys.path.insert(0, "bin/python")
> and to run the script from the main directory of the repo, but I still
> ran into "No module named samba.param".
> 2.) The documentation suggests using the chgkrbtgtpass script from the
> samba repository. Is there any problem with using "samba-tool user
> setpassword krbtgt" instead?

The easiest way to do what you require would be to demote a DC
(transferring any FSMO roles first), wipe the private directory
(usually /var/lib/samba/private on Debian) and then rejoin the DC. I
would also upgrade 'buster' to 'bullseye'.
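As an added example that is not part of the thread or of Samba itself: a shell wrapper around the demote, wipe and rejoin recipe above, with a preflight check that the DC being demoted no longer owns any FSMO role (the roles are moved by running `samba-tool fsmo transfer --role=all` on the DC that stays). The `samba-tool fsmo show` line format, the DC names DC1/DC2 and the example.com domain are assumed and constructed here.

```bash
#!/usr/bin/env bash
# Added example: preflight check plus the demote / wipe / rejoin recipe.
# Assumes samba-tool on PATH, the Debian default private directory and the
# samba-ad-dc systemd unit. Sample output below is constructed.
set -euo pipefail

PRIVATE_DIR="${PRIVATE_DIR:-/var/lib/samba/private}"

# Constructed sample of `samba-tool fsmo show` for a two-DC domain where
# the roles are split between DC1 and DC2 (assumed line format).
SAMPLE_FSMO_SHOW='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com'

# Print the role names (first word of each "owner:" line) whose owning
# NTDS Settings object lives under CN=<dc>, one per line.
roles_held_by() {
  local fsmo_output="$1" dc="$2"
  printf '%s\n' "$fsmo_output" | awk -v dc="$dc" '
    /owner:/ {
      owner = $0; sub(/^.*owner: */, "", owner)
      if (tolower(owner) ~ ("^cn=ntds settings,cn=" tolower(dc) ",")) print $1
    }'
}

# Fail if this host still owns a role; demoting it then would strand the role.
check_no_local_roles() {
  local me held
  me="$(hostname -s)"
  held="$(roles_held_by "$(samba-tool fsmo show)" "$me")"
  if [ -n "$held" ]; then
    echo "Refusing to demote: $me still owns: $(echo "$held" | tr '\n' ' ')" >&2
    echo "Run on the remaining DC first: samba-tool fsmo transfer --role=all" >&2
    return 1
  fi
}

# The recipe itself, run on the DC whose machine keys are being rolled over.
rollover_dc() {
  local realm="$1" admin="${2:-administrator}"
  check_no_local_roles
  samba-tool domain demote -U "$admin"
  systemctl stop samba-ad-dc
  mv "$PRIVATE_DIR" "${PRIVATE_DIR}.old.$(date +%Y%m%d%H%M%S)"   # "wipe" by moving aside
  samba-tool domain join "$realm" DC -U "$admin"
  systemctl start samba-ad-dc
}
```

Calling `rollover_dc example.com` on DC1 with the sample above would refuse, since DC1 still owns three roles; after `samba-tool fsmo transfer --role=all` on DC2 it proceeds.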
