[Samba] Key rollover on AD DC
Rowland Penny
rpenny at samba.org
Tue Aug 16 19:10:24 UTC 2022
On Tue, 2022-08-16 at 20:39 +0200, Christian Merten via samba wrote:
> Hello everyone,
>
> I am trying to rollover the most important keys of my samba setup
> following the instructions at
>
> https://wiki.samba.org/index.php/Samba_Security_Documentation#Key_rollover
>
> While doing this I ran into two questions:
>
> 1.) I have two AD DCs, one on Debian Buster and one on Debian
> Bullseye
> running samba versions 2:4.9.5+dfsg-5+deb10u3 and
> 2:4.13.13+dfsg-1~deb11u5 respectively. Currently I am trying to
> rollover
> their machine passwords. On both systems I cloned the samba
> repository
> and tried to run the script source4/scripting/devel/chgtdcpass. On
> the
> bullseye system (where a python3-samba package is installed)
> everything
> worked fine, the account password was successfully reset.
>
> But: On the buster system, I ran into a lot of problems. It
> complained
> about not finding the python3 module "samba". Unfortunately there is
> no
> "python3-samba" package for buster, so I tried to install it via
> pip3,
> but this only installed an empty package. I also tried to remove the
> bin/ in the line
>
> sys.path.insert(0, "bin/python")
>
> and to run the script from the main directory of the repo, but I
> still
> ran into "No module named samba.param".
>
> 2.) The documentation suggests using the chgkrbtgtpass script from
> the
> samba repository. Is there any problem with using "samba-tool user
> setpassword krbtgt" instead?
The easiest way to do what you require, would be to demote a DC
(transferring any FSMO roles first), wipe the private directory
(usually /var/lib/samba/private on Debian) and then rejoin the DC. I
would also upgrade 'buster' to 'bullseye'.
Rowland
More information about the samba
mailing list