[Samba] 'Scripted' machine account renewal?!
Rowland Penny
rpenny at samba.org
Thu Jun 6 09:41:32 UTC 2024
On Thu, 6 Jun 2024 11:13:45 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:
> I think I finally figured out what the issue is:
>
> When you do: 'net ads -P changetrustpw', it will change the password
> on the DC and update the local secret store to use the new password.
>
> However with each new machine password, a new version (kvno) of the
> keytabs in /etc/krb5.keytab is required. The above command does not
> update your keytab file and as a result subsequent calls to change
> the machine password will fail. Other things that make use of a
> keytab for authentication (such as kerberized NFS) will also fail,
> but on most machines you will probably not notice that you have
> outdated keytabs in the keytab file.
>
> The simple solution is to update the keytabs with:
>
> for kt in $(net ads keytab list | awk 'NR> 1 {sub(/@.+/, "") ;print $3}' | sort -u); do
>     net ads keytab add "$kt"
> done
>
> Now everything is back in sync and works as expected.
>
> I heard work was being done to have winbind updating the machine
> password regularly. I don't know if it is already in 4.20 or still
> waiting to go into mainline and land in one of the next versions of
> Samba. That would make the above obsolete :-)
>
There is a bug for this:
https://bugzilla.samba.org/show_bug.cgi?id=13429
Rowland
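The full rotation-and-resync procedure described in the quoted message, as an added example that is neither Kees's script nor anything shipped by Samba. It assumes the `net ads keytab list` layout the thread's own awk relies on (a header line, then kvno, encryption type and principal in columns 1-3), and that the `net` and `kinit` binaries are on PATH; the listing embedded below is constructed sample output, not captured from a real host, and the final `kinit -k -t` check is my assumption about how to prove the refreshed keytab actually authenticates.

```shell
#!/bin/sh
# Machine password rotation for an AD-joined Samba member, keeping
# /etc/krb5.keytab in step with the new kvno. Added example, not from
# the samba list thread.

# Constructed sample of `net ads keytab list` output (not a real capture).
# Two kvno-3 services plus a stale kvno-2 entry that a previous rotation
# left behind.
SAMPLE_KEYTAB_LIST='Vno  Type                                        Principal
  3  aes256-cts-hmac-sha1-96                     host/fs1.example.com@EXAMPLE.COM
  3  aes128-cts-hmac-sha1-96                     host/fs1.example.com@EXAMPLE.COM
  3  aes256-cts-hmac-sha1-96                     nfs/fs1.example.com@EXAMPLE.COM
  3  aes128-cts-hmac-sha1-96                     nfs/fs1.example.com@EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96                     host/fs1.example.com@EXAMPLE.COM'

# keytab_principals: read `net ads keytab list` text on stdin and print the
# unique principals with the realm stripped, one per line. Same idea as the
# awk in the thread, but sub() is applied to $3 only so that the record is
# never re-split.
keytab_principals() {
    awk 'NR > 1 && NF >= 3 { sub(/@.+/, "", $3); print $3 }' | sort -u
}

# keytab_max_vno: highest kvno present in the listing on stdin (0 if none).
# Used to confirm that the refresh really added entries for the new version.
keytab_max_vno() {
    awk 'NR > 1 && $1 ~ /^[0-9]+$/ { if ($1 + 0 > m) m = $1 + 0 } END { print m + 0 }'
}

# rotate_machine_password: change the trust password on the DC, re-add every
# principal already in the keytab so it gets a key for the new kvno, then
# verify that the kvno moved and that the host principal can still kinit
# from the keytab. Returns non-zero on any failure. (Assumed flags:
# `kinit -k -t FILE` is MIT kinit syntax.)
rotate_machine_password() {
    keytab=${1:-/etc/krb5.keytab}
    before=$(net ads keytab list | keytab_max_vno) || return 1

    net ads -P changetrustpw || return 1

    net ads keytab list | keytab_principals | while read -r kt; do
        net ads keytab add "$kt" || exit 1
    done || return 1

    after=$(net ads keytab list | keytab_max_vno) || return 1
    [ "$after" -gt "$before" ] || { echo "kvno did not advance ($before -> $after)" >&2; return 1; }

    # Prove the refreshed keytab works for keytab-based clients (kerberized NFS etc.).
    kinit -k -t "$keytab" "host/$(hostname -f)" || return 1
}
```

Run `rotate_machine_password` from cron (as root) instead of a bare `net ads -P changetrustpw`; the `after -gt before` guard and the `kinit -k` call are what would have exposed the silent keytab drift the thread describes. The helper functions are pure text filters, so the principal extraction can be exercised against `SAMPLE_KEYTAB_LIST` without touching a DC.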