Hi Tobias,
The computer password is set when the computer is joined to the DC.
The computer also changes it periodically.
This password must be synced between the computer and the DC, else users
cannot log in to the domain.
If you change the password with samba-tool, you will have different values on
the computer and on the DC,
so users will not be able to log in anymore.
Using the computer password for RADIUS allows joined computers to connect to
the network before user login.
Else the computer must wait for the user to log in to perform RADIUS auth...
But you should not change the password with samba-tool.
Regards
On 02/04/2020 at 10:54, Tobias Kirchhofer via samba wrote:
> Maybe my question was too specific :)
>
> More general: does anybody know something about the "Computer
> Password" in Samba? For what is it needed by default?
>
> Thanks,
>
> Tobias
>
> On 31 Mar 2020, at 12:09, Tobias Kirchhofer via samba wrote:
>
>> Hi,
>>
>> we work on authenticating computers via 802.1x with Samba AD as
>> backend of Radius. Everything looks promising.
>>
>> We ask ourselves if it is a good idea to use the machine accounts
>> which are created by joining a computer to the AD.
>>
>> We can change machine account passwords with `samba-tool user
>> setpassword COMPUTERNAME$`. This works, we have SUCCESS with
>> `eapol_test` on the Radius server.
>>
>> The question is if it is safe to set and use the machine account
>> password. Microsoft says a lot about this password:
>> https://adsecurity.org/?p=280
>>
>> Does someone have an opinion or/and experience on that?
>>
>
>
--
Arnaud FLORENT
IRIS Technologies