On Tue, 6 Apr 2010, Steve Thompson wrote:
> Samba 3.x.y (various) on CentOS 5.4 x86_64 with the ldapsam backend; one
PDC,
> two BDC's and about a dozen member servers. The configuration file on
each of
> course specifies the "ldap admin dn" and each system has the
associated
> password specified with "smbpasswd -w". Question is: how often is
the ldap
> admin actually used for anything, such that if I change the real password
> associated with the account, how much grace do I get before I have the run
> "smbpasswd -w" on each member server, all without restarting smb?
No-one responded to this, so I did a little experiment. I changed the
password in the LDAP database for the account corresponding to ldap admin
dn, and then changed the password in secrets.tdb on all my Linux member
servers (+PDC+BDC) using "smbpasswd -w". Immediately (within a minute
or
so) all windows clients joined to the domain and logged in to a domain
account hung. Changed the ldap admin dn password back to its former value,
and all the clients continued from where they were with no apparent ill
effects. So the question is: if the ldap admin dn password is changed, do
the clients have to be rejoined to the domain? I'd really like to change
this password periodically, so I hope that this is not the case. I've been
unable to find any documentation that touches on this point.
Steve