KRBTGT isn't even Samba specific, the same applies to all Active
Directory setups:
>
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn745899(v=ws.11)
> https://adsecurity.org/?p=483
On 2018-01-23 15:51, lists via samba wrote:> Hi,
>
> I'd like to report something here, so it will not happen to others.
>
> We moved all disabled users in our samba AD to a dedicated folder in
> ADUC, which we called 'disabled'.
>
> A little while after we did that, our network started 'falling
apart'.
> Some things still worked, others did not. I could for example no longer
> start ADUC, some users could not logon or map drives, etc, etc.
>
> From samba's point of view everything was still running, replication
was
> happening, etc, etc. No idea where to start looking.
>
> Until my colleage told me about this moving of disabled accounts from
> CN=Users into OU=disabled.
>
> Turned out he had also moved the disabled account "krbtgt", and
this had
> caused our network to fall apart. Luckily his ADUC window was still open
> and functional, so we could move this account back into CN=Users, and
> everything started working again.
>
> So, our advise: don't move that account! :-)
>
--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
TAO Digital | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz | https://www.tao-digital.at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20180123/fcb2819b/signature.sig>