Rpvs> On 14/07/2020 17:25, Gregory Sloop via samba wrote:
>> Rpvs> On 14/07/2020 16:51, Gregory Sloop via samba wrote:
>>>> Yeah, I could set up an extra XCP box - but at smaller setups, it really seems like overkill.
>>>> So, it sounds like restores of the VM work "fine."
>>>> How often do machine accounts reset their passwords?
>> Rpvs> Every 30 days, though this is adjustable, but not recommended
>>>> [This is the one that is most likely to be problematic. Rejoining the domain means a new profile. And that's a big PITA on the client side.]
>>>> User password changes can simply be handled by the admin resetting them, or the like. Machine accounts? Not so straightforward, at least not that I'm aware of - unless there's some way to "reset" the computer account password and sync with the workstation.
>> Rpvs> You do know that a computer is a user with an extra objectclass?
>> Rpvs> Rowland
>> Yeah, I do know that.
>> But that seems like a *completely pointless* observation if there's not some way to re-sync the "machine" account password on the station with a new password on the AD-DC. If there's a way, I'm all ears. If there's not, then who cares - what's the point in even bringing it up?
>> It feels like
>> Bystander: "Hey drowning man, there's a way you don't have to drown, you know!"
>> Drowning man: "Yeah?! Crikey! How about telling me about that, instead of just telling me I don't have to drown!"
>> Bystander: "I just wanted you to know 'bout my technical superiority!"
>> Drowning man: "Can I drown now?"
>> :)
>> -Greg

Rpvs> Hey 'Drowning man':
Rpvs> samba-tool user setpassword computer_name$ --random-password

So, you're telling me that if I restore an AD (VM) to a prior point (let's say from a backup from a week ago), *after* the computer account has changed its password, I can simply do "samba-tool user setpassword computer_name$ --random-password" and then that Windows station will be able to connect again, without needing to rejoin the domain?
[And thus, keep the same user profile as before, etc.]
If true, that's pretty cool.

Rpvs> This will work, but I don't recommend doing it, Samba will change the
Rpvs> password every 30 days.

Yes, but I wouldn't be needing to do this, except in the case of my hypothetical disaster where I need to restore the AD domain from a backup from before - and now the computer account on the PC doesn't match the computer account in AD.

Rpvs> Rowland

-Greg
Rpvs>> On 14/07/2020 17:25, Gregory Sloop via samba wrote:
>>> Rpvs> On 14/07/2020 16:51, Gregory Sloop via samba wrote:
>>>>> Yeah, I could set up an extra XCP box - but at smaller setups, it really seems like overkill.
>>>>> So, it sounds like restores of the VM work "fine."
>>>>> How often do machine accounts reset their passwords?
>>> Rpvs> Every 30 days, though this is adjustable, but not recommended
>>>>> [This is the one that is most likely to be problematic. Rejoining the domain means a new profile. And that's a big PITA on the client side.]
>>>>> User password changes can simply be handled by the admin resetting them, or the like. Machine accounts? Not so straightforward, at least not that I'm aware of - unless there's some way to "reset" the computer account password and sync with the workstation.
>>> Rpvs> You do know that a computer is a user with an extra objectclass?
>>> Rpvs> Rowland
>>> Yeah, I do know that.
>>> But that seems like a *completely pointless* observation if there's not some way to re-sync the "machine" account password on the station with a new password on the AD-DC. If there's a way, I'm all ears. If there's not, then who cares - what's the point in even bringing it up?
>>> It feels like
>>> Bystander: "Hey drowning man, there's a way you don't have to drown, you know!"
>>> Drowning man: "Yeah?! Crikey! How about telling me about that, instead of just telling me I don't have to drown!"
>>> Bystander: "I just wanted you to know 'bout my technical superiority!"
>>> Drowning man: "Can I drown now?"
>>> :)
>>> -Greg

Rpvs>> Hey 'Drowning man':
Rpvs>> samba-tool user setpassword computer_name$ --random-password

GSvs> So, you're telling me that if I restore an AD (VM) to a prior
GSvs> point (let's say from a backup from a week ago), *after* the
GSvs> computer account has changed its password, I can simply do
GSvs> "samba-tool user setpassword computer_name$ --random-password"
GSvs> and then that Windows station will be able to connect again,
GSvs> without needing to rejoin the domain? [And thus, keep the same user profile as before, etc.]

I thought you'd reply Rowland, but alas.

This method doesn't make sense to me. When you join a PC to the domain, you connect as an "admin" user [a user that has domain join rights] and AD and the computer exchange a PSK/secret - this, from what I can tell, is the "password" on the computer account in AD.

If you change this password in AD, I don't see how the computer will "get" this shared secret. Essentially the computer should lose its connection to the domain, and its SID etc. - because it can't communicate with AD since the shared secret [password] doesn't match any more.

So, how do you get the "shared" secret back on the PC that matches the secret for the computer account in AD?

The only way I know how to do it is to remove the computer from the domain and rejoin. [But that's not resetting the computer account. It's nuking the old one and starting over.]

Am I missing something?

-Greg
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Gregory Sloop via samba
> Sent: Wednesday 15 July 2020 1:18
> To: Gregory Sloop via samba
> Subject: Re: [Samba] DC disaster recovery
>
> ...
>
> So, how do you get the "shared" secret back on the PC that
> matches the secret for the computer account in AD?

No, you create a new one from within the PC.

> The only way I know how to do it is to remove the computer
> from the domain and rejoin. [But that's not resetting the
> computer account. It's nuking the old one and starting over.]
>
> Am I missing something?

ipconfig /registerdns

Should do it.

Greetz,

Louis
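An added example, not from the thread or from the Samba project: the question above is how the workstation's copy of the machine-account secret gets back in sync with the computer object on a DC that was restored from backup. This is the client-side check and repair I would run on the Windows workstation with an elevated PowerShell, using the built-in Test-ComputerSecureChannel and Reset-ComputerMachinePassword cmdlets. The DC hostname, the domain name and the admin account are placeholders to be replaced.

```powershell
# Added example (not from the thread). Run elevated on the affected Windows
# workstation after the Samba AD DC has been restored from an older backup.
# Placeholders: $DomainDC and the credential prompt; adjust for your domain.
$DomainDC = 'dc1.example.internal'   # assumed FQDN of the restored DC

# 1. Check the secure channel between this machine and the DC.
#    $false means the machine password stored locally (LSA secret $MACHINE.ACC)
#    no longer matches the unicodePwd on the DC's computer object, which is
#    exactly what happens when the DC is rolled back past a 30-day rotation.
$channelOk = Test-ComputerSecureChannel -Server $DomainDC -Verbose
if ($channelOk) {
    Write-Host "Secure channel to $DomainDC is healthy; no repair needed."
    return
}

# 2. Repair in place, without leaving and rejoining the domain. With a domain
#    account that is allowed to reset computer passwords, the workstation sets
#    a fresh machine password on the DC and stores it locally. The computer
#    object, its SID and the local user profiles tied to that SID are all kept,
#    so no new profile is created.
$cred = Get-Credential -Message 'Domain account allowed to reset computer passwords'
Test-ComputerSecureChannel -Repair -Server $DomainDC -Credential $cred

# Equivalent explicit form, if you prefer it:
# Reset-ComputerMachinePassword -Server $DomainDC -Credential $cred

# 3. Verify, once via the cmdlet and once via netlogon's own check.
$afterRepair = Test-ComputerSecureChannel -Server $DomainDC
Write-Host "Secure channel after repair: $afterRepair"
nltest /sc_verify:$env:USERDNSDOMAIN
```

Note on ordering: if the computer account's password was also changed on the DC side (for example with samba-tool user setpassword computer_name$ --random-password, as suggested earlier in the thread), the client-side repair above still works, because the repair does not need to know the current password; it authenticates with the supplied admin credential and negotiates a new one. A reboot is not required, but services that cached a failed logon may need restarting.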
Well, that's pretty nifty. Where/how did you find that out?
[Perhaps I'm just like Caveman Thag, and way out of my depth, but I've never seen that before.]

-Greg

LPHvBvs>>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Gregory Sloop via samba
>> Sent: Wednesday 15 July 2020 1:18
>> To: Gregory Sloop via samba
>> Subject: Re: [Samba] DC disaster recovery
LPHvBvs> ...
>> So, how do you get the "shared" secret back on the PC that
>> matches the secret for the computer account in AD?
LPHvBvs> No, you create a new one from within the PC.
>> The only way I know how to do it is to remove the computer
>> from the domain and rejoin. [But that's not resetting the
>> computer account. It's nuking the old one and starting over.]
>> Am I missing something?
LPHvBvs> ipconfig /registerdns
LPHvBvs> Should do it.
LPHvBvs> Greetz,
LPHvBvs> Louis
That... registerdns, oh, that dates back to even WinXP. Damn, I'm getting old... :-/

Greetz,

Louis

From: Gregory Sloop [mailto:gregs at sloop.net]
Sent: Wednesday 15 July 2020 19:46
To: L.P.H. van Belle via samba; L.P.H. van Belle
Subject: Re: [Samba] DC disaster recovery

Well, that's pretty nifty. Where/how did you find that out?
[Perhaps I'm just like Caveman Thag, and way out of my depth, but I've never seen that before.]

-Greg

LPHvBvs>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Gregory Sloop via samba
>> Sent: Wednesday 15 July 2020 1:18
>> To: Gregory Sloop via samba
>> Subject: Re: [Samba] DC disaster recovery
LPHvBvs> ...
>> So, how do you get the "shared" secret back on the PC that
>> matches the secret for the computer account in AD?
LPHvBvs> No, you create a new one from within the PC.
>> The only way I know how to do it is to remove the computer
>> from the domain and rejoin. [But that's not resetting the
>> computer account. It's nuking the old one and starting over.]
>> Am I missing something?
LPHvBvs> ipconfig /registerdns
LPHvBvs> Should do it.
LPHvBvs> Greetz,
LPHvBvs> Louis