On Mon, 2021-11-15 at 17:04 +0100, Jeremy Guasco via samba wrote:
> Hi everyone,
>
> Our 4 DCs (samba 4.14) have kept their initial password (pwdLastSet)
> since their setup 2 years ago.
>
> All other computers in the domain rotate their password often.
>
> We didn't use the "machine password timeout" var.
>
> Is that a normal behavior or should we do something?
Sadly normal. Ideally we would rotate those, and the krbtgt password,
but currently we don't do that.
Rotating DC passwords only, even if not the krbtgt, would be worthwhile,
but only if you can coax the DC into doing NTLM authentication
outbound, but that isn't normally the case.
But we really need to do both.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
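An added check, not part of the thread and not Samba's own tooling, that flags computer accounts whose pwdLastSet is older than a threshold, working from LDIF as returned by an `ldbsearch` query for computer objects. The LDIF below is constructed for the example and the 30-day threshold is an arbitrary choice, not a Samba default.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100-ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a pwdLastSet FILETIME value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: one dict per blank-line-separated record.
    Handles only plain 'attr: value' lines (no base64 '::' or folded lines)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current.setdefault(key, []).append(value.strip())
    if current:
        records.append(current)
    return records


def stale_machine_accounts(ldif: str, now: datetime, max_age_days: int = 30) -> list:
    """Return (sAMAccountName, age_in_days) for accounts whose password is older than max_age_days."""
    stale = []
    for rec in parse_ldif(ldif):
        if "pwdLastSet" not in rec:
            continue
        age = (now - filetime_to_datetime(int(rec["pwdLastSet"][0]))).days
        if age > max_age_days:
            stale.append((rec["sAMAccountName"][0], age))
    return stale


# Constructed sample: two DCs still on their provisioning-time password, one workstation rotated recently.
NOW = datetime(2021, 11, 15, 17, 4, tzinfo=timezone.utc)
SAMPLE_LDIF = f"""dn: CN=DC1,OU=Domain Controllers,DC=example,DC=com
sAMAccountName: DC1$
pwdLastSet: {datetime_to_filetime(datetime(2019, 11, 10, tzinfo=timezone.utc))}

dn: CN=DC2,OU=Domain Controllers,DC=example,DC=com
sAMAccountName: DC2$
pwdLastSet: {datetime_to_filetime(datetime(2019, 11, 12, tzinfo=timezone.utc))}

dn: CN=WS01,CN=Computers,DC=example,DC=com
sAMAccountName: WS01$
pwdLastSet: {datetime_to_filetime(datetime(2021, 11, 1, tzinfo=timezone.utc))}
"""
```

Running `stale_machine_accounts(SAMPLE_LDIF, NOW)` reports the two DC accounts with ages just over 730 days and leaves the workstation out; feed it real `ldbsearch` output of computer objects with `sAMAccountName` and `pwdLastSet` attributes to audit a domain.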