On Mon, 2021-11-15 at 17:04 +0100, Jeremy Guasco via samba wrote:
> Hi everyone,
>
> Our 4 DCs (samba 4.14) have kept their initial password (pwdLastSet)
> since their setup 2 years ago.
>
> All other computers from the domain rotate their password often.
>
> We didn't use the "machine password timeout" var.
>
> Is that a normal behavior or should we do something?

Sadly normal. Ideally we would rotate those, and the krbtgt password,
but currently we don't do that.

Rotating DC passwords only, even if not the krbtgt, would be worthwhile,
but only if you can coax the DC into doing NTLM authentication
outbound, but that isn't normally the case.

But we really need to do both.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
On 15-11-2021 20:35, Andrew Bartlett via samba wrote:
> On Mon, 2021-11-15 at 17:04 +0100, Jeremy Guasco via samba wrote:
>> Hi everyone,
>>
>> Our 4 DCs (samba 4.14) have kept their initial password (pwdLastSet)
>> since their setup 2 years ago.
>>
>> All other computers from the domain rotate their password often.
>>
>> We didn't use the "machine password timeout" var.
>>
>> Is that a normal behavior or should we do something?
>
> Sadly normal. Ideally we would rotate those, and the krbtgt password,
> but currently we don't do that.
>
> Rotating DC passwords only, even if not the krbtgt, would be worthwhile,
> but only if you can coax the DC into doing NTLM authentication
> outbound, but that isn't normally the case.
>
> But we really need to do both.
>
> Andrew Bartlett

For krbtgt I use the script provided in the samba git repo:
https://gitlab.com/samba-team/samba/raw/v<version>-stable/source4/scripting/devel/chgkrbtgtpass

It is scheduled in cron to run monthly.

I have not seen anything for the DC password, though.

- Kees
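As an added example, not part of this thread or of the Samba project, here is a POSIX shell check that reports machine accounts whose pwdLastSet is older than a threshold, the kind of thing one could run from cron next to the krbtgt job to notice DCs that never rotated. The LDIF sample is constructed; the ldbsearch query in the comment is an assumption about how such records would be pulled from a Samba DC's sam.ldb.

```shell
# Constructed sample of what an LDIF query for domain controller accounts
# might return, e.g. (assumed query, not from the thread):
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#     '(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))' \
#     sAMAccountName pwdLastSet
# Values below are made up: DC1 set 730 days before "now", DC2 10 days before,
# DC3 has pwdLastSet 0 (never set / change forced).
SAMPLE_LDB_OUTPUT='# record 1
dn: CN=DC1,OU=Domain Controllers,DC=example,DC=com
sAMAccountName: DC1$
pwdLastSet: 132183360000000000

# record 2
dn: CN=DC2,OU=Domain Controllers,DC=example,DC=com
sAMAccountName: DC2$
pwdLastSet: 132805440000000000

# record 3
dn: CN=DC3,OU=Domain Controllers,DC=example,DC=com
sAMAccountName: DC3$
pwdLastSet: 0
'

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# 11644473600 seconds separate 1601-01-01 from the Unix epoch.
filetime_to_unix() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# Read LDIF on stdin; print "<account> <age_days>" for every account whose
# password is older than $2 days relative to "now" = $1 (Unix seconds, passed
# in explicitly so the check is reproducible). A value of 0 is reported as
# "never-set", which is worth a look on a DC as much as a very old password.
stale_machine_passwords() {
    now=$1; max_days=$2; acct=''
    while IFS= read -r line; do
        case $line in
            'sAMAccountName: '*) acct=${line#sAMAccountName: } ;;
            'pwdLastSet: '*)
                ticks=${line#pwdLastSet: }
                if [ "$ticks" -eq 0 ]; then
                    echo "$acct never-set"
                else
                    age_days=$(( (now - $(filetime_to_unix "$ticks")) / 86400 ))
                    [ "$age_days" -gt "$max_days" ] && echo "$acct $age_days"
                fi
                ;;
        esac
    done
    return 0
}

# Example run: "now" is 2021-11-15 00:00 UTC, flag anything older than 30 days.
printf '%s\n' "$SAMPLE_LDB_OUTPUT" | stale_machine_passwords 1636934400 30
```

In practice the sample variable would be replaced by piping the ldbsearch output straight into stale_machine_passwords with `$(date +%s)` as the first argument.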