samba - Feb 2024 - 'Scripted' machine account renewal?!

I need to access the LDAP AD server from a debian box, but i don't need
shares nor winbind.

For a sake of simplicity i'm thinking to use machine account (-P).


I can join the box, but if i keep winbind and nmbd/smbd off, how can i renew
machine account?


Thanks.

-- 
  M.C.S.E: Minesweeper Consultant & Solitaire Expert

On 25-02-2024 11:56, Marco Gaiarin via samba wrote:
> I need to access the LDAP AD server from a debian box, but i don't need
> shares nor winbind.
>
> For a sake of simplicity i'm thinking to use machine account (-P).
There is "net changetrustpw" to do this.

When you domain-join the machine the machine password is managed by 
winbind, so you don't need to this.

When you do not join the machine, there is no reason to have a machine 
account.

If you just have a service that does LDAP-queries, I would create an 
ordinary user-account for it (and start it's name e.g. with
"svc_").
With this you decide easily how to manage the password. Or if you use 
kerberos for this account, you can set the password with samba-tool to a 
random very long value and use a SPN and keytab for authentication, no 
hassle with passwords at all...

- Kees.
>
>
> I can join the box, but if i keep winbind and nmbd/smbd off, how can i
renew
> machine account?
>
>
> Thanks.
>