On 25-02-2024 11:56, Marco Gaiarin via samba wrote:
> I need to access the LDAP AD server from a Debian box, but I don't need
> shares nor winbind.
>
> For the sake of simplicity I'm thinking to use the machine account (-P).

There is "net changetrustpw" to do this.

When you domain-join the machine the machine password is managed by winbind, so you don't need to do this. When you do not join the machine, there is no reason to have a machine account.

If you just have a service that does LDAP-queries, I would create an ordinary user-account for it (and start its name e.g. with "svc_"). With this you decide easily how to manage the password. Or if you use kerberos for this account, you can set the password with samba-tool to a random very long value and use a SPN and keytab for authentication, no hassle with passwords at all...

- Kees.

> I can join the box, but if I keep winbind and nmbd/smbd off, how can I renew
> the machine account?
>
> Thanks.
Hello! Kees van Vloten via samba, on that day, said...

>> For the sake of simplicity I'm thinking to use the machine account (-P).
> There is "net changetrustpw" to do this.

Ok, I'd missed that. Thanks.

> If you just have a service that does LDAP-queries, I would create an
> ordinary user-account for it (and start its name e.g. with "svc_").

This is my first option; I was only speculating...

> With this you decide easily how to manage the password. Or if you use
> kerberos for this account, you can set the password with samba-tool to a
> random very long value and use a SPN and keytab for authentication, no
> hassle with passwords at all...

Interesting... I supposed that Kerberos tickets still have to be 'upgraded', so... is there really a way to generate a 'permanent' Kerberos ticket? Some info on how to do this?

Thanks.

--
In love you need luck, but a nice arse doesn't hurt either. (Fabio Fazio)
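The "svc_" account with a random password, SPN and keytab that Kees describes, together with the unattended ticket renewal Marco asks about, as an added example that is not part of this thread. The realm, host names, account name, base DN and keytab path are assumptions; the commands are samba-tool on the Samba AD DC and MIT kinit/klist plus OpenLDAP ldapsearch on the Debian client.

```shell
#!/bin/sh
# Added example (not from the thread): provision a "svc_" account for LDAP
# queries, bind it to an SPN, export a keytab, and renew its ticket from the
# keytab without a password. Realm, names and paths below are assumptions.
set -eu

REALM="AD.EXAMPLE.COM"                       # assumed Kerberos realm
BASE_DN="DC=ad,DC=example,DC=com"            # assumed LDAP base DN
DC_HOST="dc1.ad.example.com"                 # assumed domain controller
SVC_USER="svc_ldapquery"                     # assumed account name
CLIENT_FQDN="client.ad.example.com"          # assumed client host
KEYTAB="/etc/krb5.svc_ldapquery.keytab"      # assumed keytab path

# Run on the DC as root: the password is random and never typed by a human.
provision_service_account() {
    samba-tool user create "$SVC_USER" --random-password \
        --description="LDAP query service account"
    # The keytab holds keys derived from this password; keep policy-driven
    # expiry from silently invalidating it.
    samba-tool user setexpiry "$SVC_USER" --noexpiry
    # Register the SPN so the account is usable as a Kerberos service principal.
    samba-tool spn add "ldapquery/$CLIENT_FQDN" "$SVC_USER"
    # Export only this account's keys; copy the file to the client securely.
    samba-tool domain exportkeytab "$KEYTAB" --principal="$SVC_USER@$REALM"
}

# A keytab is a long-lived credential: only its owner may read it.
# Returns 0 when the file exists and all group/other permission bits are clear.
check_keytab_perms() {
    [ -f "$1" ] || return 1
    perm=$(ls -ld "$1" | cut -c5-10)   # group+other bits of the mode string
    [ "$perm" = "------" ]
}

# Run on the client (e.g. from cron before the ticket expires): a fresh TGT
# from the keytab gives the "permanent" access asked about in the thread.
refresh_ticket() {
    check_keytab_perms "$KEYTAB" || { echo "refusing readable keytab" >&2; return 1; }
    kinit -k -t "$KEYTAB" "$SVC_USER@$REALM"
    klist -s                              # exit 0 only if a valid ticket is cached
}

# Query AD over LDAP with GSSAPI, authenticating with the cached ticket.
ldap_query() {
    ldapsearch -Y GSSAPI -H "ldap://$DC_HOST" -b "$BASE_DN" \
        "(sAMAccountName=$1)" dn
}
# Usage: provision_service_account (on the DC); refresh_ticket && ldap_query alice (on the client).
```

The ticket itself still expires like any TGT; what removes the password hassle is that the keytab supplies the key, so refresh_ticket can run unattended whenever a new ticket is needed.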
Hello! Kees van Vloten via samba, on that day, said...

> There is "net changetrustpw" to do this.

I've just joined the firewall to the domain correctly; I can check the join status:

root@vfwacpn1:~# net ads testjoin
Join is OK

but if I try to renew the credentials I get:

root@vfwacpn1:~# net ads changetrustpw -I 10.172.1.8
Changing password for principal: vfwacpn1$@AD.MYDOMAIN.IT
Password change failed: No more connections can be made to this remote computer at this time because the computer has already accepted the maximum number of connections.

Thanks.

--
Microsoft is to Software as McDonalds is to Cuisine.