On Wed, 23 Apr 2025 14:35:16 +0200 Kacper Wirski via samba <samba at lists.samba.org> wrote:
> What is the best approach to change samba ad dc's own password?
> Windows machines change periodically, linux domain members can simply
> re-join domain, but when it comes to DC's I can't find any
> recommended steps? Is re-joining domain as domain controller viable
> and doesn't create issues?
>
> I'm using latest samba on debian bookworm from packages, not just
> quite ready to update to the backports version, so it's still 4.17.
>
> Regards,
>
> Kacper

Depends which password you are referring to, a computer's or the krbtgt user.

First is easy, log on to the computer, then run:

sudo net ads changetrustpw

For krbtgt, then read this:

https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_reset_krbtgt.html

Rowland

For this I'm using the script from Kees, which can be found here:

https://github.com/kvvloten/samba_integrations/tree/main/domain_controller/manage_scripts

This does both for you, changing the DC computer password and the krbtgt password.

Regards

Ingo
https://github.com/WAdama

Thank you, I already changed krbtgt, I meant the computer account. Does changing the domain controller password with this command require a restart of the samba service, won't it interrupt replication between controllers etc.? I have 3 DCs in my environment, that's why I'm asking.

Regards,

Kacper

Hello,

net ads changetrustpw

this command works fine on domain members, but on a domain controller there is a hard fail with:

ads_change_trust_account_password: Machine account password change only supported on a DOMAIN_MEMBER

On 23.04.2025 at 15:32, Rowland Penny via samba wrote:
> net ads changetrustpw