From: Steve Thompson on 29 Apr 2010 17:40

On Tue, 6 Apr 2010, Steve Thompson wrote:

> Samba 3.x.y (various) on CentOS 5.4 x86_64 with the ldapsam backend; one PDC,
> two BDC's and about a dozen member servers. The configuration file on each of
> course specifies the "ldap admin dn" and each system has the associated
> password specified with "smbpasswd -w". Question is: how often is the ldap
> admin actually used for anything, such that if I change the real password
> associated with the account, how much grace do I get before I have to run
> "smbpasswd -w" on each member server, all without restarting smb?

No-one responded to this, so I did a little experiment. I changed the password in the LDAP database for the account corresponding to ldap admin dn, and then changed the password in secrets.tdb on all my Linux member servers (+PDC+BDC) using "smbpasswd -w". Immediately (within a minute or so) all Windows clients joined to the domain and logged in to a domain account hung. Changed the ldap admin dn password back to its former value, and all the clients continued from where they were with no apparent ill effects.

So the question is: if the ldap admin dn password is changed, do the clients have to be rejoined to the domain? I'd really like to change this password periodically, so I hope that this is not the case. I've been unable to find any documentation that touches on this point.

Steve

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

From: John Drescher on 29 Apr 2010 17:50

On Thu, Apr 29, 2010 at 5:37 PM, Steve Thompson <smt(a)vgersoft.com> wrote:
> On Tue, 6 Apr 2010, Steve Thompson wrote:
>
>> Samba 3.x.y (various) on CentOS 5.4 x86_64 with the ldapsam backend; one
>> PDC, two BDC's and about a dozen member servers. The configuration file on
>> each of course specifies the "ldap admin dn" and each system has the
>> associated password specified with "smbpasswd -w". Question is: how often is
>> the ldap admin actually used for anything, such that if I change the real
>> password associated with the account, how much grace do I get before I have
>> to run "smbpasswd -w" on each member server, all without restarting smb?
>
> No-one responded to this, so I did a little experiment. I changed the
> password in the LDAP database for the account corresponding to ldap admin
> dn, and then changed the password in secrets.tdb on all my Linux member
> servers (+PDC+BDC) using "smbpasswd -w". Immediately (within a minute or so)
> all Windows clients joined to the domain and logged in to a domain account
> hung. Changed the ldap admin dn password back to its former value, and all
> the clients continued from where they were with no apparent ill effects. So
> the question is: if the ldap admin dn password is changed, do the clients
> have to be rejoined to the domain? I'd really like to change this password
> periodically, so I hope that this is not the case. I've been unable to find
> any documentation that touches on this point.
>

I believe when I changed the ldap admin / Manager password I needed to restart the samba servers on the pdc and my 3 bdcs after updating the secrets on each machine. All has been well after this.

John

From: Steve Thompson on 30 Apr 2010 09:20

On Thu, 29 Apr 2010, John Drescher wrote:

> On Thu, Apr 29, 2010 at 5:37 PM, Steve Thompson <smt(a)vgersoft.com> wrote:
>> I changed the password in the LDAP database for the account
>> corresponding to ldap admin dn, and then changed the password in
>> secrets.tdb on all my Linux member servers (+PDC+BDC) using "smbpasswd
>> -w". Immediately (within a minute or so) all Windows clients joined to
>> the domain and logged in to a domain account hung.
> I believe when I changed the ldap admin / Manager password I needed to
> restart the samba servers on the pdc and my 3 bdcs after updating the
> secrets on each machine. All has been well after this.

Yes, I did restart the samba server on the PDC and the two BDC's, but the clients hung anyway. Putting the password back the way it was allowed the clients to continue. I will need to build a test rig.

Steve