[Authentication] keytab and pw expiration
Sumit Bose
sbose at redhat.com
Wed Sep 28 09:44:08 UTC 2016
On Wed, Sep 28, 2016 at 10:45:10AM +0200, Stephan Müller wrote:
> Hi all,
>
> I joined my Linux box into a Win2012 AD via "realm join"; everything OK so
> far. What about machine account password expiration, will the generated
> keytab file eventually expire?

Technically the machine account password expires, but by default AD does
not enforce a renewal in contrast to user accounts. Nevertheless there
are tools which try to detect unused hosts by checking when the machine
account password was renewed the last time and remove the host if this
time is longer than a configurable threshold. BTW, other tools might use
the dynamic DNS update for this, search for 'DNS Scavenging' for
details.

> Do I have to keep it up to date, if so how?

Since version 1.13.4 SSSD can renew the machine account password with
the help of adcli-0.8 or later.

IIRC Samba can do automatic updates as well, but you have to run smbd
together with winbind to make it work.

You can use adcli-0.8 or later, Samba's net utility or msktutil to renew
the machine account password and update the keytab manually.

HTH

bye,
Sumit

>
> Cheers Stephan
> _______________________________________________
> Authentication mailing list
> Authentication at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/authentication
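
Added example, not part of the original message or of any project named in it: a host-side counterpart to the staleness checks described in the reply. It parses an MIT keytab (file format 0x0502) and reports the days since the newest key was written, assuming the keytab is rewritten only on join and on password renewal; the realm, host name and keys are constructed sample data.

```python
import struct
import time

def _counted(buf, off):  # 16-bit length-prefixed string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype, timestamp)] from keytab bytes (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # deleted entry ("hole"): skip its bytes
            pos -= size
            continue
        buf = data[pos:pos + size]
        if len(buf) < size:
            raise ValueError("truncated keytab entry")
        pos += size
        (ncomp,) = struct.unpack_from(">H", buf, 0)
        realm, off = _counted(buf, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(buf, off)
            comps.append(comp.decode())
        _ntype, ts, kvno, enctype = struct.unpack_from(">IIBH", buf, off)
        _key, off = _counted(buf, off + 11)
        if len(buf) - off >= 4:           # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", buf, off)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype, ts))
    return entries

def days_since_last_renewal(entries, now=None):
    """Age in days of the newest key, i.e. time since the keytab was last updated."""
    now = time.time() if now is None else now
    return (now - max(ts for _, _, _, ts in entries)) / 86400

def _entry(realm, comps, ts, kvno):  # builds one constructed sample entry (AES256, zero key)
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(s(c) for c in comps)
    body += struct.pack(">IIBH", 1, ts, kvno & 0xFF, 18) + s(bytes(32)) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: two key versions for a made-up host in a made-up realm.
SAMPLE = b"\x05\x02" + b"".join(_entry(b"EXAMPLE.TEST", [b"host", b"box.example.test"], ts, kvno)
                                 for ts, kvno in ((1470000000, 2), (1475000000, 3)))
```

On a real host the input would be the bytes of the system keytab, and the result would be compared against whatever threshold the directory-side cleanup tooling uses.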