Also, as another data point, there is another thread currently going on in this mailing list: https://lists.fedorahosted.org/archives/list/[email protected]/thread/LD754UXTSMZOJTGDQPO3KG67TKTFMARA/ that seems to imply that the machine password DOES need to be changed periodically.
I honestly don't know the answer on this one. Again, from my research it appears that unless there is custom software in the AD that removes systems if their entries are not 'fresh' enough, machines should not need to have their passwords changed; it appears to be a client requirement in Windows, not an AD-enforced requirement. See here: https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/

I certainly hope I am right on this one, otherwise I am going to have ~600 systems that are going to have a hell of a time logging in very soon :). I hope that adcli patches come through to RHEL soon so I can just have both the keytab and the secrets.tdb updated by one program and everything will be kept in sync.

It would seem to me that it is a really good idea to change the machine password, but as mentioned, right now there appears to be no reliable way to do that.

-Erinn
