My first experience with SSSD for SFTP authentication was having a highly 
critical system's authentication going off because I didn't know about adcli, 
so I didn't install it. After exactly 30 days, the AD server changed that 
machine account's password, but the Linux server didn't. Those were rough days. 
So, I'm pretty sure that updating the machine account's password is a must 
unless you disable password age on your AD domain: 
https://support.microsoft.com/en-us/help/154501/how-to-disable-automatic-machine-account-password-changes

Regarding the smb.conf, for some reason I never got "kerberos method = system 
keytab" to work. I had to set either "kerberos method = dedicated keytab" or 
"kerberos method = secrets and keytab" along with the keytab's path. 
Looks like samba can't find the "system keytab", even though it's in 
/etc/krb5.keytab. 
I will consider this setup and let you know if I ever get it working.
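A check for the symptom described above (a host keytab that has not been refreshed within AD's 30-day window), added here as an example and not code from either poster: it parses `klist -kt` output and flags principals whose newest entry is older than the threshold. The sample listing, the host name sftp01.example.com and the timestamp layout are constructed assumptions.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample of `klist -kt /etc/krb5.keytab` output (MIT Kerberos, C locale);
# the "%m/%d/%Y %H:%M:%S" timestamp layout is an assumption, not taken from a real host.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 09/05/2018 10:11:12 host/sftp01.example.com@EXAMPLE.COM
   2 09/05/2018 10:11:12 SFTP01$@EXAMPLE.COM
   3 10/08/2018 08:00:00 host/sftp01.example.com@EXAMPLE.COM
   3 10/08/2018 08:00:00 SFTP01$@EXAMPLE.COM
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$")


def parse_keytab_listing(text):
    """Map each principal to (kvno, timestamp) of its highest-KVNO entry."""
    newest = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, separator or unrecognised line
        kvno, stamp, princ = int(m.group(1)), m.group(2), m.group(3)
        ts = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
        if princ not in newest or kvno > newest[princ][0]:
            newest[princ] = (kvno, ts)
    return newest


def stale_principals(text, now_iso, max_age_days=30):
    """Principals whose newest entry is older than max_age_days at now_iso (ISO 8601)."""
    now = datetime.fromisoformat(now_iso)
    return {princ: (now - ts).days
            for princ, (kvno, ts) in parse_keytab_listing(text).items()
            if (now - ts).days > max_age_days}


if __name__ == "__main__":
    # Live check: read the real keytab listing and compare against the current time.
    listing = subprocess.run(["klist", "-kt", "/etc/krb5.keytab"],
                             capture_output=True, text=True, check=True).stdout
    for princ, age in stale_principals(listing, datetime.now().isoformat()).items():
        print(f"WARNING: {princ} keytab entry is {age} days old; run adcli update")
```

The keytab timestamp only shows when the local copy was last written, so a stale entry is the local symptom of the mismatch described above, not proof that AD has already rotated the password.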

    On Friday, 12 October 2018 17:23:01 BRT, Erinn Looney-Triggs 
<erinn.looneytri...@gmail.com> wrote:  

Also, as another data point, there is another thread currently going on in this 
mailing list: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/LD754UXTSMZOJTGDQPO3KG67TKTFMARA/
that seems to imply that the machine password DOES need to be changed 
periodically. 

I honestly don't know the answer on this one. Again, from my research it appears 
that unless there is custom software in the AD that removes systems if their 
entries are not 'fresh' enough, machines should not need to have their passwords 
changed; it appears to be a client requirement in Windows, not an AD-enforced 
requirement, see here: 
https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/

I certainly hope I am right on this one, otherwise I am going to have ~600 
systems that are going to have a hell of a time logging in very soon :). I hope 
that adcli patches come through to RHEL soon so I can just have both the keytab 
and the secrets.tdb updated by one program and everything will be kept in sync. 
It would seem to me that it is a really good idea to change the machine 
password, but as mentioned, right now there appears to be no reliable way to do 
that.

-Erinn
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
  