RHEL 6.x Active Directory integration and machine password resets

Latest response

Apologies in advance as I have raised a similar topic in the Active Directory integration page but I am hoping it gets some more visibility here (and I have more details):
https://access.redhat.com/articles/216933

When joining a Linux server to a Windows active directory domain a machine account is created for the server. This machine account is essentially the same as a user account but for the server. By default 2000+ domains set a password expiry on the account of 30 days. This expiry isn't exactly the same as a user account expiry and regular/schedule resets are actually managed/reset by the server joining the domain.

This is where the questions start. When following "Integrating Red Hat Enterprise Linux 6 with Active Directory" configuration 3 "SSSD/Kerberos/LDAP" (a common configuration) the following occurs in regards to AD join:
- Minimal Samba configuration is created
- Server is joined to the domain using 'net ads join' which references the minimal Samba configuration

My concern is that when 'net ads join' creates the machine object in Active Directory it sets the PasswordNeverExpires property to true, this can be seen in Active Directory using the following PowerShell

Get-ADComputer -Properties PasswordNeverExpires -Filter {PasswordNeverExpires -eq $True} | FT Name

The problem with this is essentially two fold, having an 'account' in AD with a non-expiring password is a potential security conern, and possibly a red flag during audit, and secondly it makes it difficult to cleanup machine accounts which are generally cleaned up based on a property like PasswordLastSet ie. when servers haven't refreshed their password for X days/months.

In the Windows world the netlogon service handles this scheduled/regular password reset when the password has reached 30 days of age. This process is detailed on the following Microsoft page
http://blogs.technet.com/b/askds/archive/2009/02/15/test2.aspx

Interestingly, I haven't been able to find much information on how this process occurs in Linux. From looking at AD joined Linux servers, it appears after the initial join the password reset never occurs (thus the PasswordNeverExpires option being set to ensure continued access).

I have read a suggestion that the Winbind service takes care of the regular password resets in Linux but I haven't been able to find any specific information on this. In the integration method outlined in the document, Winbind service isn't running and smb.conf is only used for the join. I tested running the Winbind service on a server with an 'expired' (older than 30 days) machine account and it didn't appear to update.

Interestingly while looking for an answer I also found the following comment on a squid wiki:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

append the following to cron to regularly change the computer account password - Wiki note: Need to research if Samba does this automatically.

05  4  *   *   *     net rpc changetrustpw -d 1 | logger -t changetrustpw

In this configuration they are using cron to do the machine password reset daily (more frequently than required), but the note is essentially asking the same question, what service is responsible this regular/scheduled process?

There is an equivalent changetrustpw which resets the machine account in AD that can be tiggered with the following net ads command:

net ads changetrustpw

I have confirmed that this does exactly what you would expect Netlogon on Windows to do, the machine password is updated and the PasswordLastSet value is updated in Active Directory. So this is the command that needs to run (on a regular interval/schedule) but it appears nothing runs it at a regular interval.

Last point I wanted to mention was that I have seen Linux hosts joined to Active Directory using Centrify and they don't appear to have PasswordNeverExpires set.

So I am interested to know, what are people doing for Linux server machine account passwords in Active Directory? Can anyone else confirm that their AD joined servers have PasswordNeverExpires set?
How are people cleaning up old/expired Linux machine accounts from Active Directory (please ask your friendly Windows admin!)

-edit-

Doing some more reading I found the following note in the msktutil (available in EPEL) documentation pages regarding machine account password expiry:

Password Expiry

Be aware that Windows machines will, by default, automatically change their account password every 30 days, and thus many domains have a 90-day password expiry window, after which your keytab will stop working. There are two ways to deal with this:

a) (Preferred): Make sure you're running a daily cron job to run msktutil --auto-update, which will change the password automatically 30 days after it was last changed and update the keytab.

b) (Not preferred): disable password expiry for the account via the --dont-expire-password option (or otherwise setting DONT_EXPIRE_PASSWORD flag in userAccountControl in AD). 

It suggests running a cronjob daily to auto update the password by calling the tool.. interestinly also advises against setting no expire too.

Responses

It appears this thread hasn't drawn too much interest, but I will continue updating it with what I find (unless I get some confirmation from RH?)

I just downloaded the source RPM of adcli from RHEL 7 and compiled it for RHEL 6. This tool appears far superior to the Samba 'net' method of joining but still creates the machine account in Active Directory with the property PasswordNeverExpires set to true.

Looking through the adcli documentation I also can't find any option to change this default configuration when joining.

Interestingly there also doesn't seem to be an equivalent to changetrustpw with adcli either. The closest thing I can find is:

adcli reset-computer

Which has some interesting documentation:
adcli reset-computer resets a computer account in the domain. If a the appropriate machien is currently joined to the domain, then it´s membership will be broken. The account must already exist. (sic)

I'll see if I can track down an authoritative response on this one for you.

What is the package name in RHEL6 to get adcli command?

They haven't added it as far as I can tell but Fedora Project has it upstream in EPEL respository: https://dl.fedoraproject.org/pub/epel/6/x86_64/repoview/adcli.html

It appears this was a known issue and is now addressed in RHEL 6.8.

From the release notes:

SSSD is now able to automatically renew the host credentials of Linux clients joined to AD
Certain Windows utilities can remove hosts from Active Directory (AD) after their password has not been updated for a long time. This is because these utilities consider such clients inactive.
With this feature, the host password of Linux clients joined to AD is regularly updated, which indicates the client is still actively used. As a result, Red Hat Enterprise Linux clients joined to AD are not removed in the described situation.

Link here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.8_Release_Notes/new_features_authentication_and_interoperability.html