RHEL 6.x Active Directory integration and machine password resets

Latest response

Apologies in advance as I have raised a similar topic in the Active Directory integration page but I am hoping it gets some more visibility here (and I have more details):

When joining a Linux server to a Windows active directory domain a machine account is created for the server. This machine account is essentially the same as a user account but for the server. By default 2000+ domains set a password expiry on the account of 30 days. This expiry isn't exactly the same as a user account expiry and regular/schedule resets are actually managed/reset by the server joining the domain.

This is where the questions start. When following "Integrating Red Hat Enterprise Linux 6 with Active Directory" configuration 3 "SSSD/Kerberos/LDAP" (a common configuration) the following occurs in regards to AD join:
- Minimal Samba configuration is created
- Server is joined to the domain using 'net ads join' which references the minimal Samba configuration

My concern is that when 'net ads join' creates the machine object in Active Directory it sets the PasswordNeverExpires property to true, this can be seen in Active Directory using the following PowerShell

Get-ADComputer -Properties PasswordNeverExpires -Filter {PasswordNeverExpires -eq $True} | FT Name

The problem with this is essentially two fold, having an 'account' in AD with a non-expiring password is a potential security conern, and possibly a red flag during audit, and secondly it makes it difficult to cleanup machine accounts which are generally cleaned up based on a property like PasswordLastSet ie. when servers haven't refreshed their password for X days/months.

In the Windows world the netlogon service handles this scheduled/regular password reset when the password has reached 30 days of age. This process is detailed on the following Microsoft page

Interestingly, I haven't been able to find much information on how this process occurs in Linux. From looking at AD joined Linux servers, it appears after the initial join the password reset never occurs (thus the PasswordNeverExpires option being set to ensure continued access).

I have read a suggestion that the Winbind service takes care of the regular password resets in Linux but I haven't been able to find any specific information on this. In the integration method outlined in the document, Winbind service isn't running and smb.conf is only used for the join. I tested running the Winbind service on a server with an 'expired' (older than 30 days) machine account and it didn't appear to update.

Interestingly while looking for an answer I also found the following comment on a squid wiki:

append the following to cron to regularly change the computer account password - Wiki note: Need to research if Samba does this automatically.

05  4  *   *   *     net rpc changetrustpw -d 1 | logger -t changetrustpw

In this configuration they are using cron to do the machine password reset daily (more frequently than required), but the note is essentially asking the same question, what service is responsible this regular/scheduled process?

There is an equivalent changetrustpw which resets the machine account in AD that can be tiggered with the following net ads command:

net ads changetrustpw

I have confirmed that this does exactly what you would expect Netlogon on Windows to do, the machine password is updated and the PasswordLastSet value is updated in Active Directory. So this is the command that needs to run (on a regular interval/schedule) but it appears nothing runs it at a regular interval.

Last point I wanted to mention was that I have seen Linux hosts joined to Active Directory using Centrify and they don't appear to have PasswordNeverExpires set.

So I am interested to know, what are people doing for Linux server machine account passwords in Active Directory? Can anyone else confirm that their AD joined servers have PasswordNeverExpires set?
How are people cleaning up old/expired Linux machine accounts from Active Directory (please ask your friendly Windows admin!)


Doing some more reading I found the following note in the msktutil (available in EPEL) documentation pages regarding machine account password expiry:

Password Expiry

Be aware that Windows machines will, by default, automatically change their account password every 30 days, and thus many domains have a 90-day password expiry window, after which your keytab will stop working. There are two ways to deal with this:

a) (Preferred): Make sure you're running a daily cron job to run msktutil --auto-update, which will change the password automatically 30 days after it was last changed and update the keytab.

b) (Not preferred): disable password expiry for the account via the --dont-expire-password option (or otherwise setting DONT_EXPIRE_PASSWORD flag in userAccountControl in AD). 

It suggests running a cronjob daily to auto update the password by calling the tool.. interestinly also advises against setting no expire too.