[Samba] Disabling password expiry for an AD service account for accessing LDAPS, and security best practices.
Stephen
stephen at ogdenradar.com
Wed Apr 10 14:21:13 UTC 2019
Hi all, I have a couple of Samba 4 DCs on my network and I created a new
service account LDAPReader on my DCs that my non-Samba third-party
services such as Redmine successfully use to access AD via the LDAPS
protocol.
I have a couple of questions that relate to having a service account of
this nature implemented in Samba, and I wondered if the group could
possibly provide some advice?
1) Firstly, for a service account of this type I ideally want to prevent
the password expiring or manually being changed. There is a facility to
do this when you manually create an account in Windows ADUC - there are
two checkboxes "User cannot change password" and "Password never
expires". How would I replicate similar behaviour when I do a create
users at the command-line via samba-tool user create - are there
command-line switches for samba-tool user create that provide such
features? I ask is because I don't want password expiry to ever occur
for this special account because an unanticipated expiry would then
prevent access to all services using LDAP for authentication.
2) Could people provide guidance about security best practices with such
service "AD" accounts not intended for actual human use? Ideally I want
to prevent users actually logging in as LDAPReader, and I obviously want
it to have the absolute bare minimum of permissions required.
Thanks
Stephen Ellwood
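An added example, not from the Samba project or the original post, showing the mechanism behind the "Password never expires" checkbox asked about in question 1: in AD it is bit 0x10000 (UF_DONT_EXPIRE_PASSWD) of the user's userAccountControl attribute, and to my understanding `samba-tool user setexpiry LDAPReader --noexpiry` ORs that same bit in. The functions below make the arithmetic and the resulting LDIF explicit so the change can be reviewed and verified afterwards; the DN, the sam.ldb path and the value 512 are assumed or constructed sample inputs.

```shell
#!/bin/sh
# A plain user object carries 0x200 (NORMAL_ACCOUNT, decimal 512) in
# userAccountControl; "Password never expires" adds 0x10000 (65536).
# "User cannot change password" is not a userAccountControl bit but a deny
# ACE on the object, so it is not covered here.
UF_DONT_EXPIRE_PASSWD=65536   # 0x10000

# Return userAccountControl with the never-expires bit set (idempotent).
uac_with_dont_expire() {
    echo $(( $1 | $UF_DONT_EXPIRE_PASSWD ))
}

# Succeed (exit 0) if the bit is already set, fail otherwise; useful as a
# post-change check against the value read back from the DC.
uac_has_dont_expire() {
    [ $(( $1 & $UF_DONT_EXPIRE_PASSWD )) -ne 0 ]
}

# Emit the LDIF that applies the change to a given DN. On a DC the DN and
# the current value come from ldbsearch; here they are constructed inputs.
ldif_dont_expire() {
    dn=$1
    current=$2
    printf 'dn: %s\nchangetype: modify\nreplace: userAccountControl\nuserAccountControl: %s\n' \
        "$dn" "$(uac_with_dont_expire "$current")"
}

# On a DC (assumed default sam.ldb path), read the current value with
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=LDAPReader)' userAccountControl
# apply the generated LDIF with
#   ldbmodify -H /var/lib/samba/private/sam.ldb never-expire.ldif
# and re-run ldbsearch, passing the result to uac_has_dont_expire.
# Demo with a constructed DN and the NORMAL_ACCOUNT value 512:
ldif_dont_expire "CN=LDAPReader,CN=Users,DC=example,DC=com" 512
```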