[Samba] Disabling password expiry for an AD service account for accessing LDAPS, and security best practices.

Stephen stephen at ogdenradar.com
Wed Apr 10 14:21:13 UTC 2019

Hi all, I have a couple of Samba 4 DCs on my network and I created a new 
service account LDAPReader on my DCs that my non-Samba third-party 
services such as Redmine successfully use to access AD via LDAPS.

I have a couple of questions that relate to having a service account of 
this nature implemented in Samba and I wondered if the group could 
possibly provide some advice?

1) Firstly, for a service account of this type I ideally want to prevent 
the password expiring or manually being changed. There is a facility to 
do this when you manually create an account in Windows ADUC - there are 
two checkboxes "User cannot change password" and "Password never 
expires". How would I replicate similar behaviour when I create 
users at the command line via samba-tool user create - are there 
command-line switches for samba-tool user create that provide such 
features? I ask because I don't want password expiry to ever occur 
for this special account because an unanticipated expiry would then 
prevent access to all services using LDAP for authentication.

2) Could people provide guidance about security best practices with such 
service "AD" accounts not intended for actual human use? Ideally I want 
to prevent users actually logging in as LDAPReader, and I obviously want 
it to have the absolute bare minimum of permissions required.

Stephen Ellwood
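Added example (not part of the original post): a small POSIX shell script showing how the "Password never expires" behaviour asked about in question 1 maps onto the userAccountControl attribute, and how to set and then verify it on a Samba AD DC. It assumes the script runs as root on a DC, that the account is called LDAPReader, that an OU named ServiceAccounts exists, and that sam.ldb lives at the default Samba path; the "User cannot change password" checkbox is a deny ACE on the object rather than a userAccountControl bit, so it is not covered here.

```shell
#!/bin/sh
# Hardening helpers for a read-only LDAPS bind account on a Samba AD DC.
# Assumptions (placeholders, not from the original post): account name,
# OU name and the sam.ldb path below.
ACCOUNT="${ACCOUNT:-LDAPReader}"
SERVICE_OU="${SERVICE_OU:-OU=ServiceAccounts}"
SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"

# userAccountControl bits relevant to a service account.
UAC_ACCOUNTDISABLE=2             # 0x0002
UAC_NORMAL_ACCOUNT=512           # 0x0200
UAC_DONT_EXPIRE_PASSWD=65536     # 0x10000 = "Password never expires" in ADUC

# Return 0 (true) if a decimal userAccountControl value has the
# DONT_EXPIRE_PASSWD bit set, 1 otherwise. Pure arithmetic, no DC needed.
uac_has_dont_expire() {
    [ $(( $1 & UAC_DONT_EXPIRE_PASSWD )) -ne 0 ]
}

# Print a short human-readable summary of the flags a practitioner
# checks on a service account (enabled? normal account? no expiry?).
uac_describe() {
    d=$(( $1 & UAC_ACCOUNTDISABLE ))
    n=$(( $1 & UAC_NORMAL_ACCOUNT ))
    e=$(( $1 & UAC_DONT_EXPIRE_PASSWD ))
    printf 'disabled=%s normal=%s never_expires=%s\n' \
        "$([ "$d" -ne 0 ] && echo yes || echo no)" \
        "$([ "$n" -ne 0 ] && echo yes || echo no)" \
        "$([ "$e" -ne 0 ] && echo yes || echo no)"
}

# Create the account with a generated password (no reusable human secret)
# and a description that says what it is for, so it is easy to audit.
create_service_account() {
    samba-tool user create "$ACCOUNT" --random-password \
        --description "Service account: read-only LDAPS binds" \
        --userou "$SERVICE_OU"
}

# Equivalent of ticking "Password never expires": samba-tool sets the
# DONT_EXPIRE_PASSWD bit in userAccountControl for the account.
set_never_expires() {
    samba-tool user setexpiry "$ACCOUNT" --noexpiry
}

# Read userAccountControl back from the local SAM and check the bit,
# so a change is confirmed rather than assumed.
verify_never_expires() {
    uac=$(ldbsearch -H "$SAM_DB" "(sAMAccountName=$ACCOUNT)" userAccountControl \
          | awk '/^userAccountControl:/ { print $2 }')
    uac_has_dont_expire "${uac:-0}"
}
```

Run `create_service_account`, `set_never_expires` and then `verify_never_expires` in that order on the DC; the verify step exits non-zero if the bit did not land.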

