[Samba] Disabling password expiry for an AD service account for accessing LDAPS, and security best practices.

Rowland Penny rpenny at samba.org
Wed Apr 10 14:44:03 UTC 2019

On Wed, 10 Apr 2019 15:21:13 +0100
Stephen via samba <samba at lists.samba.org> wrote:

> Hi all, I have a couple of Samba 4 DCs on my network and I created a
> new service account LDAPReader on my DCs that my non-Samba
> third-party services such as Redmine successfully use to access AD
> via the LDAPS protocol.
> I have a couple of questions that relate to having a service account of
> this nature implemented in Samba and I wondered if the group could
> possibly provide some advice?
> 1) Firstly, for a service account of this type I ideally want to
> prevent the password expiring or manually being changed. There is a
> facility to do this when you manually create an account in Windows
> ADUC - there are two checkboxes "User cannot change password" and
> "Password never expires". How would I replicate similar behaviour
> when I do a create users at the command-line via samba-tool user
> create - are there command-line switches for samba-tool user create
> that provide such features? I ask because I don't want password
> expiry to ever occur for this special account because an
> unanticipated expiry would then prevent access to all services using
> LDAP for authentication.
> 2) Could people provide guidance about security best practices with
> such service "AD" accounts not intended for actual human use? Ideally
> I want to prevent users actually logging in as LDAPReader, and I
> obviously want it to have the absolute bare minimum of permissions
> required.
> Thanks
> Stephen Ellwood

Create the user with a random password and then set it to never expire,
for info on how to do this, try reading this page:


That should give you an idea
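
The two steps from the reply above (create with a random password, then set it to never expire), as an added example that is not part of the original thread. It adds a check that the userAccountControl "Password never expires" bit (0x10000) is actually set afterwards; the function names and the SAMBA_TOOL override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes it is run as root on a
# Samba AD DC. SAMBA_TOOL is a hypothetical override so the functions can
# be exercised against a stub instead of the real samba-tool.
: "${SAMBA_TOOL:=samba-tool}"

UF_DONT_EXPIRE_PASSWD=65536   # 0x10000, the "Password never expires" bit

# Print the account's userAccountControl value as a decimal integer.
get_uac() {
    $SAMBA_TOOL user show "$1" --attributes=userAccountControl |
        sed -n 's/^userAccountControl: *\([0-9][0-9]*\) *$/\1/p'
}

# Succeed only if the never-expires bit is set on the account.
password_never_expires() {
    uac=$(get_uac "$1")
    [ -n "$uac" ] || { echo "cannot read userAccountControl for $1" >&2; return 2; }
    [ $(( $uac & $UF_DONT_EXPIRE_PASSWD )) -ne 0 ]
}

# The two steps from the reply, followed by a check that the flag stuck.
# Set the password the service will actually use separately
# (samba-tool user setpassword).
provision_service_account() {
    account=$1
    $SAMBA_TOOL user create "$account" --random-password || return 1
    $SAMBA_TOOL user setexpiry "$account" --noexpiry || return 1
    password_never_expires "$account"
}

# Usage on a DC: provision_service_account LDAPReader
```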
