[Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
Rowland Penny
rpenny at samba.org
Wed Apr 10 14:44:03 UTC 2019
On Wed, 10 Apr 2019 15:21:13 +0100
Stephen via samba <samba at lists.samba.org> wrote:
> Hi all, I have a couple of Samba 4 DCs on my network and I created a
> new service account LDAPReader on my DCs that my non-Samba
> third-party services such as Redmine successfully use to access AD
> via the LDAPS protocol.
>
> I have a couple of questions that relate to having service account of
> this nature implemented in Samba and I wondered if the group could
> possibly provide some advice?
>
> 1) Firstly, for a service account of this type I ideally want to
> prevent the password expiring or manually being changed. There is a
> facility to do this when you manually create an account in Windows
> ADUC - there are two checkboxes "User cannot change password" and
> "Password never expires". How would I replicate similar behaviour
> when I do a create users at the command-line via samba-tool user
> create - are there command-line switches for samba-tool user create
> that provide such features? I ask is because I don't want password
> expiry to ever occur for this special account because an
> unanticipated expiry would then prevent access to all services using
> LDAP for authentication.
>
> 2) Could people provide guidance about security best practices with
> such service "AD" accounts not intended for actual human use? Ideally
> I want to prevent users actually logging in as LDAPReader, and I
> obviously want it to have the absolute bare minimum of permissions
> required.
>
> Thanks
> Stephen Ellwood
>
>
Create the user with a random password and then set it to never expire,
for info on how to this, try reading this page:
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9#Create_a_user_to_carry_out_the_updates
That should you give an idea
Rowland
More information about the samba
mailing list