[Samba] Disabling password expiry for an AD service account for accessing LDAPS, and security best practices.

Stephen stephen at ogdenradar.com
Wed Apr 10 14:53:35 UTC 2019

On 10/04/2019 15:44, Rowland Penny via samba wrote:
> On Wed, 10 Apr 2019 15:21:13 +0100
> Stephen via samba <samba at lists.samba.org> wrote:
>> Hi all, I have a couple of Samba 4 DCs on my network and I created a
>> new service account LDAPReader on my DCs that my non-Samba
>> third-party services such as Redmine successfully use to access AD
>> via the LDAPS protocol.
>> I have a couple of questions that relate to having a service account of
>> this nature implemented in Samba and I wondered if the group could
>> possibly provide some advice?
>> 1) Firstly, for a service account of this type I ideally want to
>> prevent the password expiring or manually being changed. There is a
>> facility to do this when you manually create an account in Windows
>> ADUC - there are two checkboxes "User cannot change password" and
>> "Password never expires". How would I replicate similar behaviour
>> when I create users at the command-line via samba-tool user
>> create - are there command-line switches for samba-tool user create
>> that provide such features? I ask because I don't want password
>> expiry to ever occur for this special account because an
>> unanticipated expiry would then prevent access to all services using
>> LDAP for authentication.
>> 2) Could people provide guidance about security best practices with
>> such service "AD" accounts not intended for actual human use? Ideally
>> I want to prevent users actually logging in as LDAPReader, and I
>> obviously want it to have the absolute bare minimum of permissions
>> required.
>> Thanks
>> Stephen Ellwood
> Create the user with a random password and then set it to never expire,
> for info on how to do this, try reading this page:
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9#Create_a_user_to_carry_out_the_updates
> That should give you an idea
> Rowland

Thanks Rowland, had a quick scan of the doc you mentioned and that 
sounds like exactly what I wanted to do. Half the battle with this stuff 
is knowing where to look in the documentation it seems :)

Thanks Again
Stephen Ellwood
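The following script is an added example illustrating question 1 of the thread; it is not part of the thread and not code from the Samba project. It uses the two real samba-tool subcommands the linked wiki page relies on (`samba-tool user create --random-password` and `samba-tool user setexpiry --noexpiry`) and then verifies the result by parsing the output of `samba-tool user show`, which prints one `attribute: value` per line. The account name LDAPReader comes from the thread; the description text, the `apply` argument and the helper function names are assumptions. The bit value 65536 (0x10000) is the UF_DONT_EXPIRE_PASSWD flag of userAccountControl as documented for Active Directory. The "User cannot change password" checkbox from ADUC has no equivalent samba-tool switch and is not covered here.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): create a
# never-expiring, randomly-passworded AD service account for LDAPS binds
# and verify the expiry flag before handing the account to a service.
set -eu

# AD userAccountControl flag meaning "password never expires" (0x10000).
UF_DONT_EXPIRE_PASSWD=65536

uac_from_show_output() {
    # Extract the decimal userAccountControl value from the text that
    # `samba-tool user show <name>` prints (one "attribute: value" per
    # line). Prints 0 when the attribute is missing.
    uac=$(printf '%s\n' "$1" | sed -n 's/^userAccountControl: *//p' | head -n 1)
    printf '%s\n' "${uac:-0}"
}

password_never_expires() {
    # Succeeds (exit 0) when the DONT_EXPIRE_PASSWD bit is set in the
    # userAccountControl value found in the supplied `user show` output.
    uac=$(uac_from_show_output "$1")
    [ $(( uac & UF_DONT_EXPIRE_PASSWD )) -ne 0 ]
}

account_never_expires() {
    # Succeeds when accountExpires is one of the two AD encodings of
    # "never": 0 or the maximum 64-bit value. String comparison avoids
    # overflow in shell arithmetic.
    ae=$(printf '%s\n' "$1" | sed -n 's/^accountExpires: *//p' | head -n 1)
    [ "${ae:-0}" = "0" ] || [ "$ae" = "9223372036854775807" ]
}

provision_service_account() {
    # Hypothetical wrapper around the real samba-tool subcommands; the
    # description text is an assumption, not a required value.
    name="$1"
    samba-tool user create "$name" --random-password \
        --description="Unprivileged read-only bind account for LDAPS consumers"
    samba-tool user setexpiry "$name" --noexpiry
    # Re-read the object and confirm both expiry controls are in place.
    shown=$(samba-tool user show "$name")
    password_never_expires "$shown" && account_never_expires "$shown"
}

# Only touch the directory when explicitly asked: `./script.sh apply [name]`.
if [ "${1:-}" = "apply" ]; then
    provision_service_account "${2:-LDAPReader}"
    echo "service account provisioned and verified"
fi
```

Run it with `apply` on a DC (or any host with samba-tool and domain credentials); without that argument it only defines the helpers, so the verification functions can be reused in an audit script that periodically checks every service account's `user show` output for the flag.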
