[Samba] Disabling password expiry for an AD service account for accessing LDAPS, and security best practices.

Stephen stephen at ogdenradar.com
Wed Apr 10 15:25:47 UTC 2019

To be honest, the 'Dynamic Bind' method doesn't seem that secure to me;
anybody could 'pretend' to be someone else.


True! I agree with you, Rowland, that is a weakness. Unfortunately, that is
a universal weakness shared by all password-based authentication
methods. I guess you would have to go with SSH-style encryption keys and
certificates to circumvent that problem entirely, which might bamboozle
ordinary website users.

Dynamic bind does remove the need to create an extra special omnipotent
account with a never-expiring password, though. So on that basis I am
saying it is more secure (but not absolutely secure, since there are no
absolutes in life, heh ;) )

Stephen Ellwood

