[Samba] Disabling password expiry for an AD service account for accessing LDAPS, and security best practices.

Rowland Penny rpenny at samba.org
Wed Apr 10 15:44:02 UTC 2019


On Wed, 10 Apr 2019 16:25:47 +0100
Stephen via samba <samba at lists.samba.org> wrote:

> > To be honest, the 'Dynamic Bind' method doesn't seem that secure to
> > me, anybody could 'pretend' to be someone else.
> > 
> > Rowland
> 
> True! I agree with you Rowland that is a weakness. Unfortunately that
> is a universal weakness shared by all password-based authentication 
> methods. I guess you would have to go with SSH-style encryption keys
> and certificates to circumvent that problem entirely which might
> bamboozle ordinary website users.
> 
> Dynamic bind does remove the need to create an extra special
> omnipotent account with a never-expiring password though. So on that
> basis I am saying it is more secure (but not absolutely secure since
> there are no absolutes in life heh ;) )
> 
> Cheers
> Stephen Ellwood
> 
> 

I think I have already said this, but Kerberos is much more secure than
LDAPS; the password never leaves the computer. As for SSH, you can use
Kerberos for this, no SSH keys or passwords.

There is nothing wrong with a service user with a never-expiring
password, just as long as you are using Kerberos and the user never
logs in anywhere.

Rowland
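
Rowland's position is that a never-expiring password on a service account is acceptable when the account is only ever used via Kerberos and never logs in interactively. The practical follow-up is knowing which accounts in the domain actually carry that setting, so they can be reviewed against that rule. The script below is an added example and is not code from this thread or from the Samba project: it parses LDIF of the shape produced by `ldapsearch -LLL` against a Samba AD DC, decodes the `userAccountControl` bit-field (bit values as documented in MS-ADTS), and reports every account whose password never expires, which is what `samba-tool user setexpiry --noexpiry` sets, together with its password age and whether it carries a servicePrincipalName. The three directory entries in `SAMPLE_LDIF`, and the `AUDIT_AS_OF` reference date, are constructed for this example; in real use you would feed it the output of your own `ldapsearch` run.

```python
"""Audit an AD domain for accounts whose password never expires.

Added example (not from the Samba list thread or the Samba project).
Reads LDIF as produced by `ldapsearch -LLL`, decodes userAccountControl
and lists every account with UF_DONT_EXPIRE_PASSWD set, so each one can
be checked against the rule "Kerberos only, never logs in anywhere".
"""
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits from MS-ADTS; only the ones reported here.
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample directory entries (not real accounts).
# 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
# 66080 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | PASSWD_NOTREQD
SAMPLE_LDIF = """\
dn: CN=svc-ldap,CN=Users,DC=example,DC=com
sAMAccountName: svc-ldap
userAccountControl: 66048
pwdLastSet: 131999328000000000
servicePrincipalName: ldap/svc-ldap.example.com

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512
pwdLastSet: 132900000000000000

dn: CN=oldadmin,CN=Users,DC=example,DC=com
sAMAccountName: oldadmin
userAccountControl: 66080
pwdLastSet: 0
"""

# Constructed reference date for the password-age calculation.
AUDIT_AS_OF = datetime(2020, 4, 17, tzinfo=timezone.utc)


def parse_ldif(text):
    """Minimal LDIF parser: plain 'attr: value' lines, folded
    continuation lines, blank-line record separators. No base64 ('::')
    values and no changetype records."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw[0] == " " and last is not None:  # folded continuation
            current[last][-1] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        current.setdefault(key, []).append(value.strip())
        last = key
    if current:
        entries.append(current)
    return entries


def filetime_to_datetime(ticks):
    """Convert a FILETIME string to an aware datetime; 0 means 'never set'."""
    ticks = int(ticks)
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_uac(value):
    """Decode the userAccountControl bits this audit cares about."""
    uac = int(value)
    return {
        "disabled": bool(uac & UF_ACCOUNTDISABLE),
        "passwd_not_required": bool(uac & UF_PASSWD_NOTREQD),
        "never_expires": bool(uac & UF_DONT_EXPIRE_PASSWD),
    }


def audit_never_expiring(ldif_text, now):
    """Return one finding per account whose password never expires."""
    findings = []
    for entry in parse_ldif(ldif_text):
        flags = decode_uac(entry["userAccountControl"][0])
        if not flags["never_expires"]:
            continue
        last_set = filetime_to_datetime(entry.get("pwdLastSet", ["0"])[0])
        findings.append({
            "account": entry["sAMAccountName"][0],
            "disabled": flags["disabled"],
            "passwd_not_required": flags["passwd_not_required"],
            "password_age_days": (now - last_set).days if last_set else None,
            "has_spn": "servicePrincipalName" in entry,
        })
    return findings


if __name__ == "__main__":
    for f in audit_never_expiring(SAMPLE_LDIF, AUDIT_AS_OF):
        print(f"{f['account']:<12} age={f['password_age_days']} "
              f"spn={f['has_spn']} pw_not_required={f['passwd_not_required']} "
              f"disabled={f['disabled']}")
```

Run it against real output with something like `ldapsearch -LLL -Y GSSAPI -b dc=example,dc=com '(objectClass=user)' sAMAccountName userAccountControl pwdLastSet servicePrincipalName` saved to a file, then pass that file's text to `audit_never_expiring`. An account such as `svc-ldap` (never expires, has an SPN, password not required is off) matches what Rowland describes; one like `oldadmin` (never expires, PASSWD_NOTREQD set, pwdLastSet of 0) is the kind of entry the audit exists to surface.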


