[Samba] Disabling password expiry for an AD service account for accessing LDAPS, and security best practices.

Jonathon Reinhart jonathon.reinhart at gmail.com
Wed Apr 10 22:35:04 UTC 2019


Sorry to hop on an existing conversation but this seemed like a good
point to jump in with this question.

Say I have a service account, with a random password that is set to
never expire. What component is expected to periodically renew (or
request anew) the Kerberos TGT using that password? I see lots of
information about SSSD handling this, but less so with Samba.

Also, I understand that in Active Directory, Windows clients will
periodically change their computer account passwords. Is this correct?
If so, is there a "Samba way" of achieving this for a service account,
also?

Thanks!

Jonathon

On Wed, Apr 10, 2019 at 11:44 AM Rowland Penny via samba
<samba at lists.samba.org> wrote:
>
> On Wed, 10 Apr 2019 16:25:47 +0100
> Stephen via samba <samba at lists.samba.org> wrote:
>
> > To be honest, the 'Dynamic Bind' method doesn't seem that secure to
> > me, anybody could 'pretend' to be someone else.
> >
> > Rowland
> >
> > True! I agree with you Rowland that is a weakness. Unfortunately that
> > is a universal weakness shared by all password-based authentication
> > methods. I guess you would have to go with SSH-style encryption keys
> > and certificates to circumvent that problem entirely which might
> > bamboozle ordinary website users.
> >
> > Dynamic bind does remove the need to create an extra special
> > omnipotent account with a never-expiring password though. So on that
> > basis I am saying it is more secure (but not absolutely secure since
> > there are no absolutes in life heh ;) )
> >
> > Cheers
> > Stephen Ellwood
> >
> >
>
> I think I have already said this, but Kerberos is much more secure than
> LDAPS, the password never leaves the computer. As for SSH, you can use
> Kerberos for this, no SSH keys or passwords.
>
> There is nothing wrong with a service user with a never expiring
> password, just as long as you are using Kerberos and the user never
> logs in anywhere.
>
> Rowland
>
