[Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
Rowland Penny
rpenny at samba.org
Thu Apr 11 07:42:56 UTC 2019
On Wed, 10 Apr 2019 18:35:04 -0400
Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
> Sorry to hop on an existing conversation but this seemed like a good
> point to jump in with this question.
You really should have started a new thread ;-)
>
> Say I have a service account, with a random password that is set to
> never expire. What component is expected to periodically renew (or
> request anew) the Kerberos TGT using that password? I see lots of
> information about SSSD handling this, but less so with Samba.
You need to check the ticket and renew it if required, see here for how
I do it:
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
Samba user tickets are renewed by winbind if you have 'winbind refresh
tickets = yes' in smb.conf.
>
> Also, I understand that in Active Directory, Windows clients will
> periodically change their computer account passwords. Is this correct?
Yes, Samba does it as well.
> If so, is there a "Samba way" of achieving this for a service account,
> also?
Not that I know, but if anyone does know a way, I am sure they will
chime in.
Rowland
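
The check-then-renew step described in the reply above, as an added example that is not part of the original message or of the Samba wiki script. It assumes the service account's keys have been exported to a keytab and that MIT or Heimdal `klist`/`kinit` are installed; `ensure_ticket`, the `KLIST`/`KINIT` overrides, the paths and the principal are hypothetical names.

```shell
#!/bin/sh
# Added example: keep a service account's Kerberos ticket valid, e.g. from cron.
# KLIST/KINIT can be overridden so the logic can be exercised without a KDC.
KLIST=${KLIST:-klist}
KINIT=${KINIT:-kinit}

# ensure_ticket CACHE KEYTAB PRINCIPAL
# Prints one of: valid, reacquired, no-keytab, insecure-keytab, failed.
# Returns 0 only when CACHE holds a usable ticket afterwards.
ensure_ticket() {
    et_cache=$1; et_keytab=$2; et_princ=$3

    # klist -s prints nothing and only sets the exit status:
    # 0 means the cache exists and its ticket has not expired.
    if "$KLIST" -s -c "$et_cache" 2>/dev/null; then
        echo valid; return 0
    fi

    if [ ! -r "$et_keytab" ]; then
        echo no-keytab; return 1
    fi

    # The keytab holds the account's long-term keys, so refuse to use it
    # if group or other have any access (columns 5-10 of the ls -l mode).
    et_mode=$(ls -ld "$et_keytab" | cut -c5-10)
    if [ "$et_mode" != "------" ]; then
        echo insecure-keytab; return 1
    fi

    # Request a fresh TGT non-interactively from the keytab, then re-check.
    if "$KINIT" -k -t "$et_keytab" -c "$et_cache" "$et_princ" >/dev/null 2>&1 &&
       "$KLIST" -s -c "$et_cache" 2>/dev/null; then
        echo reacquired; return 0
    fi
    echo failed; return 1
}

# Typical use before an LDAPS/GSSAPI operation (placeholder paths and principal):
#   ensure_ticket /var/run/svc.cc /etc/svc.keytab 'svc-ldap@EXAMPLE.TEST' >/dev/null
```

Run it more often than the ticket lifetime so the cache never lapses between checks; any non-zero return is worth alerting on, since it means the account can no longer authenticate unattended.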