[Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
rpenny at samba.org
Thu Apr 11 07:42:56 UTC 2019
On Wed, 10 Apr 2019 18:35:04 -0400
Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
> Sorry to hop on an existing conversation but this seemed like a good
> point to jump in with this question.
You really should have started a new thread ;-)
> Say I have a service account, with a random password that is set to
> never expire. What component is expected to periodically renew (or
> request anew) the Kerberos TGT using that password? I see lots of
> information about SSSD handling this, but less so with Samba.
You need to check the ticket and renew it if required, see here for how
I do it:
Samba user tickets are renewed by winbind if you have 'winbind refresh
tickets = yes' in smb.conf
> Also, I understand that in Active Directory, Windows clients will
> periodically change their computer account passwords. Is this correct?
Yes, Samba does it as well.
> If so, is there a "Samba way" of achieving this for a service account,
Not that I know, but if anyone does know a way, I am sure they will
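The "check the ticket and renew it if required" step from the reply above, as an added example that is not code from the post or from the Samba project. It assumes MIT Kerberos `klist`/`kinit` and a keytab for the service account; the principal, keytab path and cache path are placeholders.

```shell
#!/bin/sh
# Added example: keep a service account's Kerberos TGT usable, e.g. from cron.
# Assumptions (not from the thread): MIT Kerberos tools, a keytab for the
# account, and the placeholder principal and paths below.
PRINCIPAL="${PRINCIPAL:-svc-ldap@EXAMPLE.COM}"          # placeholder
KEYTAB="${KEYTAB:-/etc/krb5.keytabs/svc-ldap.keytab}"   # placeholder
KRB5CCNAME="${KRB5CCNAME:-FILE:/tmp/krb5cc_svc-ldap}"   # placeholder
export KRB5CCNAME
KLIST="${KLIST:-klist}"   # overridable so the logic can be tested with stubs
KINIT="${KINIT:-kinit}"

# Prints "renewed" or "reacquired" and returns 0 when a valid TGT is in the
# cache afterwards; prints "failed: <reason>" and returns 1 otherwise.
ensure_ticket() {
    if [ ! -r "$KEYTAB" ]; then
        echo "failed: keytab unreadable"; return 1
    fi
    # A keytab is equivalent to the account password: refuse to use one
    # that grants any group or world permission bits.
    if [ "$(ls -ld "$KEYTAB" | cut -c5-10)" != "------" ]; then
        echo "failed: keytab permissions too open"; return 1
    fi
    # 'klist -s' prints nothing and exits non-zero when the cache is missing
    # or expired; 'kinit -R' renews a ticket that is still valid and still
    # inside its renewable lifetime.
    if "$KLIST" -s && "$KINIT" -R 2>/dev/null; then
        echo "renewed"; return 0
    fi
    # Expired, absent or no longer renewable: request a fresh TGT.
    if "$KINIT" -k -t "$KEYTAB" "$PRINCIPAL"; then
        echo "reacquired"; return 0
    fi
    echo "failed: kinit from keytab"; return 1
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then ensure_ticket; fi
```

Scheduled more often than the ticket lifetime, this keeps the cache valid without an interactive password prompt.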