[Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.

Jonathon Reinhart jonathon.reinhart at gmail.com
Thu Apr 11 11:20:06 UTC 2019


On Thu, Apr 11, 2019, 03:43 Rowland Penny via samba <samba at lists.samba.org>
wrote:

> On Wed, 10 Apr 2019 18:35:04 -0400
> Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
>
> > Sorry to hop on an existing conversation but this seemed like a good
> > point to jump in with this question.
>
> You really should have started a new thread ;-)
>
> >
> > Say I have a service account, with a random password that is set to
> > never expire. What component is expected to periodically renew (or
> > request anew) the Kerberos TGT using that password? I see lots of
> > information about SSSD handling this, but less so with Samba.
>
> You need to check the ticket and renew it if required, see here for how
> I do it:
>
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9


That example answers a lot of questions, thank you!

So here, the service requests a new ticket on demand, just prior to its
interaction with AD. That makes sense to me; I was expecting a background
service that just kept the TGT up-to-date; something generic like that
might work well for an application without a scriptable call-out point.
Either way, that _KERBEROS function is a good template. It also corrected
my obvious mistake, and uses the keytab (not password) to acquire the TGT.

> Samba user tickets are renewed by winbind if you have 'winbind refresh
> tickets = yes' in smb.conf
>
> >
> > Also, I understand that in Active Directory, Windows clients will
> > periodically change their computer account passwords. Is this correct?
>
> Yes, Samba does it as well.
>

Which component does this? I don't see anything that indicates it is
winbind.

> > If so, is there a "Samba way" of achieving this for a service account,
> > also?
>
> Not that I know, but if anyone does know a way, I am sure they will
> chime in.
>
> Rowland
>

Thanks,
Jonathon
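The on-demand pattern Jonathon describes above (check the cache, and only if there is no valid TGT acquire one from the keytab, right before the service talks to AD) as an added example. This is not code from the thread or from the Samba wiki page Rowland linked; the keytab path, principal and cache location are assumptions, and the hook is meant to be sourced or called from the service's own pre-AD step, the way the wiki's DHCP hook calls its _KERBEROS function.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba wiki: get a service account's
# TGT from its keytab just before contacting AD, only when the cache holds no
# valid ticket.  Keytab path, principal and cache name below are assumptions.
KEYTAB="${KEYTAB:-/etc/svc-ldap.keytab}"                      # assumed keytab
PRINCIPAL="${PRINCIPAL:-svc-ldap@EXAMPLE.COM}"                # assumed principal
export KRB5CCNAME="${KRB5CCNAME:-FILE:/run/svc-ldap/krb5cc}"  # private cache, not root's

# Does the cache already hold an unexpired TGT?  'klist -s' exits 0 if so
# (both MIT and Heimdal klist accept -s).  Caveat: it only checks that the
# ticket has not expired yet, not how much lifetime is left, so a job that
# runs longer than the ticket lifetime should refresh rather than rely on it.
tgt_valid() {
    klist -s 2>/dev/null
}

# Obtain a fresh TGT from the keytab (-k -t), never from a password on the
# command line.  Returns 0 on success, non-zero on failure; kinit's own
# diagnostics go to stderr.  The keytab must be readable only by the service.
tgt_acquire() {
    if [ ! -r "$KEYTAB" ]; then
        echo "keytab $KEYTAB is not readable" >&2
        return 1
    fi
    kinit -k -t "$KEYTAB" "$PRINCIPAL"
}

# Entry point for the service's pre-AD step: reuse a valid ticket, otherwise
# acquire one.  Echoes "cached" or "acquired" so the caller can log which
# path was taken; returns 1 if no ticket could be obtained.
ensure_tgt() {
    if tgt_valid; then
        echo cached
        return 0
    fi
    if tgt_acquire; then
        echo acquired
        return 0
    fi
    echo "could not obtain a TGT for $PRINCIPAL" >&2
    return 1
}

# Usage from a script or cron job (assumed invocation):
#   sh tgt-hook.sh ensure && ldapsearch -Y GSSAPI -H ldaps://dc1.example.com ...
case "${1:-}" in
    ensure) ensure_tgt ;;
esac
```

The ticket is bound to the cache named in KRB5CCNAME, so the service and this hook must agree on it; pointing both at a cache owned by the service user (not the default per-uid cache of whoever runs cron) keeps the TGT from leaking to, or being clobbered by, other processes on the box.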

