[Samba] Disabling password expiry for an AD service account for accessing LDAPS, and security best practices.

Hi all, I have a couple of Samba 4 DCs on my network and I created a new service account LDAPReader on my DCs that my non-Samba third-party services such as Redmine successfully use to access AD via the LDAPS protocol.

I have a couple of questions that relate to having a service account of this nature implemented in Samba, and I wondered if the group could possibly provide some advice?

1) Firstly, for a service account of this type I ideally want to prevent the password from expiring or being manually changed. There is a facility to do this when you manually create an account in Windows ADUC - there are two checkboxes, "User cannot change password" and "Password never expires". How would I replicate similar behaviour when I create users at the command line via samba-tool user create - are there command-line switches for samba-tool user create that provide such features? I ask because I don't want password expiry to ever occur for this special account, because an unanticipated expiry would then prevent access to all services using LDAP for authentication.

2) Could people provide guidance about security best practices with such service "AD" accounts not intended for actual human use? Ideally I want to prevent users actually logging in as LDAPReader, and I obviously want it to have the absolute bare minimum of permissions required.

Thanks
Stephen Ellwood


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
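An added example, not from the post or the Samba project, showing what backs the ADUC "Password never expires" checkbox: the DONT_EXPIRE_PASSWD bit (0x10000) in the account's userAccountControl attribute. The script decodes that attribute from ldbsearch-style output and emits the LDIF one would apply with ldbmodify against sam.ldb; the DN and the sample output are constructed placeholders. Note that "User cannot change password" is not a userAccountControl bit but a deny ACE on the Change Password extended right, and that `samba-tool user setexpiry --noexpiry` sets accountExpires (account expiry), which is a different attribute.

```python
# Standard AD userAccountControl flag values (assumed well known, not from the post).
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
}

def decode_uac(value: int) -> list[str]:
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]

def password_never_expires(value: int) -> bool:
    """True when the DONT_EXPIRE_PASSWD bit is set (ADUC 'Password never expires')."""
    return bool(value & UF_DONT_EXPIRE_PASSWD)

def parse_uac_from_ldif(text: str) -> tuple[str, int]:
    """Pull dn and userAccountControl out of ldbsearch-style LDIF output."""
    dn, uac = None, None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userAccountControl: "):
            uac = int(line.split(":", 1)[1])
    if dn is None or uac is None:
        raise ValueError("dn or userAccountControl missing from LDIF")
    return dn, uac

def ldif_set_never_expire(dn: str, current: int) -> str:
    """LDIF for ldbmodify that ORs in DONT_EXPIRE_PASSWD, keeping every other bit."""
    new = current | UF_DONT_EXPIRE_PASSWD
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: userAccountControl\nuserAccountControl: {new}\n")

# Constructed sample resembling the output of
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=LDAPReader)' userAccountControl
# The DN is a placeholder; 512 is a plain enabled NORMAL_ACCOUNT.
SAMPLE = """dn: CN=LDAPReader,CN=Users,DC=example,DC=internal
userAccountControl: 512
"""

if __name__ == "__main__":
    dn, uac = parse_uac_from_ldif(SAMPLE)
    print(decode_uac(uac), "never expires:", password_never_expires(uac))
    print(ldif_set_never_expire(dn, uac))
```

After applying the LDIF, re-run the same ldbsearch and confirm the value decodes to NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWD (66048) before relying on it.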