Web lists-archives.com

Re: [Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.




On Wed, 10 Apr 2019 15:21:13 +0100
Stephen via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi all, I have a couple of Samba 4 DCs on my network and I created a
> new service account LDAPReader on my DCs that my non-Samba
> third-party services such as Redmine successfully use to access AD
> via the LDAPS protocol.
> 
> I have a couple of questions that relate to having service account of 
> this nature implemented in Samba and I wondered if the group could 
> possibly provide some advice?
> 
> 1) Firstly, for a service account of this type I ideally want to
> prevent the password expiring or manually being changed. There is a
> facility to do this when you manually create an account in Windows
> ADUC - there are two checkboxes "User cannot change password" and
> "Password never expires". How would I replicate similar behaviour
> when I do a create users at the command-line via samba-tool user
> create - are there command-line switches for samba-tool user create
> that provide such features? I ask is because I don't want password
> expiry to ever occur for this special account because an
> unanticipated expiry would then prevent access to all services using
> LDAP for authentication.
> 
> 2) Could people provide guidance about security best practices with
> such service "AD" accounts not intended for actual human use? Ideally
> I want to prevent users actually logging in as LDAPReader, and I
> obviously want it to have the absolute bare minimum of permissions
> required.
> 
> Thanks
> Stephen Ellwood
> 
> 

Create the user with a random password and then set it to never expire,
for info on how to this, try reading this page:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9#Create_a_user_to_carry_out_the_updates

That should you give an idea

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba