
Re: [Samba] Disabling password expiry for an AD service account for accessing LDAPS, and security best practices.





On 10/04/2019 15:44, Rowland Penny via samba wrote:
On Wed, 10 Apr 2019 15:21:13 +0100
Stephen via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi all, I have a couple of Samba 4 DCs on my network and I created a
new service account LDAPReader on my DCs that my non-Samba
third-party services such as Redmine successfully use to access AD
via the LDAPS protocol.

I have a couple of questions that relate to having a service account of
this nature implemented in Samba and I wondered if the group could
possibly provide some advice?

1) Firstly, for a service account of this type I ideally want to
prevent the password expiring or manually being changed. There is a
facility to do this when you manually create an account in Windows
ADUC - there are two checkboxes "User cannot change password" and
"Password never expires". How would I replicate similar behaviour
when I create users at the command line via samba-tool user
create - are there command-line switches for samba-tool user create
that provide such features? I ask because I don't want password
expiry to ever occur for this special account because an
unanticipated expiry would then prevent access to all services using
LDAP for authentication.

2) Could people provide guidance about security best practices with
such service "AD" accounts not intended for actual human use? Ideally
I want to prevent users actually logging in as LDAPReader, and I
obviously want it to have the absolute bare minimum of permissions
required.

Thanks
Stephen Ellwood


Create the user with a random password and then set it to never expire,
for info on how to do this, try reading this page:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9#Create_a_user_to_carry_out_the_updates

That should give you an idea

Rowland
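As an added example (not from the thread or from the Samba wiki page Rowland links to), the account setup he describes written as a shell script, followed by the check an admin would want afterwards: decoding userAccountControl from `samba-tool user show` to confirm that "password never expires" is really set and the account is not disabled. It assumes samba-tool is on the PATH of a DC; the account name LDAPReader and the sample `user show` output are constructed.

```shell
#!/bin/sh
# Added example: provision a read-only LDAP bind account on a Samba AD DC and
# verify its userAccountControl flags. Assumes samba-tool on PATH, run as root on a DC.

# Well-known userAccountControl bit values from the AD schema.
UAC_ACCOUNTDISABLE=2
UAC_DONT_EXPIRE_PASSWORD=65536

# Create the account with a random password, then make that password non-expiring.
# --random-password, --description and setexpiry --noexpiry are real samba-tool options.
create_service_account() {
    acct="$1"
    samba-tool user create "$acct" --random-password \
        --description="Read-only LDAP bind account for third-party services; not for interactive use" \
        || return 1
    samba-tool user setexpiry "$acct" --noexpiry
}

# Return 0 when integer $1 has bit $2 set ($2 must be a power of two; POSIX sh has no bitwise ops).
uac_has_flag() {
    uac="$1"; flag="$2"
    [ $(( (uac / flag) % 2 )) -eq 1 ]
}

# Read 'userAccountControl: N' from the LDIF-style text that 'samba-tool user show' prints on stdin.
uac_from_ldif() {
    awk -F': ' '$1 == "userAccountControl" { print $2; exit }'
}

# Verify on stdin: password must never expire and the account must not be disabled.
verify_service_account_ldif() {
    uac=$(uac_from_ldif)
    [ -n "$uac" ] || { echo "no userAccountControl attribute found"; return 2; }
    uac_has_flag "$uac" "$UAC_DONT_EXPIRE_PASSWORD" || { echo "FAIL: password expiry still enabled"; return 1; }
    if uac_has_flag "$uac" "$UAC_ACCOUNTDISABLE"; then echo "FAIL: account is disabled"; return 1; fi
    echo "OK: userAccountControl=$uac"
}

# Constructed sample of 'samba-tool user show LDAPReader' output after 'setexpiry --noexpiry'
# (66048 = NORMAL_ACCOUNT 512 + DONT_EXPIRE_PASSWORD 65536).
SAMPLE_LDIF='dn: CN=LDAPReader,CN=Users,DC=example,DC=com
sAMAccountName: LDAPReader
userAccountControl: 66048'

# Only touch a real DC when explicitly asked, e.g.: SERVICE_ACCOUNT=LDAPReader sh this.sh
if [ -n "${SERVICE_ACCOUNT:-}" ] && command -v samba-tool >/dev/null 2>&1; then
    create_service_account "$SERVICE_ACCOUNT" \
        && samba-tool user show "$SERVICE_ACCOUNT" | verify_service_account_ldif
else
    printf '%s\n' "$SAMPLE_LDIF" | verify_service_account_ldif
fi
```

The check is the part worth keeping around: run `samba-tool user show LDAPReader | sh -c '. ./this.sh; verify_service_account_ldif'` or the equivalent after any change to the account to confirm nothing reset the flag.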

Thanks Rowland, had a quick scan of the doc you mentioned and that sounds like exactly what I wanted to do. Half the battle with this stuff is knowing where to look in the documentation it seems :)

Thanks Again
Stephen Ellwood


