Re: [Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
- Date: Wed, 10 Apr 2019 18:35:04 -0400
- From: Jonathon Reinhart via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
Sorry to hop on an existing conversation but this seemed like a good
point to jump in with this question.
Say I have a service account, with a random password that is set to
never expire. What component is expected to periodically renew (or
request anew) the Kerberos TGT using that password? I see lots of
information about SSSD handling this, but less so with Samba.
Also, I understand that in Active Directory, Windows clients will
periodically change their computer account passwords. Is this correct?
If so, is there a "Samba way" of achieving this for a service account,
On Wed, Apr 10, 2019 at 11:44 AM Rowland Penny via samba
> On Wed, 10 Apr 2019 16:25:47 +0100
> Stephen via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > > To be honest, the 'Dynamic Bind' method doesn't seem that secure to
> > > me, anybody could 'pretend' to be someone else.
> > > Rowland
> > True! I agree with you, Rowland, that is a weakness. Unfortunately that
> > is a universal weakness shared by all password-based authentication
> > methods. I guess you would have to go with SSH-style encryption keys
> > and certificates to circumvent that problem entirely, which might
> > bamboozle ordinary website users.
> > Dynamic bind does remove the need to create an extra special
> > omnipotent account with a never-expiring password though. So on that
> > basis I am saying it is more secure (but not absolutely secure since
> > there are no absolutes in life heh ;) )
> > Cheers
> > Stephen Ellwood
> I think I have already said this, but Kerberos is much more secure than
> LDAPS; the password never leaves the computer. As for SSH, you can use
> Kerberos for this, no SSH keys or passwords.
> There is nothing wrong with a service user with a never expiring
> password, just as long as you are using Kerberos and the user never
> logs in anywhere.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
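The question above asks which component re-acquires the TGT for a service account whose password never expires. The following is an added example, not code from the Samba list or the Samba project: a small checker that a cron job or systemd timer could run, which reads the MIT `klist` output for a credential cache and, when the krbtgt ticket is missing or within a margin of expiry, runs `kinit -k -t` from a keytab. This matches Rowland's point that with Kerberos the password itself never has to leave the host: only the keytab is on disk, and nothing types a password. Assumptions: MIT Kerberos `klist`/`kinit` are installed, the keytab for the service principal has already been provisioned, the `klist` timestamp layout is `MM/DD/YYYY HH:MM:SS` (the locale-dependent default; adjust `TS_FMT` if yours differs), and the principal, keytab path and cache name are operator-supplied. The sample `klist` output embedded below is constructed for the example.

```python
"""Re-acquire a Kerberos TGT from a keytab when it is missing or near expiry.

Added example for the thread above; not Samba project code. Assumes MIT
Kerberos command-line tools and the klist output layout described in the
lead-in.
"""
import os
import re
import subprocess
from datetime import datetime, timedelta

# Assumed MIT klist timestamp format (locale dependent; change if needed).
TS_FMT = "%m/%d/%Y %H:%M:%S"
_TS = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
_PRINC_RE = re.compile(r"^Default principal:\s+(\S+)\s*$")
_TICKET_RE = re.compile(rf"^{_TS}\s+{_TS}\s+(\S+)\s*$")
_RENEW_RE = re.compile(rf"^\s+renew until {_TS}\s*$")

# Constructed sample of klist output for a service principal (not real data).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_svc-ldap
Default principal: svc-ldap@EXAMPLE.COM

Valid starting       Expires              Service principal
04/10/2019 18:00:00  04/11/2019 04:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/17/2019 18:00:00
04/10/2019 18:00:01  04/11/2019 04:00:00  ldap/dc1.example.com@EXAMPLE.COM
"""


def parse_ts(text):
    """Parse one klist timestamp into a naive local datetime."""
    return datetime.strptime(text, TS_FMT)


def parse_klist(output):
    """Extract the principal and the krbtgt ticket's expiry / renew-until.

    Returns a dict, or None when the cache holds no TGT (or klist failed).
    """
    info = {"principal": None, "tgt_expires": None, "renew_until": None}
    last_was_tgt = False
    for line in output.splitlines():
        m = _PRINC_RE.match(line)
        if m:
            info["principal"] = m.group(1)
            continue
        m = _TICKET_RE.match(line)
        if m:
            # Only the krbtgt/<REALM> entry is the TGT; service tickets are ignored.
            last_was_tgt = m.group(3).startswith("krbtgt/")
            if last_was_tgt:
                info["tgt_expires"] = parse_ts(m.group(2))
            continue
        m = _RENEW_RE.match(line)
        if m and last_was_tgt:
            info["renew_until"] = parse_ts(m.group(1))
    return info if info["tgt_expires"] else None


def needs_refresh(info, now, margin=timedelta(hours=1)):
    """True when there is no TGT or it expires within `margin` of `now`."""
    return info is None or info["tgt_expires"] - now <= margin


def ensure_tgt(principal, keytab, cache, margin=timedelta(hours=1)):
    """Check `cache`; kinit from `keytab` if the TGT is missing or near expiry.

    Returns "ok" when the existing TGT is fine, "renewed" after a fresh kinit.
    Operator-supplied: principal (e.g. svc-ldap@EXAMPLE.COM), keytab path, cache.
    """
    env = {**os.environ, "KRB5CCNAME": cache}
    res = subprocess.run(["klist"], env=env, capture_output=True, text=True)
    info = parse_klist(res.stdout) if res.returncode == 0 else None
    if not needs_refresh(info, datetime.now(), margin):
        return "ok"
    # kinit -k -t <keytab> <principal>: authenticate with the keytab's key, so
    # no password is typed, stored in a script, or sent anywhere in the clear.
    subprocess.run(["kinit", "-k", "-t", keytab, principal], env=env, check=True)
    return "renewed"


if __name__ == "__main__":
    import sys
    # Usage (from a cron job or systemd timer): refresh_tgt.py PRINCIPAL KEYTAB CACHE
    print(ensure_tgt(*sys.argv[1:4]))
```

Run it on a schedule shorter than the ticket lifetime minus the margin; because `needs_refresh` is a pure function of the parsed cache and a clock value, the decision logic can be unit-tested without a KDC, while `ensure_tgt` is the only part that touches the real tools.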