Web lists-archives.com

Re: [Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.




On Wed, 10 Apr 2019 18:35:04 -0400
Jonathon Reinhart <jonathon.reinhart@xxxxxxxxx> wrote:

> Sorry to hop on an existing conversation but this seemed like a good
> point to jump in with this question.

You really should have started a new thread ;-)

> 
> Say I have a service account, with a random password that is set to
> never expire. What component is expected to periodically renew (or
> request anew) the Kerberos TGT using that password? I see lots of
> information about SSSD handling this, but less so with Samba.

You need to check the ticket and renew it if required, see here for how
I do it:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

Samba user tickets are renewed by winbind if you have 'winbind refresh
tickets = yes' in smb.conf

> 
> Also, I understand that in Active Directory, Windows clients will
> periodically change their computer account passwords. Is this correct?

Yes, Samba does it as well.

> If so, is there a "Samba way" of achieving this for a service account,
> also?

Not that I know, but if anyone does know a way, I am sure they will
chime in.

Rowland



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba