Brandon Nishan
2016-Oct-12 21:16 UTC
[Samba] Samba-tool password expiration and service accounts
Initially I had set password expiration to be 6 months using samba-tool, and used ADUC to tick the "password never expires" box on specific service accounts that I wanted to keep with the same password. What I found was that even with this box checked, the accounts' passwords did expire after 6 months.

So it seems that the password settings configured by samba-tool apply to all accounts on the domain, including the ones I intended to use as service accounts. Either all account passwords expire after X days, or all accounts never expire (if you set the max age to 0). My questions:

- Am I correct in the above? If so, do you have any ideas on how to preserve security with password rotation for the users while also allowing service accounts (password never expires) to exist?

- If I am not correct, does this indicate a problem with my Samba installation or am I missing a setting to make the service accounts immune to samba-tool password rules?

Thanks!

-Brandon
Rowland Penny
2016-Oct-13 07:38 UTC
[Samba] Samba-tool password expiration and service accounts
On Wed, 12 Oct 2016 21:16:02 +0000 Brandon Nishan via samba <samba at lists.samba.org> wrote:

> Initially I had set password expiration to be 6 months using
> samba-tool, and used ADUC to tick the "password never expires" box on
> specific service accounts that I wanted to keep with the same
> password. What I found was that even with this box checked, the
> account's passwords did expire after 6 months.
>
> So it seems that the password settings configured by samba-tool apply
> to all accounts on the domain, including the ones I intended to use
> as service accounts. Either all account passwords expire after X
> days, or all accounts never expire (if you set the max age to 0). My
> questions:
>
> - Am I correct in the above? If so, do you have any ideas on how to
> preserve security with password rotation for the users while also
> allowing service accounts (password never expires) to exist?
>
> -If I am not correct, does this indicate a problem with my Samba
> installation or am I missing a setting to make the service accounts
> immune to samba-tool password rules?

Have you tried reading the output of 'samba-tool user setexpiry --help'?

Rowland
Brandon Nishan
2016-Oct-13 14:06 UTC
[Samba] Samba-tool password expiration and service accounts
Thanks for your help, I really appreciate it. I have gone back and now see that using "--noexpiry" sets both the account and password to not expire. I had originally misunderstood the command, thinking it set only the account to not expire.

-Brandon
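An added example, not part of the thread: a Python audit that shows which accounts are exempt from the domain-wide maximum password age discussed above and which have already expired under it. It assumes LDIF input with one attribute per line (the shape `ldbsearch` prints); the sample records, account names and function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit behind "Password never expires"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # pwdLastSet counts 100 ns ticks from here

# Constructed sample records (not real data), one attribute per line.
SAMPLE_LDIF = """\
dn: CN=svc-backup,CN=Users,DC=example,DC=com
sAMAccountName: svc-backup
userAccountControl: 66048
pwdLastSet: 131000000000000000

dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
userAccountControl: 512
pwdLastSet: 131000000000000000

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
userAccountControl: 512
pwdLastSet: 0
"""

def parse_ldif(text):
    """Return one {attribute: value} dict per blank-line-separated record."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (line.split(": ", 1) for line in block.splitlines() if ": " in line)
        rec = {key: value.strip() for key, value in pairs}
        if "sAMAccountName" in rec:
            records.append(rec)
    return records

def password_state(rec, max_age_days, now):
    """Classify one account against the domain-wide maximum password age."""
    if int(rec.get("userAccountControl", "0")) & UF_DONT_EXPIRE_PASSWD:
        return "never-expires"  # per-account exemption from rotation
    ticks = int(rec.get("pwdLastSet", "0"))
    if ticks == 0:
        return "must-change"  # password must be changed at next logon
    if max_age_days == 0:
        return "never-expires"  # max age 0 turns expiry off for every account
    expiry = FILETIME_EPOCH + timedelta(microseconds=ticks // 10, days=max_age_days)
    return "expired" if expiry <= now else "valid"

def audit(text, max_age_days, now):
    """Map sAMAccountName -> password state for every record in the LDIF text."""
    return {r["sAMAccountName"]: password_state(r, max_age_days, now) for r in parse_ldif(text)}
```

Run periodically, the "never-expires" list doubles as an inventory of accounts that sit outside password rotation and need compensating controls.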