Stephen
2019-Apr-10 14:21 UTC
[Samba] Disabling password expiry for an AD service account for accessing LDAPS, and security best practices.
Hi all,

I have a couple of Samba 4 DCs on my network and I created a new service account LDAPReader on my DCs that my non-Samba third-party services such as Redmine successfully use to access AD via the LDAPS protocol.

I have a couple of questions that relate to having a service account of this nature implemented in Samba and I wondered if the group could possibly provide some advice?

1) Firstly, for a service account of this type I ideally want to prevent the password expiring or manually being changed. There is a facility to do this when you manually create an account in Windows ADUC - there are two checkboxes "User cannot change password" and "Password never expires". How would I replicate similar behaviour when I create users at the command line via samba-tool user create - are there command-line switches for samba-tool user create that provide such features? I ask because I don't want password expiry to ever occur for this special account because an unanticipated expiry would then prevent access to all services using LDAP for authentication.

2) Could people provide guidance about security best practices with such service "AD" accounts not intended for actual human use? Ideally I want to prevent users actually logging in as LDAPReader, and I obviously want it to have the absolute bare minimum of permissions required.

Thanks
Stephen Ellwood
Rowland Penny
2019-Apr-10 14:44 UTC
[Samba] Disabling password expiry for an AD service account for accessing LDAPS, and security best practices.
On Wed, 10 Apr 2019 15:21:13 +0100 Stephen via samba <samba at lists.samba.org> wrote:
> Hi all,
>
> I have a couple of Samba 4 DCs on my network and I created a new service account LDAPReader on my DCs that my non-Samba third-party services such as Redmine successfully use to access AD via the LDAPS protocol.
>
> I have a couple of questions that relate to having a service account of this nature implemented in Samba and I wondered if the group could possibly provide some advice?
>
> 1) Firstly, for a service account of this type I ideally want to prevent the password expiring or manually being changed. There is a facility to do this when you manually create an account in Windows ADUC - there are two checkboxes "User cannot change password" and "Password never expires". How would I replicate similar behaviour when I create users at the command line via samba-tool user create - are there command-line switches for samba-tool user create that provide such features? I ask because I don't want password expiry to ever occur for this special account because an unanticipated expiry would then prevent access to all services using LDAP for authentication.
>
> 2) Could people provide guidance about security best practices with such service "AD" accounts not intended for actual human use? Ideally I want to prevent users actually logging in as LDAPReader, and I obviously want it to have the absolute bare minimum of permissions required.
>
> Thanks
> Stephen Ellwood

Create the user with a random password and then set it to never expire; for info on how to do this, try reading this page:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9#Create_a_user_to_carry_out_the_updates

That should give you an idea

Rowland
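An added example (not from the thread or from the Samba wiki page Rowland links) that scripts the steps he describes: create the account with a random password, mark it never-expiring with samba-tool user setexpiry --noexpiry, and then verify the result by checking the DONT_EXPIRE_PASSWD bit (0x10000) and the ACCOUNTDISABLE bit (0x2) of userAccountControl. The account name LDAPReader comes from the thread; that samba-tool user show prints a "userAccountControl: N" line is an assumption about its LDIF-style output, and the sample dump used for the offline check is constructed.

```shell
#!/bin/sh
# Added example, not Samba project code. Assumes samba-tool is on PATH and
# that the --create path is run as root on a Samba AD DC.

# userAccountControl bits from the AD schema.
UAC_ACCOUNTDISABLE=2           # 0x2, account is disabled
UAC_DONT_EXPIRE_PASSWD=65536   # 0x10000, the "Password never expires" checkbox

# Exit 0 when the numeric userAccountControl value has the given bit set.
uac_has_flag() {
    uac=$1; flag=$2
    [ $(( uac & flag )) -ne 0 ]
}

# Pull the userAccountControl value out of "attr: value" output such as
# the dump printed by "samba-tool user show" (assumed format).
uac_from_ldif() {
    printf '%s\n' "$1" | sed -n 's/^userAccountControl: *\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Exit 0 only if the dump describes an enabled account whose password never expires.
service_account_ok() {
    uac=$(uac_from_ldif "$1")
    [ -n "$uac" ] || return 1
    uac_has_flag "$uac" "$UAC_DONT_EXPIRE_PASSWD" || return 1
    ! uac_has_flag "$uac" "$UAC_ACCOUNTDISABLE"
}

# The procedure from the reply: random password, then no expiry, then verify.
create_service_account() {
    name=$1
    samba-tool user create "$name" --random-password || return 1
    samba-tool user setexpiry "$name" --noexpiry || return 1
    service_account_ok "$(samba-tool user show "$name")"
}

# Usage on a DC:  sh service_account.sh --create LDAPReader
if [ "${1:-}" = "--create" ]; then
    create_service_account "${2:-LDAPReader}"
fi
```

The "User cannot change password" checkbox is not a userAccountControl bit but a deny ACE for the Change Password right on the user object, so this check does not cover it.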
Stephen
2019-Apr-10 14:53 UTC
[Samba] Disabling password expiry for an AD service account for accessing LDAPS, and security best practices.
On 10/04/2019 15:44, Rowland Penny via samba wrote:
> On Wed, 10 Apr 2019 15:21:13 +0100
> Stephen via samba <samba at lists.samba.org> wrote:
>
>> Hi all,
>>
>> I have a couple of Samba 4 DCs on my network and I created a new service account LDAPReader on my DCs that my non-Samba third-party services such as Redmine successfully use to access AD via the LDAPS protocol.
>>
>> I have a couple of questions that relate to having a service account of this nature implemented in Samba and I wondered if the group could possibly provide some advice?
>>
>> 1) Firstly, for a service account of this type I ideally want to prevent the password expiring or manually being changed. There is a facility to do this when you manually create an account in Windows ADUC - there are two checkboxes "User cannot change password" and "Password never expires". How would I replicate similar behaviour when I create users at the command line via samba-tool user create - are there command-line switches for samba-tool user create that provide such features? I ask because I don't want password expiry to ever occur for this special account because an unanticipated expiry would then prevent access to all services using LDAP for authentication.
>>
>> 2) Could people provide guidance about security best practices with such service "AD" accounts not intended for actual human use? Ideally I want to prevent users actually logging in as LDAPReader, and I obviously want it to have the absolute bare minimum of permissions required.
>>
>> Thanks
>> Stephen Ellwood
>
> Create the user with a random password and then set it to never expire; for info on how to do this, try reading this page:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9#Create_a_user_to_carry_out_the_updates
>
> That should give you an idea
>
> Rowland

Thanks Rowland, had a quick scan of the doc you mentioned and that sounds like exactly what I wanted to do. Half the battle with this stuff is knowing where to look in the documentation it seems :)

Thanks Again
Stephen Ellwood