samba - Apr 2019 - Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.

To be honest, the 'Dynamic Bind' method doesn't seem that secure to
me,
anybody could 'pretend' to be someone else.

Rowland

True! I agree with you Rowland that is a weakness. Unfortunately that is 
a universal weakness shared by all password-based authentication 
methods. I guess you would have to go with SSH-style encryption keys and 
certificates to circumvent that problem entirely which might bamboozle 
ordinary website users.

Dynamic bind does remove the need to create an extra special omnipotent 
account with a never-expiring password though. So on that basis I am 
saying it is more secure (but not absolutely secure since there are no 
absolutes in life heh ;) )

Cheers
Stephen Ellwood

On Wed, 10 Apr 2019 16:25:47 +0100
Stephen via samba <samba at lists.samba.org> wrote:
> To be honest, the 'Dynamic Bind' method doesn't seem that
secure to
> me, anybody could 'pretend' to be someone else.
> 
> Rowland
> 
> True! I agree with you Rowland that is a weakness. Unfortunately that
> is a universal weakness shared by all password-based authentication 
> methods. I guess you would have to go with SSH-style encryption keys
> and certificates to circumvent that problem entirely which might
> bamboozle ordinary website users.
> 
> Dynamic bind does remove the need to create an extra special
> omnipotent account with a never-expiring password though. So on that
> basis I am saying it is more secure (but not absolutely secure since
> there are no absolutes in life heh ;) )
> 
> Cheers
> Stephen Ellwood
> 
> 
I think I have already said this, but kerberos is much more secure than
ldaps, the password never leaves the computer. As for SSH, you can use
kerberos for this, no ssh keys or passwords.

There is is nothing wrong with a service user with a never expiring
password, just as long as you are using kerberos and the user never
logs in anywhere.

Rowland

Sorry to hop on an existing conversation but this seemed like a good
point to jump in with this question.

Say I have a service account, with a random password that is set to
never expire. What component is expected to periodically renew (or
request anew) the Kerberos TGT using that password? I see lots of
information about SSSD handling this, but less so with Samba.

Also, I understand that in Active Directory, Windows clients will
periodically change their computer account passwords. Is this correct?
If so, is there a "Samba way" of achieving this for a service account,
also?

Thanks!

Jonathon

On Wed, Apr 10, 2019 at 11:44 AM Rowland Penny via samba
<samba at lists.samba.org> wrote:
>
> On Wed, 10 Apr 2019 16:25:47 +0100
> Stephen via samba <samba at lists.samba.org> wrote:
>
> > To be honest, the 'Dynamic Bind' method doesn't seem that
secure to
> > me, anybody could 'pretend' to be someone else.
> >
> > Rowland
> >
> > True! I agree with you Rowland that is a weakness. Unfortunately that
> > is a universal weakness shared by all password-based authentication
> > methods. I guess you would have to go with SSH-style encryption keys
> > and certificates to circumvent that problem entirely which might
> > bamboozle ordinary website users.
> >
> > Dynamic bind does remove the need to create an extra special
> > omnipotent account with a never-expiring password though. So on that
> > basis I am saying it is more secure (but not absolutely secure since
> > there are no absolutes in life heh ;) )
> >
> > Cheers
> > Stephen Ellwood
> >
> >
>
> I think I have already said this, but kerberos is much more secure than
> ldaps, the password never leaves the computer. As for SSH, you can use
> kerberos for this, no ssh keys or passwords.
>
> There is is nothing wrong with a service user with a never expiring
> password, just as long as you are using kerberos and the user never
> logs in anywhere.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba