Stephen
2019-Apr-10 15:25 UTC
[Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
To be honest, the 'Dynamic Bind' method doesn't seem that secure to me, anybody could 'pretend' to be someone else. Rowland True! I agree with you Rowland that is a weakness. Unfortunately that is a universal weakness shared by all password-based authentication methods. I guess you would have to go with SSH-style encryption keys and certificates to circumvent that problem entirely which might bamboozle ordinary website users. Dynamic bind does remove the need to create an extra special omnipotent account with a never-expiring password though. So on that basis I am saying it is more secure (but not absolutely secure since there are no absolutes in life heh ;) ) Cheers Stephen Ellwood
Rowland Penny
2019-Apr-10 15:44 UTC
[Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
On Wed, 10 Apr 2019 16:25:47 +0100 Stephen via samba <samba at lists.samba.org> wrote:> To be honest, the 'Dynamic Bind' method doesn't seem that secure to > me, anybody could 'pretend' to be someone else. > > Rowland > > True! I agree with you Rowland that is a weakness. Unfortunately that > is a universal weakness shared by all password-based authentication > methods. I guess you would have to go with SSH-style encryption keys > and certificates to circumvent that problem entirely which might > bamboozle ordinary website users. > > Dynamic bind does remove the need to create an extra special > omnipotent account with a never-expiring password though. So on that > basis I am saying it is more secure (but not absolutely secure since > there are no absolutes in life heh ;) ) > > Cheers > Stephen Ellwood > >I think I have already said this, but kerberos is much more secure than ldaps, the password never leaves the computer. As for SSH, you can use kerberos for this, no ssh keys or passwords. There is is nothing wrong with a service user with a never expiring password, just as long as you are using kerberos and the user never logs in anywhere. Rowland
Jonathon Reinhart
2019-Apr-10 22:35 UTC
[Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
Sorry to hop on an existing conversation but this seemed like a good point to jump in with this question. Say I have a service account, with a random password that is set to never expire. What component is expected to periodically renew (or request anew) the Kerberos TGT using that password? I see lots of information about SSSD handling this, but less so with Samba. Also, I understand that in Active Directory, Windows clients will periodically change their computer account passwords. Is this correct? If so, is there a "Samba way" of achieving this for a service account, also? Thanks! Jonathon On Wed, Apr 10, 2019 at 11:44 AM Rowland Penny via samba <samba at lists.samba.org> wrote:> > On Wed, 10 Apr 2019 16:25:47 +0100 > Stephen via samba <samba at lists.samba.org> wrote: > > > To be honest, the 'Dynamic Bind' method doesn't seem that secure to > > me, anybody could 'pretend' to be someone else. > > > > Rowland > > > > True! I agree with you Rowland that is a weakness. Unfortunately that > > is a universal weakness shared by all password-based authentication > > methods. I guess you would have to go with SSH-style encryption keys > > and certificates to circumvent that problem entirely which might > > bamboozle ordinary website users. > > > > Dynamic bind does remove the need to create an extra special > > omnipotent account with a never-expiring password though. So on that > > basis I am saying it is more secure (but not absolutely secure since > > there are no absolutes in life heh ;) ) > > > > Cheers > > Stephen Ellwood > > > > > > I think I have already said this, but kerberos is much more secure than > ldaps, the password never leaves the computer. As for SSH, you can use > kerberos for this, no ssh keys or passwords. > > There is is nothing wrong with a service user with a never expiring > password, just as long as you are using kerberos and the user never > logs in anywhere. > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Possibly Parallel Threads
- Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
- Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
- Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
- Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
- Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.