Jonathon Reinhart
2019-Apr-10 22:35 UTC
[Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
Sorry to hop on an existing conversation but this seemed like a good point to jump in with this question.

Say I have a service account, with a random password that is set to never expire. What component is expected to periodically renew (or request anew) the Kerberos TGT using that password? I see lots of information about SSSD handling this, but less so with Samba.

Also, I understand that in Active Directory, Windows clients will periodically change their computer account passwords. Is this correct? If so, is there a "Samba way" of achieving this for a service account, also?

Thanks!
Jonathon

On Wed, Apr 10, 2019 at 11:44 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 10 Apr 2019 16:25:47 +0100
> Stephen via samba <samba at lists.samba.org> wrote:
>
> > > To be honest, the 'Dynamic Bind' method doesn't seem that secure to
> > > me, anybody could 'pretend' to be someone else.
> > >
> > > Rowland
> >
> > True! I agree with you Rowland that is a weakness. Unfortunately that
> > is a universal weakness shared by all password-based authentication
> > methods. I guess you would have to go with SSH-style encryption keys
> > and certificates to circumvent that problem entirely which might
> > bamboozle ordinary website users.
> >
> > Dynamic bind does remove the need to create an extra special
> > omnipotent account with a never-expiring password though. So on that
> > basis I am saying it is more secure (but not absolutely secure since
> > there are no absolutes in life heh ;) )
> >
> > Cheers
> > Stephen Ellwood
>
> I think I have already said this, but kerberos is much more secure than
> ldaps, the password never leaves the computer. As for SSH, you can use
> kerberos for this, no ssh keys or passwords.
>
> There is nothing wrong with a service user with a never expiring
> password, just as long as you are using kerberos and the user never
> logs in anywhere.
>
> Rowland
Rowland Penny
2019-Apr-11 07:42 UTC
[Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
On Wed, 10 Apr 2019 18:35:04 -0400
Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:

> Sorry to hop on an existing conversation but this seemed like a good
> point to jump in with this question.

You really should have started a new thread ;-)

> Say I have a service account, with a random password that is set to
> never expire. What component is expected to periodically renew (or
> request anew) the Kerberos TGT using that password? I see lots of
> information about SSSD handling this, but less so with Samba.

You need to check the ticket and renew it if required, see here for how I do it:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

Samba user tickets are renewed by winbind if you have 'winbind refresh tickets = yes' in smb.conf

> Also, I understand that in Active Directory, Windows clients will
> periodically change their computer account passwords. Is this correct?

Yes, Samba does it as well.

> If so, is there a "Samba way" of achieving this for a service account,
> also?

Not that I know, but if anyone does know a way, I am sure they will chime in.

Rowland
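The "check the ticket and renew it if required" pattern Rowland describes, written out as an added example (editor's code, not the thread's and not the `_KERBEROS` function on the Samba wiki page he links). Before each interaction with AD the script reads `klist`, computes how long the realm's krbtgt ticket has left, and if the ticket is missing or close to expiry re-acquires it from a keytab with `kinit -k -t` (MIT syntax). The principal `svc-ldap@EXAMPLE.COM`, the keytab path, the credential-cache path and the 600-second threshold are assumptions for illustration; the `klist` output layout parsed is MIT's default, and `date -d` is GNU date.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba wiki): renew-on-demand for a
# service account's TGT. Nothing password-shaped is stored or typed; the only
# secret on disk is the keytab, and AD is reached over Kerberos/GSSAPI.
#
# Assumed names (hypothetical, not from the thread):
#   svc-ldap@EXAMPLE.COM        the service account principal
#   /etc/krb5/svc-ldap.keytab   its keytab (mode 0600, owned by the service user)
PRINCIPAL="${PRINCIPAL:-svc-ldap@EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/etc/krb5/svc-ldap.keytab}"
# Private cache so the service never shares a cache with an interactive user.
KRB5CCNAME="${KRB5CCNAME:-FILE:/run/svc-ldap/krb5cc}"
export KRB5CCNAME
MIN_LEFT="${MIN_LEFT:-600}"   # re-acquire if fewer than this many seconds remain

# tgt_seconds_left NOW
#   Reads MIT `klist` output on stdin and prints how many seconds the realm's
#   krbtgt ticket is still valid relative to NOW (epoch seconds). Returns 1 when
#   no TGT for the realm is cached or its expiry cannot be parsed. Assumes MIT
#   klist's default columns: start_date start_time expiry_date expiry_time service.
tgt_seconds_left() {
  now="$1"
  realm="${PRINCIPAL#*@}"
  # Match only our own realm's TGT, not cross-realm krbtgt entries.
  line=$(grep -F "krbtgt/${realm}@${realm}" | head -n 1)
  [ -n "$line" ] || return 1
  expires=$(printf '%s\n' "$line" | awk '{print $3, $4}')
  exp_epoch=$(date -d "$expires" +%s 2>/dev/null) || return 1   # GNU date
  echo $((exp_epoch - now))
}

# ensure_tgt
#   Guarantee a TGT with at least MIN_LEFT seconds left, fetching a fresh one
#   from the keytab if needed. A missing/unparseable cache counts as 0 seconds.
#   Exit status is kinit's whenever a new ticket had to be requested.
ensure_tgt() {
  left=$(klist 2>/dev/null | tgt_seconds_left "$(date +%s)") || left=0
  if [ "$left" -lt "$MIN_LEFT" ]; then
    kinit -k -t "$KEYTAB" "$PRINCIPAL"
  fi
}

# Usage: call ensure_tgt immediately before the AD operation, then bind with
# GSSAPI rather than a simple bind, so no password ever crosses the wire:
#   ensure_tgt && ldapsearch -Y GSSAPI -H ldap://dc1.example.com \
#       -b dc=example,dc=com '(objectClass=computer)' dn
```

Two points worth keeping in mind when adapting this: the `winbind refresh tickets = yes` setting Rowland mentions applies to tickets winbind itself obtained for users at PAM login, so it does not cover a keytab-based service principal like this one; and because the TGT is requested from the keytab on demand, a ticket's renewable lifetime never matters here, which keeps the script indifferent to the realm's renew settings.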
Jonathon Reinhart
2019-Apr-11 11:20 UTC
[Samba] Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.
On Thu, Apr 11, 2019, 03:43 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 10 Apr 2019 18:35:04 -0400
> Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
>
> > Sorry to hop on an existing conversation but this seemed like a good
> > point to jump in with this question.
>
> You really should have started a new thread ;-)
>
> > Say I have a service account, with a random password that is set to
> > never expire. What component is expected to periodically renew (or
> > request anew) the Kerberos TGT using that password? I see lots of
> > information about SSSD handling this, but less so with Samba.
>
> You need to check the ticket and renew it if required, see here for how
> I do it:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

That example answers a lot of questions, thank you! So here, the service requests a new ticket on demand, just prior to its interaction with AD. That makes sense to me; I was expecting a background service that just kept the TGT up-to-date; something generic like that might work well for an application without a scriptable call-out point. Either way, that _KERBEROS function is a good template. It also corrected my obvious mistake, and uses the keytab (not password) to acquire the TGT.

> Samba user tickets are renewed by winbind if you have 'winbind refresh
> tickets = yes' in smb.conf
>
> > Also, I understand that in Active Directory, Windows clients will
> > periodically change their computer account passwords. Is this correct?
>
> Yes, Samba does it as well.

Which component does this? I don't see anything that indicates it is winbind.

> > If so, is there a "Samba way" of achieving this for a service account,
> > also?
>
> Not that I know, but if anyone does know a way, I am sure they will
> chime in.
>
> Rowland

Thanks,
Jonathon