similar to: Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.

On Wed, 10 Apr 2019 15:21:13 +0100 Stephen via samba <samba at lists.samba.org> wrote: > Hi all, I have a couple of Samba 4 DCs on my network and I created a > new service account LDAPReader on my DCs that my non-Samba > third-party services such as Redmine successfully use to access AD > via the LDAPS protocol. > > I have a couple of questions that relate to having

Dear samba-list, please disregard my previous post. Since posting I have found a way to avoid the need to create a dedicated AD service account purely to allow Redmine to authenticate via LDAPS and AD. This neatly circumvents my original issue and is much more secure to boot. For future Redmine users googling, refer to this document here:

Sorry to hop on an existing conversation but this seemed like a good point to jump in with this question. Say I have a service account, with a random password that is set to never expire. What component is expected to periodically renew (or request anew) the Kerberos TGT using that password? I see lots of information about SSSD handling this, but less so with Samba. Also, I understand that in

To be honest, the 'Dynamic Bind' method doesn't seem that secure to me, anybody could 'pretend' to be someone else. Rowland True! I agree with you Rowland that is a weakness. Unfortunately that is a universal weakness shared by all password-based authentication methods. I guess you would have to go with SSH-style encryption keys and certificates to circumvent that problem

On Wed, 10 Apr 2019 16:25:47 +0100 Stephen via samba <samba at lists.samba.org> wrote: > To be honest, the 'Dynamic Bind' method doesn't seem that secure to > me, anybody could 'pretend' to be someone else. > > Rowland > > True! I agree with you Rowland that is a weakness. Unfortunately that > is a universal weakness shared by all password-based

On Wed, 10 Apr 2019 18:35:04 -0400 Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote: > Sorry to hop on an existing conversation but this seemed like a good > point to jump in with this question. You really should have started a new thread ;-) > > Say I have a service account, with a random password that is set to > never expire. What component is expected to

Hi everyone, I have a basic SAMBA setup with a main AD DC ad1 and a backup AD DC ad2, running on Samba 4.5.16-Debian on Raspbian. I would now like to enable LDAPS so my users can authenticate in other non Samba services using Active Directory. From reading the documentation here: https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC I understand that for the most

There seems to be a slight issue with the instructions at the following wiki page: https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9 The /usr/local/bin/dhcp-dyndns.sh script seems to use a hardwired value for the lease expiry time of 3600 - independent of whatever is configured in dhcpd.conf. With the examples provided, it should work, as the example dhcpd.conf

Hi guys, I'm battling to understand how the Samba4 user password expiry seems to tie in together and was hoping this could be clarified by someone for me please? Currently I have the following Samba4 domain policies in place... [root at headoffice ~]# samba-tool domain passwordsettings show Password informations for domain 'DC=abc-ho,DC=local' Password complexity: on Store plaintext

I've just found out that Samba (rather correctly) implements a nice and low password expiry date through the tdbsam backend, and I believe the "maximum password age" value. However, I can't, for the life of me, actually /set/ this thing. I've tried this: # pdbedit -u <username> -r -P "maximum password age" -C 100 And without the -r, and with various

I think we're suffering from bug 8641 at the moment: https://bugzilla.samba.org/show_bug.cgi?id=8641 where the netsamlogon_cache.tdb entries are not expiring. We use AD groups for our (redhat) server auth, and also use server-side group auth for NFS (with the --manage-gids flag). So if a user is not in a group on the server, they're denied access to files as per group permissions.

Thanks for the answer Marcel, I did get them confused. Any ideas why then that my passwords don't seem to be expiring even well after 60 days and despite having the domain policy enforcing password expiry? Thanks. Regards. Neil Wilson. On Mon, Jan 12, 2015 at 12:46 PM, Marcel de Reuver <marcel at de.reuver.org> wrote: > Account expiry and password expiry are not the same....

I have tried this patch (against 3.5p1) and would very much like it to be in the OpenSSH 3.6p1 release, if possible: http://bugzilla.mindrot.org/show_bug.cgi?id=14 On that note, I'd like the Sun BSM patch to be included also, if possible. I have it working applied to 3.5p1: http://bugzilla.mindrot.org/show_bug.cgi?id=125 In fact, both patches work together, apparently. If I have any

A user with the X (password doesn't expire) flag on his account was forced to change his password because it expired on a system with pdbedit -P'maximum password age' account policy "maximum password age" description: Maximum password age, in seconds (default: -1 => never expire passwords) What's going on? why is samba ignoring this and expiring passwords anyways?

Hi Rowland, and many thanks for fast reply, When using --noexpiry, the userAccountControl is set to 66048, which disable expiry for password as well (in MS console, "password never expires" is now checked). This means that the password expiry (let say, every 6 month) will never popup again to the user, which is in my sense a wrong behaviour. Is there a way to change ONLY

Hi guys... I setup samba 2.2.5 as a PDC ... I have w2k clients. It seems that now I am prompted to change my password because it is going to expire Could you guys tell me how and where to disable password expiry? cheers`

I have found that when passwords are reset from a windows machine, the default password expiry period is around 40 days. I would like to change this to say 90 days, but have been unable to find a way. I tried the option "password expire time" but testparm doesn't seem to recognise it. There is nothing in the official Samba How-to about this. Has anyone managed to set thier

I see the output. root@X10SDV-8C-TLN4F:/mnt/config# cat /var/lib/libvirt/dnsmasq/mgmt-1br1.status [ { "ip-address": "192.168.27.8", "mac-address": "52:54:00:42:21:14", "hostname": "vyatta", "expiry-time": 1589500228 } ] Can you please explain what does the expiry-time mean ? What are its units ? Please let

Hi Elliot, I couldn't find anything related to smbpasswd expiry. Since u have "unix password sync = true", just a wild guess, if u could turn off password ageing in unix passwd file (man passwd for more detail) and see if problem persists. Rgds Gary Elliot wrote: > Hi guys... I setup samba 2.2.5 as a PDC ... I have w2k clients. It seems > that now I am prompted to change

Hi list :) I am looking for the right command to achieve my goal. I would like to remove the account expiry date of an ACCOUNT with a samba-tool command (account never expires) Options of "samba-tool user setexpiry" are : --filter=FILTER LDAP Filter to set password on --days=DAYS Days to expiry --noexpiry Unfortunately, the "noexpiry" parameter just set another option