Samba server flagging vulnerability scanner due to "CIFS Password Does Not Expire"
by newub from LinuxQuestions.org on (#6FH13)
We have Ubuntu users who have installed Samba so they can host a server on their Linux machine that can be accessed from Windows.
The issue I have is that this is now flagging our vulnerability scanner saying "CIFS password does not expire".
I am trying to figure out how Samba manages passwords. I believe that the account/password our users are using is specific to Samba, which can allow each user to set password expiration.
Questions for the group:
What are the issues if the Samba password is set to expire? It seems like this would be hard to manage. My reading shows that users are only connecting on an as-needed basis & would likely start running into issues with expiration, i.e., Samba does not notify users if the password is about to expire.
Has anyone had success having Samba validate users using LDAP? I am not finding good information on this so far.
This seems like a security risk as now we have a folder on someone's machine with accounts that do not expire & are not subject to any rules for password complexity. Thoughts?
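An added example, not part of the original post: a small audit over the output of `pdbedit -L -v` (Samba's local passdb listing) that reports accounts whose password never expires, which is the condition behind the "CIFS password does not expire" finding. The pdbedit records below are constructed and abbreviated, not captured from a real server; the flag and policy semantics follow pdbedit(8).

```shell
#!/bin/sh
# Report Samba passdb accounts whose password never expires.
# Two things make an account non-expiring in a local (tdbsam) passdb:
#   - the "X" account-control flag ("password does not expire"), or
#   - no "maximum password age" policy, shown as "Password must change: never".
# Reads `pdbedit -L -v` output on stdin, prints "<user><TAB><reason>" per hit.
find_nonexpiring() {
    awk '
        /^Unix username:/ { user = $3 }
        /^Account Flags:/ { flags = $0; sub(/^Account Flags:[ \t]*/, "", flags) }
        /^Password must change:/ {
            mustchange = $0; sub(/^Password must change:[ \t]*/, "", mustchange)
            reason = ""
            if (flags ~ /X/)                  reason = "flag X"
            else if (mustchange == "never")   reason = "must-change never"
            if (reason != "") printf "%s\t%s\n", user, reason
            user = ""; flags = ""; mustchange = ""      # reset for next record
        }
    '
}

# Constructed sample of three abbreviated pdbedit records (not real output):
# alice carries the X flag, bob has no expiry policy, carol has a due date.
SAMPLE='Unix username:        alice
Account Flags:        [UX         ]
Password last set:    Mon, 01 Jan 2024 09:00:00 UTC
Password must change: never
Unix username:        bob
Account Flags:        [U          ]
Password last set:    Mon, 01 Jan 2024 09:00:00 UTC
Password must change: never
Unix username:        carol
Account Flags:        [U          ]
Password last set:    Mon, 01 Jan 2024 09:00:00 UTC
Password must change: Sun, 31 Mar 2024 09:00:00 UTC'

# Run against the sample; on a real host use:  pdbedit -L -v | find_nonexpiring
printf '%s\n' "$SAMPLE" | find_nonexpiring

# Remediation sketch (run as root on the Samba host, not executed here):
#   pdbedit -P "maximum password age" -C 7776000   # 90 days, in seconds
#   pdbedit -u alice -c "[U]"                      # drop the X flag for alice
```

Expected output for the sample lists alice (flag X) and bob (must-change never) and omits carol, whose password has a due date.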