[Samba] query account expired state

Rowland Penny rpenny at samba.org
Sat Oct 28 12:21:37 UTC 2023


On Sat, 28 Oct 2023 13:50:31 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:

> >> I consider this a big security omission: if Samba is the source of
> >> information but not the authenticator of the user, that
> >> application cannot block expired users!
> > But, Samba when running as an AD DC is the source of information AND
> > the source of authentication. A user with an expired password will
> > not be allowed to logon.
> 
> You are right, this is preferable, but not always the case.
> 
> For example Samba does not support MFA, an application that does
> this can use Samba as its user database but has to perform the MFA
> authentication with its own mechanism.
> 
> The situation I have is that you can login with MFA (from internet) 
> while you are blocked with normal authentication (when in the office) 
> when your password is expired. That is definitely not alright!

It isn't, but I would say that is a failing in the MFA rather than
Samba AD.
> 
> >
> >> How to proceed from here?
> >>
> >> I guess the real fix to update 'userAccountControl' and/or
> >> 'accountExpires' need changes in Samba's C code. In the meantime I
> >> would like to close this gap, so I am tempted to write a
> >> cron-script to check expiry and then update 'userAccountControl'
> >> every minute or so.
> >>
> >> Any other thoughts?
> > I am not sure if Unix can use 'userAccountControl' and even if it
> > can,
> 
> You can, I used it in the past to set 512 / 514 for enabled /
> disabled account.

I was actually referring to the password expired part.
  
> Now I am using samba-tool for it because that is
> easier with a bit-field (because other values than 512/514 can be
> there and you just want to toggle bit-1 (the 2), which would make the
> code a bit more complex).
> 
> As an alternative the cron-script you set / reset some value in
> another (used) attribute, which can then be used in queries.
> 
> > you are still going to need a script to check if it contains
> > '8388608'.
> 
> This is easy, there is a special LDAP function to query bit-values,
> the same as for account disabled:
> 
> (!(userAccountControl:1.2.840.113556.1.4.803:=2)) # for not disabled
> 
> (!(userAccountControl:1.2.840.113556.1.4.803:=8388608)) # for not expired

I always forget those, good job someone knows what they are doing ;-)

What would be better is if Samba could be made to understand
'ms-DS-User-Password-Expired'

Rowland
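The bit-AND matching-rule filters and the bit-preserving userAccountControl update discussed above, as an added example (not code from the thread or from Samba): the `SAMPLE` entries and the `select`/`matches` helpers are constructed to model locally how the DC evaluates the filter, and `account_expired` assumes the Windows FILETIME encoding of `accountExpires`.

```python
"""userAccountControl helpers for the checks discussed in the thread.

Added example, not from the thread or from Samba. The OID and the flag
values (2 = disabled, 8388608 = password expired) are the ones quoted.
"""
from datetime import datetime, timedelta, timezone

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
UF_ACCOUNTDISABLE = 2          # bit 1: account disabled (512 -> 514)
UF_PASSWORD_EXPIRED = 8388608  # 0x800000: password expired

def uac_filter(flag, *, negate=False):
    """Build a bit-AND filter on userAccountControl, e.g.
    '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' for 'not disabled'."""
    f = f"(userAccountControl:{BIT_AND_RULE}:={flag})"
    return f"(!{f})" if negate else f

def set_flag(uac, flag, on):
    """Set or clear one bit without touching the others; this is why a
    plain 512/514 comparison is not enough when other bits may be set."""
    return uac | flag if on else uac & ~flag

def matches(uac, flag, *, negate=False):
    """Local model of the bit-AND rule: the filter matches when every bit
    in 'flag' is set in the attribute value."""
    hit = (uac & flag) == flag
    return not hit if negate else hit

def account_expired(account_expires, now=None):
    """accountExpires is a FILETIME (100 ns ticks since 1601-01-01 UTC);
    0 and 2**63-1 both mean 'never expires' (assumption: AD semantics)."""
    if account_expires in (0, 2**63 - 1):
        return False
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    when = epoch + timedelta(microseconds=account_expires // 10)
    return when <= (now or datetime.now(timezone.utc))

# Constructed sample directory: (sAMAccountName, userAccountControl)
SAMPLE = [("alice", 512), ("bob", 514), ("carol", 512 | UF_PASSWORD_EXPIRED)]

def select(flag, *, negate=False, entries=SAMPLE):
    """Names whose userAccountControl satisfies uac_filter(flag, negate)."""
    return [n for n, uac in entries if matches(uac, flag, negate=negate)]

if __name__ == "__main__":
    print(uac_filter(UF_PASSWORD_EXPIRED, negate=True))
    print("not expired:", select(UF_PASSWORD_EXPIRED, negate=True))
    print("disabled:", select(UF_ACCOUNTDISABLE))
```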


