[Samba] query account expired state
Rowland Penny
rpenny at samba.org
Sat Oct 28 12:21:37 UTC 2023
On Sat, 28 Oct 2023 13:50:31 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >> I consider this a big security omission: if Samba is the source of
> >> information but not the the authenticator of the user, that
> >> application cannot block expired users !
> > But, Samba when running as an AD DC is the source of information AND
> > the source of authentication. A user with an expired password will
> > not be allowed to logon.
>
> You are right, this is preferable, but not always the case.
>
> For example Samba does not support MFA, an application that does
> this can use Samba as its user database but has to perform the MFA
> authentication with its own mechanism.
>
> The situation I have is that you can login with MFA (from internet)
> while you are blocked with normal authentication (when in the office)
> when your password is expired. That is definitely not alright!
It isn't, but I would say that is a failing in the MFA rather than
Samba AD.
>
> >
> >> How to proceed from here?
> >>
> >> I guess the real fix to update 'userAccountControl' and/or
> >> 'accountExpires' need changes in Samba's C code. In the meantime I
> >> would like to close this gap, so I am tempted to write a
> >> cron-script to check expiry and then update 'userAccountControl'
> >> every minute or so.
> >>
> >> Any other thoughts?
> > I am not sure if Unix can use 'userAccountControl' and even if it
> > can,
>
> You can, I used it in the past to set 512 / 514 for enabled /
> disabled account.
I was actually referring to the password expired part.
> Now I am using samba-tool for it because that is
> easier with a bit-field (because other values than 512/ 514 can be
> there and you just want to toggle bit-1 (the 2), which would make the
> code a bit complexer).
>
> As an alternative the cron-script you set / reset some value in
> another (used) attribute, which can then be used in queries.
>
> > you are still going to need a script to check if it contains
> > '8388608'.
>
> This is easy, there is a special LDAP function to query bit-values,
> the same as for account disabled:
>
> (!(userAccountControl:1.2.840.113556.1.4.803:=2)) # for not disabled
>
> (!(userAccountControl:1.2.840.113556.1.4.803:=8388608)) # for not
> expired
I always forget those, good job someone knows what they are doing ;-)
What would be better is if Samba could be made to understand
'ms-DS-User-Password-Expired'
Rowland
More information about the samba
mailing list