[Samba] query account expired state

Rowland Penny rpenny at samba.org
Sat Oct 28 15:19:37 UTC 2023


On Sat, 28 Oct 2023 16:22:23 +0200
Kees van Vloten via samba <samba at lists.samba.org> wrote:

> 
> Op 28-10-2023 om 14:21 schreef Rowland Penny via samba:
> > On Sat, 28 Oct 2023 13:50:31 +0200
> > Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >
> >>>> I consider this a big security omission: if Samba is the source
> >>>> of information but not the authenticator of the user, that
> >>>> application cannot block expired users!
> >>> But, Samba when running as an AD DC is the source of information
> >>> AND the source of authentication. A user with an expired password
> >>> will not be allowed to logon.
> >> You are right, this is preferable, but not always the case.
> >>
> >> For example Samba does not support MFA, an application that does
> >> this can use Samba as its user database but has to perform the MFA
> >> authentication with its own mechanism.
> >>
> >> The situation I have is that you can login with MFA (from internet)
> >> while you are blocked with normal authentication (when in the
> >> office) when your password is expired. That is definitely not
> >> alright!
> > It isn't, but I would say that is a failing in the MFA rather than
> > Samba AD.
> 
> Not really, there is no way you can make an LDAP filter to see that
> an account is expired. Samba simply does not provide that information
> in a form that can be used in an application filter (which is the
> same as a single ldapsearch command).
> 
> Your suggestion below to have 'ms-DS-User-Password-Expired' would
> solve the whole issue and so does setting bit-23 in
> 'userAccountControl'.
> 
> But both are not implemented yet, i.e. for the time being a
> workaround is required for this piece of functionality. That brings
> me back to the plan of making a small cron-script for this purpose.
> 
> To prevent a potential race condition with Samba updating something
> in 'userAccountControl' and the cron-script as well, it might be a
> better idea to use another user attribute, for example the nowadays
> obscure 'primaryTelexNumber' and set it to 'expired=true'. With
> that the issue is solved, the LDAP query to check for a user that can
> be allowed to login would be:
> 
> '(&(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(primaryTelexNumber=*expired=true*)))'
> 
> Using asterisks around 'expired=true' allows for other strings to be
> added to this attribute, should there be the need for it.
> 
> This is non-intrusive, it can be simply removed when Samba acquires
> the real functionality.

Forget ms-DS-User-Password-Expired, after a bit of checking, it seems
that was only for ADAM and AD-LDS.

However, can I introduce you to another constructed attribute (we need
to document these somewhere) 'msDS-User-Account-Control-Computed'

Try that one.

Rowland
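As an added example (not from the thread, and not Samba's own code): a check an application could run on each entry returned by its ldapsearch, reading the msDS-User-Account-Control-Computed attribute Rowland points to alongside userAccountControl and accountExpires, instead of marking users in a free-text attribute from a cron job. The attribute is constructed when an entry is read, so the check here runs on returned entries rather than inside the search filter; the UF_* bit values are the standard Active Directory flags, and the sample entries and "now" timestamp are constructed.

```python
from datetime import datetime, timedelta, timezone

# Flag bits shared by userAccountControl and the constructed
# msDS-User-Account-Control-Computed attribute (standard AD UF_* values).
UF_ACCOUNTDISABLE = 0x00000002    # what the thread's filter tests via 1.2.840.113556.1.4.803:=2
UF_LOCKOUT = 0x00000010           # reported in the computed attribute
UF_PASSWORD_EXPIRED = 0x00800000  # bit 23, reported in the computed attribute

# accountExpires is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
# Both 0 and 0x7FFFFFFFFFFFFFFF mean "never expires".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}

def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def _int_attr(entry, name):
    # LDAP client libraries return values as lists of str or bytes; take the first.
    value = (entry.get(name) or ["0"])[0]
    return int(value.decode() if isinstance(value, bytes) else value)

def login_allowed(entry, now):
    """Return (allowed, reasons) for one entry fetched with the attributes
    userAccountControl, msDS-User-Account-Control-Computed and accountExpires."""
    reasons = []
    uac = _int_attr(entry, "userAccountControl")
    computed = _int_attr(entry, "msDS-User-Account-Control-Computed")
    if uac & UF_ACCOUNTDISABLE:
        reasons.append("account disabled")
    if computed & UF_LOCKOUT:
        reasons.append("account locked out")
    if computed & UF_PASSWORD_EXPIRED:
        reasons.append("password expired")
    expires = _int_attr(entry, "accountExpires")
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        reasons.append("account expired")
    return (not reasons, reasons)

# Constructed sample entries and evaluation time (the date of this thread).
SAMPLE_NOW = datetime(2023, 10, 28, tzinfo=timezone.utc)
ACTIVE_USER = {"userAccountControl": ["512"],
               "msDS-User-Account-Control-Computed": ["0"], "accountExpires": ["0"]}
EXPIRED_PASSWORD_USER = {"userAccountControl": ["512"],
                         "msDS-User-Account-Control-Computed": ["8388608"],
                         "accountExpires": ["9223372036854775807"]}
DISABLED_EXPIRED_USER = {"userAccountControl": ["514"],
                         "msDS-User-Account-Control-Computed": ["0"],
                         "accountExpires": ["132223104000000000"]}  # 2020-01-01 UTC
```

Only the disabled bit is still filtered server-side as in Kees' filter; the lockout, password-expired and account-expiry conditions are decided per entry after the search returns.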
