[Samba] Fwd: query account expired state

Kees van Vloten keesvanvloten at gmail.com
Sun Oct 29 17:10:52 UTC 2023


Op 28-10-2023 om 17:19 schreef Rowland Penny via samba:
> On Sat, 28 Oct 2023 16:22:23 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> Op 28-10-2023 om 14:21 schreef Rowland Penny via samba:
>>> On Sat, 28 Oct 2023 13:50:31 +0200
>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>
>>>>>> I consider this a big security omission: if  Samba is the source
>>>>>> of information but not the authenticator of the user, that
>>>>>> application cannot block expired users !
>>>>> But, Samba when running as an AD DC is the source of information
>>>>> AND the source of authentication. A user with an expired password
>>>>> will not be allowed to logon.
>>>> You are right, this is preferable, but not always the case.
>>>>
>>>> For example Samba does not support  MFA, an application that does
>>>> this can use Samba as its user database but has to perform the MFA
>>>> authentication with its own mechanism.
>>>>
>>>> The situation I have is that you can login with MFA (from internet)
>>>> while you are blocked with normal authentication (when in the
>>>> office) when your password is expired. That is definitely not
>>>> alright!
>>> It isn't, but I would say that is a failing in the MFA rather than
>>> Samba AD.
>> Not really, there is no way you can make an LDAP filter to see that
>> an account is expired. Samba simply does not provide that information
>> in a form that can be used in an application filter (which is the
>> same as a single ldapsearch command).
>>
>> Your suggestion below to have 'ms-DS-User-Password-Expired' would
>> solve the whole issue and so does setting bit-23 in
>> 'userAccountControl'.
>>
>> But both are not implemented yet, i.e. for the time being a
>> workaround is required for this piece of functionality. That brings
>> me back to the plan of making a small cron-script for this purpose.
>>
>> To prevent a potential race condition with Samba updating something
>> in 'userAccountControl' and the cron-script as well, it might be a
>> better idea to use another user attribute, for example the nowadays
>> obscure 'primaryTelexNumber' and set it to 'expired=true'. With
>> that the issue is solved, the LDAP query to check for a user that can
>> be allowed to login would be:
>>
>> '(&(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(primaryTelexNumber=*expired=true*)))'
>>
>> Using asterisks around 'expired=true' allows for other strings to be
>> added to this attribute, would there be the need for it.
>>
>> This is non-intrusive, it can be simply removed when Samba acquires
>> the real functionality.
> Forget ms-DS-User-Password-Expired, after a bit of checking, it seems
> that was only for ADAM and AD-LDS.
>
> However, can I introduce you to another constructed attribute (we need
> to document these somewhere) 'msDS-User-Account-Control-Computed'
Bingo:

ldbsearch -H /var/lib/samba/private/sam.ldb -b 'CN=test 1 user,OU=User Accounts,DC=samdom,DC=com' msDS-User-Account-Control-Computed 2> /dev/null
# record 1
dn: CN=test 1 user,OU=User Accounts,DC=samdom,DC=com
msDS-User-Account-Control-Computed: 8388608

# returned 1 records
# 1 entries
# 0 referrals

As it turns out, it works as shown above. However, filters based on this
computed value do not work:

ldbsearch -H /var/lib/samba/private/sam.ldb -b 'OU=User Accounts,DC=samdom,DC=com' '(msDS-User-Account-Control-Computed=8388608)' sAMAccountName msDS-User-Account-Control-Computed 2> /dev/null
# returned 0 records
# 0 entries
# 0 referrals

It looks like it is not fully implemented yet... and without the
filtering code it can't be used in search filters.


- Kees.


>
> Try that one.
>
> Rowland
>
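Added example, not code from this thread: since a server-side filter on msDS-User-Account-Control-Computed returns nothing, an application can instead read that attribute together with userAccountControl per user and apply the bit tests itself. The ldbsearch output below is constructed, modeled on the records shown above; bit 23 (8388608) is the password-expired flag and bit 1 (2) is the account-disabled flag.

```python
"""Client-side evaluation of expired / disabled state from ldbsearch output."""

UF_ACCOUNTDISABLE = 0x2          # bit 1 of userAccountControl (the :1.2.840.113556.1.4.803:=2 test)
UF_PASSWORD_EXPIRED = 0x800000   # bit 23 = 8388608, exposed via msDS-User-Account-Control-Computed


def parse_ldbsearch(text):
    """Parse LDIF-style ldbsearch output into a list of {attribute: value} dicts.

    Records are separated by blank lines, '#' lines are comments, and a line
    starting with a space continues the previous attribute value (LDIF folding).
    """
    records, current = [], {}
    for raw in text.splitlines():
        if raw.startswith(' ') and current:        # folded continuation line
            last_key = list(current)[-1]
            current[last_key] += raw[1:]
            continue
        line = raw.strip()
        if not line:                               # blank line closes a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith('#'):                   # "# record 1", "# returned ..."
            continue
        key, _, value = line.partition(':')
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def login_allowed(record):
    """True only if the account is neither disabled nor has an expired password."""
    uac = int(record.get('userAccountControl', '0'))
    computed = int(record.get('msDS-User-Account-Control-Computed', '0'))
    return not (uac & UF_ACCOUNTDISABLE) and not (computed & UF_PASSWORD_EXPIRED)


# Constructed sample: test1 has an expired password, test2 does not.
SAMPLE = """\
# record 1
dn: CN=test 1 user,OU=User Accounts,DC=samdom,DC=com
sAMAccountName: test1
userAccountControl: 512
msDS-User-Account-Control-Computed: 8388608

# record 2
dn: CN=test 2 user,OU=User Accounts,DC=samdom,DC=com
sAMAccountName: test2
userAccountControl: 512
msDS-User-Account-Control-Computed: 0

# returned 2 records
"""


def allowed_users(text=SAMPLE):
    """Return the sAMAccountNames that pass both checks."""
    return [r['sAMAccountName'] for r in parse_ldbsearch(text) if login_allowed(r)]
```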