[Samba] Fwd: query account expired state

Kees van Vloten keesvanvloten at gmail.com
Sun Oct 29 18:54:24 UTC 2023


On 29-10-2023 at 19:01, Rowland Penny via samba wrote:
> On Sun, 29 Oct 2023 18:10:52 +0100
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> On 28-10-2023 at 17:19, Rowland Penny via samba wrote:
>>> On Sat, 28 Oct 2023 16:22:23 +0200
>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 28-10-2023 at 14:21, Rowland Penny via samba wrote:
>>>>> On Sat, 28 Oct 2023 13:50:31 +0200
>>>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>>>> I consider this a big security omission: if Samba is the
>>>>>>>> source of information but not the authenticator of the
>>>>>>>> user, that application cannot block expired users!
>>>>>>> But, Samba when running as an AD DC is the source of information
>>>>>>> AND the source of authentication. A user with an expired
>>>>>>> password will not be allowed to logon.
>>>>>> You are right, this is preferable, but not always the case.
>>>>>>
>>>>>> For example Samba does not support MFA; an application that does
>>>>>> this can use Samba as its user database but has to perform the
>>>>>> MFA authentication with its own mechanism.
>>>>>>
>>>>>> The situation I have is that you can login with MFA (from
>>>>>> internet) while you are blocked with normal authentication (when
>>>>>> in the office) when your password is expired. That is definitely
>>>>>> not alright!
>>>>> It isn't, but I would say that is a failing in the MFA rather than
>>>>> Samba AD.
>>>> Not really, there is no way you can make an LDAP filter to see that
>>>> an account is expired. Samba simply does not provide that
>>>> information in a form that can be used in an application filter
>>>> (which is the same as a single ldapsearch command).
>>>>
>>>> Your suggestion below to have 'ms-DS-User-Password-Expired' would
>>>> solve the whole issue and so does setting bit-23 in
>>>> 'userAccountControl'.
>>>>
>>>> But both are not implemented yet, i.e. for the time being a
>>>> workaround is required for this piece of functionality. That brings
>>>> me back to the plan of making a small cron-script for this purpose.
>>>>
>>>> To prevent a potential race condition between Samba updating something
>>>> in 'userAccountControl' and the cron-script doing so as well, it might be a
>>>> better idea to use another user attribute, for example the nowadays
>>>> obscure 'primaryTelexNumber', and set it to 'expired=true'. With
>>>> that the issue is solved; the LDAP query to check for a user that
>>>> can be allowed to login would be:
>>>>
>>>> '(&(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(primaryTelexNumber=*expired=true*)))'
>>>>
>>>> Using asterisks around 'expired=true' allows for other strings to be
>>>> added to this attribute, should there be a need for it.
>>>>
>>>> This is non-intrusive, it can be simply removed when Samba acquires
>>>> the real functionality.
>>> Forget ms-DS-User-Password-Expired, after a bit of checking, it
>>> seems that was only for ADAM and AD-LDS.
>>>
>>> However, can I introduce you to another constructed attribute (we
>>> need to document these somewhere)
>>> 'msDS-User-Account-Control-Computed'
>> Bingo:
>>
>> ldbsearch -H /var/lib/samba/private/sam.ldb \
>>   -b 'CN=test 1 user,OU=User Accounts,DC=samdom,DC=com' \
>>   msDS-User-Account-Control-Computed 2> /dev/null
>> # record 1
>> dn: CN=test 1 user,OU=User Accounts,DC=samdom,DC=com
>> msDS-User-Account-Control-Computed: 8388608
>>
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>>
>> As it turns out, it works as shown above. However filters based on
>> this computed value do not work:
>>
>> ldbsearch -H /var/lib/samba/private/sam.ldb \
>>   -b 'OU=User Accounts,DC=samdom,DC=com' \
>>   '(msDS-User-Account-Control-Computed=8388608)' \
>>   sAMAccountName msDS-User-Account-Control-Computed 2> /dev/null
>> # returned 0 records
>> # 0 entries
>> # 0 referrals
>>
>> It looks like it is not fully implemented yet... and without the
>> filtering it can't be used in search filters.
>>
> Sorry, but I think it is the nearest you are going to get. You may not
> know this, but you have to explicitly ask for 'computed' attributes in
> the same way as getting the 'nTSecurityDescriptor' attribute.

Clear.

Still it is kind of unfortunate that the expiry does not show up in the 
filterable 'userAccountControl' and that the alternative 
'msDS-User-Account-Control-Computed' is computed and therefore not 
filterable.

On the other hand it is very possible that this is a limitation in MS' 
design and implementation and not an issue in Samba.

I have no Windows DCs and can't check that.

>
> To put it another way, the search is working in the expected fashion.
>
> I do not think that Samba AD works any differently to Windows AD when it
> comes to passwords, a user can change their password if it hasn't
> expired, if it has expired then an Admin must reset it for them.
>
> Rowland
>   
>
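Added example, not from this thread or from the Samba project: a small script that shows the two checks discussed above. First, decoding the value the DC returns in the computed attribute msDS-User-Account-Control-Computed (8388608 is the UF_PASSWORD_EXPIRED bit, 0x800000, from the MS-SAMR UF_* constants; lockout also only shows up there) and combining it with the stored userAccountControl bits on the client side. Second, since the computed attribute cannot be used in a filter, building a server-side filter from the stored attributes pwdLastSet and the domain's maxPwdAge, which is the way applications without access to the computed value usually approximate "password expired". The LDIF input is constructed to look like the ldbsearch output quoted in the thread; the filter assumes one domain-wide password policy and ignores fine-grained policies (PSOs), so it is an approximation of what the DC itself computes, not a replacement for it.

```python
#!/usr/bin/env python3
# Added example (not from the samba list thread or from Samba itself).
# Bits of userAccountControl / msDS-User-Account-Control-Computed (MS-SAMR UF_*).
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_PASSWORD_EXPIRED = 0x800000  # == 8388608, the value returned in the thread

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_LOCKOUT: "LOCKOUT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
}

# pwdLastSet is a FILETIME: 100 ns intervals since 1601-01-01 UTC.
EPOCH_DIFF_SECONDS = 11644473600  # 1601-01-01 -> 1970-01-01
HUNDRED_NS_PER_SECOND = 10_000_000
NEVER = -(2 ** 63)  # maxPwdAge value meaning "passwords never expire"


def unix_to_filetime(unix_seconds):
    return (unix_seconds + EPOCH_DIFF_SECONDS) * HUNDRED_NS_PER_SECOND


def flag_names(value):
    """Names of the known bits set in a userAccountControl-style integer."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def parse_ldif(text):
    """Minimal reader for ldbsearch/ldapsearch LDIF: list of dicts mapping
    attribute name -> list of values. '# ...' lines are skipped, a blank line
    ends an entry. Base64 ('::') values and continuation lines are not
    handled; none occur for the attributes used here."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            current.setdefault(name, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _int_attr(entry, name):
    return int(entry.get(name, ["0"])[0])


def password_expired(entry):
    """What the DC says, via the computed attribute (requested explicitly)."""
    computed = _int_attr(entry, "msDS-User-Account-Control-Computed")
    return bool(computed & UF_PASSWORD_EXPIRED)


def login_allowed(entry):
    """Client-side check: 'disabled' lives in userAccountControl, while
    'locked out' and 'password expired' only appear in the computed attribute."""
    uac = _int_attr(entry, "userAccountControl")
    computed = _int_attr(entry, "msDS-User-Account-Control-Computed")
    if uac & UF_ACCOUNTDISABLE:
        return False
    return not computed & (UF_LOCKOUT | UF_PASSWORD_EXPIRED)


def allowed_users_filter(max_pwd_age, now_unix):
    """Server-side filter for enabled users whose password has not aged out.
    max_pwd_age is the domain root's maxPwdAge, a negative number of 100 ns
    intervals (-36288000000000 is 42 days). pwdLastSet=0 means 'must change
    password at next logon', which the DC also reports as PASSWORD_EXPIRED,
    so it is excluded; DONT_EXPIRE_PASSWD accounts skip the age test.
    Assumes a single domain-wide policy (no PSOs)."""
    if max_pwd_age in (0, NEVER):
        raise ValueError("domain policy says passwords never expire")
    if max_pwd_age > 0:
        raise ValueError("maxPwdAge must be negative (relative interval)")
    cutoff = unix_to_filetime(now_unix) + max_pwd_age  # now minus the max age
    return (
        "(&(objectCategory=person)(objectClass=user)"
        "(!(userAccountControl:1.2.840.113556.1.4.803:=%d))"
        "(|(userAccountControl:1.2.840.113556.1.4.803:=%d)"
        "(&(!(pwdLastSet=0))(pwdLastSet>=%d))))"
    ) % (UF_ACCOUNTDISABLE, UF_DONT_EXPIRE_PASSWD, cutoff + 1)


# Constructed sample in the shape of the ldbsearch output quoted in the thread.
SAMPLE_LDIF = """\
# record 1
dn: CN=test 1 user,OU=User Accounts,DC=samdom,DC=com
sAMAccountName: test1
userAccountControl: 512
pwdLastSet: 133295000000000000
msDS-User-Account-Control-Computed: 8388608

# record 2
dn: CN=test 2 user,OU=User Accounts,DC=samdom,DC=com
sAMAccountName: test2
userAccountControl: 514
msDS-User-Account-Control-Computed: 0

# record 3
dn: CN=test 3 user,OU=User Accounts,DC=samdom,DC=com
sAMAccountName: test3
userAccountControl: 66048
pwdLastSet: 133430000000000000
msDS-User-Account-Control-Computed: 0

# returned 3 records
"""

if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        computed = _int_attr(entry, "msDS-User-Account-Control-Computed")
        print(entry["sAMAccountName"][0], flag_names(computed),
              "allowed:", login_allowed(entry))
    # 42-day policy evaluated at 2023-10-29 18:54:24 UTC (date of this mail)
    print(allowed_users_filter(-36288000000000, 1698605664))
```

The two checks do not give identical answers: the DC's computed value takes lockout, must-change-at-next-logon and any PSO into account, while the pwdLastSet filter only sees the domain-wide maxPwdAge. An application that can request the computed attribute per user (the ldbsearch call quoted above) should prefer it and use the filter only to narrow the candidate set.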


