[Samba] query account expired state
Kees van Vloten
keesvanvloten at gmail.com
Sat Oct 28 14:22:23 UTC 2023
Op 28-10-2023 om 14:21 schreef Rowland Penny via samba:
> On Sat, 28 Oct 2023 13:50:31 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>> I consider this a big security omission: if Samba is the source of
>>>> information but not the the authenticator of the user, that
>>>> application cannot block expired users !
>>> But, Samba when running as an AD DC is the source of information AND
>>> the source of authentication. A user with an expired password will
>>> not be allowed to logon.
>> You are right, this is preferable, but not always the case.
>> For example Samba does not support MFA, an application that does
>> this can use Samba as its user database but has to perform the MFA
>> authentication with its own mechanism.
>> The situation I have is that you can login with MFA (from internet)
>> while you are blocked with normal authentication (when in the office)
>> when your password is expired. That is definitely not alright!
> It isn't, but I would say that is a failing in the MFA rather than
> Samba AD.
Not really, there is no way you can make an LDAP filter to see that an
account is expired. Samba simply does not provide that information in a
form that can be used in an application filter (which is the same a
single ldapsearch command).
Your suggestion below to have 'ms-DS-User-Password-Expired' would solve
the whole issue and so does setting bit-23 in 'userAccountControl'.
But both are not implemented yet, i.e. for the time being a workaround
is required for this piece of functionality. That brings me back to the
plan of making a small cron-script for this purpose.
To prevent a potential race condition with Samba updating something in
'userAccountControl' and the cron-script as well, it might be a better
idea to use another user attribute, for example the nowadays obscure
'primaryTelexNumber ' and set it to 'expired=true'. With that the issue
is solved, the LDAP query to check for a user that can be allowed to
login would be:
Using asterisks around 'expired=true' allows for other string to be
added to this attribute, would there be the need for it.
This is non-intrusive, it can be simply removed when Samba acquires the
What about the other question: for testing purposes it would be so handy
to be able to set expiry on an account by hand. What would be an easy
way to do that? I would think an ldbmodify, but what would be the
>>>> How to proceed from here?
>>>> I guess the real fix to update 'userAccountControl' and/or
>>>> 'accountExpires' need changes in Samba's C code. In the meantime I
>>>> would like to close this gap, so I am tempted to write a
>>>> cron-script to check expiry and then update 'userAccountControl'
>>>> every minute or so.
>>>> Any other thoughts?
>>> I am not sure if Unix can use 'userAccountControl' and even if it
>> You can, I used it in the past to set 512 / 514 for enabled /
>> disabled account.
> I was actually referring to the password expired part.
>> Now I am using samba-tool for it because that is
>> easier with a bit-field (because other values than 512/ 514 can be
>> there and you just want to toggle bit-1 (the 2), which would make the
>> code a bit complexer).
>> As an alternative the cron-script you set / reset some value in
>> another (used) attribute, which can then be used in queries.
>>> you are still going to need a script to check if it contains
>> This is easy, there is a special LDAP function to query bit-values,
>> the same as for account disabled:
>> (!(userAccountControl:1.2.840.1135184.108.40.2063:=2)) # for not disabled
>> (!(userAccountControl:1.2.840.1135220.127.116.113:=8388608)) # for not
> I always forget those, good job someone knows what they are doing ;-)
> What would be better is if Samba could be made to understand
More information about the samba