[Samba] Fwd: query account expired state

Kees van Vloten keesvanvloten at gmail.com
Sun Oct 29 17:10:52 UTC 2023

Op 28-10-2023 om 17:19 schreef Rowland Penny via samba:
> On Sat, 28 Oct 2023 16:22:23 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>> Op 28-10-2023 om 14:21 schreef Rowland Penny via samba:
>>> On Sat, 28 Oct 2023 13:50:31 +0200
>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>>>> I consider this a big security omission: if  Samba is the source
>>>>>> of information but not the the authenticator of the user, that
>>>>>> application cannot block expired users !
>>>>> But, Samba when running as an AD DC is the source of information
>>>>> AND the source of authentication. A user with an expired password
>>>>> will not be allowed to logon.
>>>> You are right, this is preferable, but not always the case.
>>>> For example Samba does not support  MFA, an application that does
>>>> this can use Samba as its user database but has to perform the MFA
>>>> authentication with its own mechanism.
>>>> The situation I have is that you can login with MFA (from internet)
>>>> while you are blocked with normal authentication (when in the
>>>> office) when your password is expired. That is definitely not
>>>> alright!
>>> It isn't, but I would say that is a failing in the MFA rather than
>>> Samba AD.
>> Not really, there is no way you can make an LDAP filter to see that
>> an account is expired. Samba simply does not provide that information
>> in a form that can be used in an application filter (which is the
>> same a single ldapsearch command).
>> Your suggestion below to have 'ms-DS-User-Password-Expired' would
>> solve the whole issue and so does setting bit-23 in
>> 'userAccountControl'.
>> But both are not implemented yet, i.e. for the time being a
>> workaround is required for this piece of functionality. That brings
>> me back to the plan of making a small cron-script for this purpose.
>> To prevent a potential race condition with Samba updating something
>> in 'userAccountControl' and the cron-script as well, it might be a
>> better idea to use another user attribute, for example the nowadays
>> obscure 'primaryTelexNumber ' and set it to 'expired=true'. With
>> that the issue is solved, the LDAP query to check for a user that can
>> be allowed to login would be:
>> '(&(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(primaryTelexNumber=*expired=true*)))'
>> Using asterisks around 'expired=true' allows for other string to be
>> added to this attribute, would there be the need for it.
>> This is non-intrusive, it can be simply removed when Samba acquires
>> the real functionality.
> Forget ms-DS-User-Password-Expired, after a bit of checking, it seems
> that was only for ADAM and AD-LDS.
> However, can I introduce you to another constructed attribute (we need
> to document these somewhere) 'msDS-User-Account-Control-Computed'

ldbsearch -H /var/lib/samba/private/sam.ldb -b 'CN=test 1 user,OU=User 
Accounts,DC=samdom,DC=com' msDS-User-Account-Control-Computed 2> /dev/null
# record 1
dn: CN=test 1 user,OU=User Accounts,DC=samdom,DC=com
msDS-User-Account-Control-Computed: 8388608

# returned 1 records
# 1 entries
# 0 referrals

As it turns out, it works as shown above. However filters based on this 
computed value do not work:

ldbsearch -H /var/lib/samba/private/sam.ldb -b 'OU=User 
'(msDS-User-Account-Control-Computed=8388608)' sAMAccountName 
msDS-User-Account-Control-Computed 2> /dev/null
# returned 0 records
# 0 entries
# 0 referrals

It looks like it is not fully implemented yet...  and without the 
filtering  code can't be used search filters.

- Kees.

> Try that one.
> Rowland

More information about the samba mailing list