[Samba] Fwd: query account expired state

Kees van Vloten keesvanvloten at gmail.com
Sun Oct 29 18:54:24 UTC 2023

On 29-10-2023 at 19:01, Rowland Penny via samba wrote:
> On Sun, 29 Oct 2023 18:10:52 +0100
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>> On 28-10-2023 at 17:19, Rowland Penny via samba wrote:
>>> On Sat, 28 Oct 2023 16:22:23 +0200
>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>> On 28-10-2023 at 14:21, Rowland Penny via samba wrote:
>>>>> On Sat, 28 Oct 2023 13:50:31 +0200
>>>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>>>>>> I consider this a big security omission: if Samba is the
>>>>>>>> source of information but not the authenticator of the
>>>>>>>> user, that application cannot block expired users!
>>>>>>> But, Samba when running as an AD DC is the source of information
>>>>>>> AND the source of authentication. A user with an expired
>>>>>>> password will not be allowed to logon.
>>>>>> You are right, this is preferable, but not always the case.
>>>>>> For example Samba does not support MFA, an application that does
>>>>>> this can use Samba as its user database but has to perform the
>>>>>> MFA authentication with its own mechanism.
>>>>>> The situation I have is that you can login with MFA (from
>>>>>> internet) while you are blocked with normal authentication (when
>>>>>> in the office) when your password is expired. That is definitely
>>>>>> not alright!
>>>>> It isn't, but I would say that is a failing in the MFA rather than
>>>>> Samba AD.
>>>> Not really, there is no way you can make an LDAP filter to see that
>>>> an account is expired. Samba simply does not provide that
>>>> information in a form that can be used in an application filter
>>>> (which is the same as a single ldapsearch command).
>>>> Your suggestion below to have 'ms-DS-User-Password-Expired' would
>>>> solve the whole issue and so does setting bit-23 in
>>>> 'userAccountControl'.
>>>> But both are not implemented yet, i.e. for the time being a
>>>> workaround is required for this piece of functionality. That brings
>>>> me back to the plan of making a small cron-script for this purpose.
>>>> To prevent a potential race condition with Samba updating something
>>>> in 'userAccountControl' and the cron-script as well, it might be a
>>>> better idea to use another user attribute, for example the nowadays
>>>> obscure 'primaryTelexNumber' and set it to 'expired=true'. With
>>>> that the issue is solved, the LDAP query to check for a user that
>>>> can be allowed to login would be:
>>>> '(&(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(primaryTelexNumber=*expired=true*)))'
>>>> Using asterisks around 'expired=true' allows for other strings to be
>>>> added to this attribute, would there be the need for it.
>>>> This is non-intrusive, it can be simply removed when Samba acquires
>>>> the real functionality.
>>> Forget ms-DS-User-Password-Expired, after a bit of checking, it
>>> seems that was only for ADAM and AD-LDS.
>>> However, can I introduce you to another constructed attribute (we
>>> need to document these somewhere)
>>> 'msDS-User-Account-Control-Computed'
>> Bingo:
>> ldbsearch -H /var/lib/samba/private/sam.ldb -b 'CN=test 1 user,OU=User Accounts,DC=samdom,DC=com' msDS-User-Account-Control-Computed 2> /dev/null
>> # record 1
>> dn: CN=test 1 user,OU=User Accounts,DC=samdom,DC=com
>> msDS-User-Account-Control-Computed: 8388608
>>
>> # returned 1 records
>> # 1 entries
>> # 0 referrals
>> As it turns out, it works as shown above. However filters based on
>> this computed value do not work:
>> ldbsearch -H /var/lib/samba/private/sam.ldb -b 'OU=User Accounts,DC=samdom,DC=com' '(msDS-User-Account-Control-Computed=8388608)' sAMAccountName msDS-User-Account-Control-Computed 2> /dev/null
>> # returned 0 records
>> # 0 entries
>> # 0 referrals
>> It looks like it is not fully implemented yet... and without the
>> filtering code it can't be used in search filters.
> Sorry, but I think it is the nearest you are going to get. You may not
> know this, but you have to explicitly ask for 'computed' attributes in
> the same way as getting the 'nTSecurityDescriptor' attribute.


Still it is kind of unfortunate that the expiry does not show up in the 
filterable 'userAccountControl' and that the alternative 
'msDS-User-Account-Control-Computed' is computed and therefore not 

On the other hand it is very possible that this is a limitation in MS' 
design and implementation and not an issue in Samba.

I have no Windows DCs and can't check that.

> To put it another way, the search is working in the expected fashion.
> I do not think that Samba AD works any differently to Windows AD when it
> comes to passwords, a user can change their password if it hasn't
> expired, if it has expired then an Admin must reset it for them.
> Rowland
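
The check and the cron workaround discussed above, as an added example that is not part of this thread or of Samba itself. Because msDS-User-Account-Control-Computed is a constructed attribute that ldbsearch returns only when asked for by name and that cannot be used in a server-side filter, this script does the filtering on the client: it parses ldbsearch output (the sample below is constructed in the layout shown in the thread, not real directory data), tests the userAccountControl and computed bits, and emits the ldbmodify LDIF that a cron job would apply to mirror the "password expired" bit into a plain, filterable attribute. Assumptions: the UF_* bit values are taken from MS-ADTS (0x2 is ACCOUNTDISABLE, the value the `:1.2.840.113556.1.4.803:=2` filter tests; 0x800000 is bit 23, PASSWORD_EXPIRED, the 8388608 seen above), and the `primaryTelexNumber` / `expired=true` convention is the one proposed in the thread, not anything Samba defines.

```python
"""
Client-side account-state check for Samba AD from ldbsearch output.
msDS-User-Account-Control-Computed is a constructed attribute: Samba returns it
when asked for by name but it cannot be used in a filter, so the check runs here.
"""

# userAccountControl bits (UF_* constants from MS-ADTS).
UF_ACCOUNTDISABLE = 0x0002      # tested by (userAccountControl:1.2.840.113556.1.4.803:=2)
UF_PASSWORD_EXPIRED = 0x800000  # bit 23 == 8388608, only visible in the computed attribute

UAC = "useraccountcontrol"
COMPUTED = "msds-user-account-control-computed"
FLAG_ATTR = "primaryTelexNumber"   # workaround attribute suggested in the thread (assumption)
FLAG_VALUE = "expired=true"

# Constructed sample in the layout ldbsearch prints; not real directory data.
SAMPLE_LDBSEARCH_OUTPUT = """\
# record 1
dn: CN=test 1 user,OU=User Accounts,DC=samdom,DC=com
sAMAccountName: test1
userAccountControl: 512
msDS-User-Account-Control-Computed: 8388608

# record 2
dn: CN=test 2 user,OU=User Accounts,DC=samdom,DC=com
sAMAccountName: test2
userAccountControl: 514
msDS-User-Account-Control-Computed: 0

# record 3
dn: CN=test 3 user,OU=User Accounts,DC=sam
 dom,DC=com
sAMAccountName: test3
userAccountControl: 512
msDS-User-Account-Control-Computed: 0
primaryTelexNumber: expired=true

# returned 3 records
# 3 entries
# 0 referrals
"""


def parse_ldif(text):
    """Parse ldbsearch/LDIF text into a list of {attr_lower: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold LDIF continuation lines
        else:
            lines.append(raw)
    entries = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue                        # blank separators and ldbsearch comments
        attr, _, value = line.partition(":")  # "attr:: base64" is not handled here
        key = attr.strip().lower()
        if key == "dn":
            entries.append({})
        if entries:
            entries[-1].setdefault(key, []).append(value.strip())
    return entries


def _flags(entry, key):
    return int(entry.get(key, ["0"])[0])


def blocked_reasons(entry):
    """Reasons to refuse a login; an empty list means the account may log in."""
    reasons = []
    if _flags(entry, UAC) & UF_ACCOUNTDISABLE:
        reasons.append("disabled")
    if _flags(entry, COMPUTED) & UF_PASSWORD_EXPIRED:
        reasons.append("password expired")
    return reasons


def login_allowed(entry):
    return not blocked_reasons(entry)


def account_states(ldbsearch_output):
    """sAMAccountName -> blocking reasons for every entry in the output."""
    return {e["samaccountname"][0]: blocked_reasons(e) for e in parse_ldif(ldbsearch_output)}


def workaround_ldif(entries):
    """ldbmodify LDIF that keeps FLAG_ATTR in step with the computed bit, so that
    (!(primaryTelexNumber=*expired=true*)) excludes expired users. Stale flags are
    removed; a delete is only emitted when the value is present, since deleting an
    absent value makes ldbmodify fail."""
    changes = []
    for e in entries:
        dn = e["dn"][0]
        expired = bool(_flags(e, COMPUTED) & UF_PASSWORD_EXPIRED)
        flagged = FLAG_VALUE in e.get(FLAG_ATTR.lower(), [])
        if expired and not flagged:
            changes.append(f"dn: {dn}\nchangetype: modify\nreplace: {FLAG_ATTR}\n"
                           f"{FLAG_ATTR}: {FLAG_VALUE}\n-\n")
        elif flagged and not expired:
            changes.append(f"dn: {dn}\nchangetype: modify\ndelete: {FLAG_ATTR}\n"
                           f"{FLAG_ATTR}: {FLAG_VALUE}\n-\n")
    return "\n".join(changes)
```

In a cron job the output of `workaround_ldif` would be fed to ldbmodify against sam.ldb after an ldbsearch that names msDS-User-Account-Control-Computed explicitly. Two caveats for anyone relying on the mirrored attribute: it is only as current as the cron interval, so an account whose password expires between runs is still accepted by the application until the next run, and any principal with write access to primaryTelexNumber on a user object can clear the flag, so that attribute needs the same access control as userAccountControl.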
