[Samba] time based group membership in FL 2016

Kees van Vloten keesvanvloten at gmail.com
Wed Jan 31 16:45:25 UTC 2024


Op 31-01-2024 om 17:21 schreef Stefan Kania via samba:
> Hi all,
>
> it's again a question about FL 2016 and if samba supports it. If yes, 
> how can I use it without powershell.
>
> In FL 2016 there is the possibility to put a user into a group and the 
> membership is time based. So I could put the user Foo into the group 
> 'domain admins' for 30 minutes and after 30 minutes the system will 
> remove user foo from the group.
>
> But to activate this feature you have to give a PowerShell command:
> ----------------
> Enable-ADOptionalFeature "Privileged Access Management Feature" -Scope 
> ForestOrConfigurationSet -Target example.net
> -----------------
>
> This feature once enabled can't be disabled anymore
>
> Then I could add a user to a group:
> ---------------
> Add-ADGroupMember -Identity "Domain Admins" -Members "Foo" 
> -MemberTimeToLive (New-TimeSpan -Minutes 30)
> ---------------
>
> After 30 minutes Foo will be removed automatically.
>
> But if this feature is supported by samba 4.19 or 4.20 with FL 2016 
> activated, how could I set this?

I am not aware of the developments on this.

But in general, what I would do is: execute the PowerShell command and 
then check with "samba-tool group show" or ldbsearch what attributes 
were set.

If you know what it does under the hood, it is easy enough to create 
some scripting to mimic the behaviour.

- Kees.

>
> Stefan
>
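
The before/after comparison suggested in the reply can be scripted. The following is an added example, not part of the original thread and not Samba code: it diffs two LDIF snapshots of the same object, such as `ldbsearch` output saved before and after the change. The names `parse_ldif`, `diff_snapshots` and `NOISE` are hypothetical, and the sample LDIF is constructed and does not show what the feature actually writes.

```python
import base64
import re

NOISE = frozenset({"whenchanged", "usnchanged"})  # rewritten on every change

def parse_ldif(text):
    """Return {dn: {attr_lowercase: set(values)}}; unfolds continuation lines."""
    entries, current = {}, None
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue  # comment, blank line or junk
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr.lower(), set()).add(value)
    return entries

def diff_snapshots(before, after, ignore=NOISE):
    """Return [(dn, attr, '+' or '-', value)] for values added or removed."""
    old, new = parse_ldif(before), parse_ldif(after)
    changes = []
    for dn in sorted(set(old) | set(new)):
        o, n = old.get(dn, {}), new.get(dn, {})
        for attr in sorted((set(o) | set(n)) - set(ignore)):
            gone = o.get(attr, set()) - n.get(attr, set())
            added = n.get(attr, set()) - o.get(attr, set())
            changes += [(dn, attr, "-", v) for v in sorted(gone)]
            changes += [(dn, attr, "+", v) for v in sorted(added)]
    return changes

# Constructed snapshots of one group; the values are illustrative only.
BEFORE = """dn: CN=Domain Admins,CN=Users,DC=example,DC=net
member: CN=Administrator,CN=Users,DC=example,DC=net
whenChanged: 20240131160000.0Z
"""
AFTER = """dn: CN=Domain Admins,CN=Users,DC=example,DC=net
member: CN=Administrator,CN=Users,DC=example,DC=net
member: CN=Foo,CN=Users,
 DC=example,DC=net
whenChanged: 20240131164500.0Z
"""

if __name__ == "__main__":
    print(*diff_snapshots(BEFORE, AFTER, ignore=()), sep="\n")
```

Pass `ignore=()` to see every changed attribute, including the ones in `NOISE` that are hidden by default.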


