[Samba] time based group membership in FL 2016
Kees van Vloten
keesvanvloten at gmail.com
Wed Jan 31 16:45:25 UTC 2024
On 31-01-2024 at 17:21, Stefan Kania via samba wrote:
> Hi all,
>
> it's again a question about FL 2016 and if samba supports it. If yes,
> how can I use it without powershell.
>
> In FL 2016 there is the possibility to put a user into a group and the
> membership is time based. So I could put the user Foo into the group
> 'domain admins' for 30 minutes and after 30 minutes the system will
> remove user foo from the group.
>
> But to activate this feature you have to give a powershell command:
> ----------------
> Enable-ADOptionalFeature "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target example.net
> -----------------
>
> This feature once enabled can't be disabled anymore
>
> Then I could add a user to a group:
> ---------------
> Add-ADGroupMember -Identity "Domain Admins" -Members "Foo" -MemberTimeToLive (New-TimeSpan -Minutes 30)
> ---------------
>
> After 30 minutes Foo will be removed automatically.
>
> But if this feature is supported by samba 4.19 or 4.20 with FL 2016
> activated, how could I set this?
I am not aware of the developments on this.
But in general, what I would do is: execute the powershell command and
then check with "samba-tool group show" or ldbsearch what attributes
were set.
If you know what it does under the hood, it is easy enough to create
some scripting to mimic the behaviour.
- Kees.
>
> Stefan
>