[Samba] time based group membership in FL 2016

Stefan Kania stefan at kania-online.de
Wed Jan 31 19:40:28 UTC 2024



On 31.01.24 at 20:36, Rowland Penny via samba wrote:
> On Wed, 31 Jan 2024 20:02:55 +0100
> Stefan Kania via samba <samba at lists.samba.org> wrote:
> 
>>
>>
>> On 31.01.24 at 17:45, Kees van Vloten via samba wrote:
>>>
>>> On 31-01-2024 at 17:21, Stefan Kania via samba wrote:
>>>> Hi all,
>>>>
>>>> it's again a question about FL 2016 and whether samba supports it. If
>>>> yes, how can I use it without powershell?
>>>>
>>>> In FL 2016 there is the possibility to put a user into a group and
>>>> the membership is time based. So I could put the user Foo into the
>>>> group 'domain admins' for 30 minutes and after 30 minutes the
>>>> system will remove user foo from the group.
>>>>
>>>> But to activate this feature you have to give a powershell
>>>> command: ----------------
>>>> Enable-ADOptionalFeature "Privileged Access Management Feature"
>>>> -Scope ForestOrConfigurationSet -Target "example.net"
>>>> -----------------
>>>>
>>>> This feature, once enabled, can't be disabled anymore.
>>>>
>>>> Then I could add a user to a group:
>>>> ---------------
>>>> Add-ADGroupMember -Identity "Domain Admins" -Members "Foo"
>>>> -MemberTimeToLive (New-TimeSpan -Minutes 30)
>>>> ---------------
>>>>
>>>> After 30 minutes Foo will be removed automatically.
>>>>
>>>> But if this feature is supported by samba 4.19 or 4.20 with FL
>>>> 2016 activated, how could I set this?
>>>
>>> I am not aware of the developments on this.
>>>
>>> But in general, what I would do is: execute the powershell command
>>> and then check with "samba-tool group show" or ldbsearch what
>>> attributes were set.
>>>
>>> If you know what it does under the hood, it is easy enough to
>>> create some scripting to mimic the behaviour.
>>>
>>> - Kees.
>>>
>> I can install powershell on my DC but the Linux powershell does not
>> support the AD commands :-(
>>
>> Maybe someone has a different solution to my problem. We have a lot
>> of Admins managing the AD (all over the world). Yes, it's samba :-).
>> We want to restrict admins from logging in to the DCs via ssh. Ssh login
>> should only be possible if an admin sends a request via a ticket
>> system and the ticket management team then adds him to a special
>> group for a certain period of time. During this time he can log in
>> via ssh. After the time is over, he will be removed automatically
>> from the group, so then he can't log in on the DC anymore. That's why
>> I thought about time based group membership. But this function needs
>> FL 2016.
>>
>> Allowing only users of a certain group to log in via ssh is not the problem.
>>
>> Stefan
>>
>>>>
>>>> Stefan
>>>>
> 
> I think this is going to require code to get it to work. Just adding an
> attribute (if that is what is happening?) will not be enough, there
> must be something that either counts down to 0 and then removes the
> user from the group, or constantly checks AD and then removes the user
> from the group at the relevant time, or something along those lines.
> 
> Rowland
> MS is doing this via a Kerberos TTL with the time based groups
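An added example, not code from Samba or from anyone in this thread, of the "scripting to mimic the behaviour" Kees suggests for the ticket-driven ssh-access workflow: a small JSON ledger records who was added to which group until when, and a periodic run emits the `samba-tool group removemembers` commands for grants that have expired. The group and user names are constructed sample values; the ledger path is an assumption.

```python
"""Ledger-based stand-in for time-limited group membership (added example).

grant()  records a membership with an expiry and returns the samba-tool
         command that adds the member; a repeated grant extends the expiry.
expire() runs periodically (e.g. from cron), drops expired grants and
         returns the samba-tool commands that remove those members again.
"""
import json
from datetime import datetime, timedelta, timezone


def grant(ledger, user, group, minutes, now):
    """Allow `user` in `group` until now + minutes. Returns the add command,
    or None when an unexpired grant already exists (its expiry is extended)."""
    new_expiry = now + timedelta(minutes=minutes)
    for g in ledger:
        old_expiry = datetime.fromisoformat(g["expires"])
        if g["user"] == user and g["group"] == group and old_expiry > now:
            g["expires"] = max(old_expiry, new_expiry).isoformat()
            return None
    ledger.append({"user": user, "group": group, "expires": new_expiry.isoformat()})
    return ["samba-tool", "group", "addmembers", group, user]


def expire(ledger, now):
    """Remove grants whose expiry has passed; return the removal commands.
    The ledger list is updated in place so it can be saved afterwards."""
    commands, remaining = [], []
    for g in ledger:
        if datetime.fromisoformat(g["expires"]) <= now:
            commands.append(["samba-tool", "group", "removemembers", g["group"], g["user"]])
        else:
            remaining.append(g)
    ledger[:] = remaining
    return commands


def load_ledger(path="/var/lib/ssh-grants.json"):  # path is an assumption
    """Read the ledger, or start empty when it does not exist yet."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except FileNotFoundError:
        return []


def save_ledger(ledger, path="/var/lib/ssh-grants.json"):
    """Persist the ledger between cron runs."""
    with open(path, "w") as fh:
        json.dump(ledger, fh, indent=2)
```

Each returned command list can be passed straight to `subprocess.run` on the DC; the expire step is what the Windows side does via the TTL, so it must run at least as often as the shortest grant you hand out.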