Question for time based group membership in FL 2016

Kees van Vloten keesvanvloten at gmail.com
Thu Feb 1 22:32:37 UTC 2024


On 01-02-2024 22:42, Rowland Penny via samba-technical wrote:
> On Thu, 1 Feb 2024 22:16:35 +0100
> Kees van Vloten via samba-technical <samba-technical at lists.samba.org>
> wrote:
>
>> On 01-02-2024 21:38, Douglas Bagnall via samba-technical wrote:
>>> On 2/02/24 07:22, Stefan Kania via samba-technical wrote:
>>>> Hi to all,
>>>>
>>>> I already posted the question in the samba mailing list but I think
>>>> it's more a question for developers :-)
>>>>
>>>> I have a question about FL 2016 and if samba supports it. If yes,
>>>> how can I use it without powershell.
>>>>
>>>> In FL 2016 there is the possibility to put a user into a group and
>>>> the membership is time based. So I could put the user Foo into the
>>>> group 'domain admins' for 30 minutes and after 30 minutes the
>>>> system will remove user foo from the group.
>>> That sounds good. We don't do that, and we don't call it part of
>>> "functional level 2016".
>>>
>>> The things that count as "functional level" are listed here:
>>>
>>> https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
>>>
>>>
>>> They are protocol level things -- supporting FL2016 means you can
>>> properly be a DC in an FL2016 domain.
>>>
>>> Temporary membership is a useful trick that Windows Server 2016
>>> can do, for which FL2016 is necessary, but not sufficient.
>>>
>>> That's my understanding, at least.
>>>
>>> Douglas
>>>
>>>
>> Still, if you know what this powershell call changes in the LDAP
>> record of the group, the user or elsewhere in LDAP, you can mimic
>> this functionality quite easily with a little cron script on the DC.
>>
>> I have created a kind of similar implementation called auto-lock, where
>> (admin-)users that are members of the "autolock" group automatically get
>> disabled at midnight every day
>> (https://github.com/kvvloten/samba_integrations/tree/main/domain_controller/manage_scripts#disable-special-users-daily)
>>
>> And another piece of cron-scripting makes "password expired" LDAP
>> searchable (which is not the case with the computed attribute
>> "msDS-User-Account-Control-Computed").
> That attribute is searchable, it is one of the attributes you have to
> explicitly ask for.

We had this discussion before: you can get it returned in an ldap query,
but you can't use it in an ldap filter. Applications tend to use a
filter to find users, so it does not work for my use case (with
Privacyidea).

My workaround is to have a cron-script do the check and write the result 
in one of the unused attributes (e.g. the telex number), then the 
application can filter on that. Not the royal solution, but it works...

- Kees.

>
>> With this, applications like
>> Privacyidea can disallow MFA for users with an expired domain
>> password.
>>
>> It can't be hard to query some attribute and add or remove a user
>> from a group.
>>
> Would that it was that easy, but as I said on the samba mailing list, I
> am sure the timing is done in code, but I am sure that those wiser than
> myself will know.
>
> Rowland
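The workaround described above, as an added example that is not from this thread or from the linked repository: a Python cron helper that parses ldbsearch output in which msDS-User-Account-Control-Computed was requested explicitly (the thread notes it has to be asked for by name), tests the UF_PASSWORD_EXPIRED bit (0x00800000), and emits LDIF that sets or clears a marker in telexNumber so an application such as Privacyidea can filter on it. The marker value, the sample records and the use of ldbsearch/ldbmodify against sam.ldb on the DC are assumptions.

```python
"""Added cron-helper example: mirror the 'password expired' bit into a filterable attribute."""
UF_PASSWORD_EXPIRED = 0x00800000   # flag bit in msDS-User-Account-Control-Computed
MARKER_ATTR = "telexNumber"        # otherwise-unused attribute the application filters on
MARKER_VALUE = "PASSWORD_EXPIRED"  # assumed marker value, not a Samba convention

# Constructed sample of ldbsearch output (the computed attribute was requested explicitly)
SAMPLE_LDBSEARCH_OUTPUT = """\
# record 1
dn: CN=Foo,CN=Users,DC=example,DC=test
msDS-User-Account-Control-Computed: 8388608

# record 2
dn: CN=Bar,CN=Users,DC=example,DC=test
telexNumber: PASSWORD_EXPIRED
msDS-User-Account-Control-Computed: 0

# returned 2 records
"""

def password_expired(uac_computed):
    """True when the computed UAC value carries UF_PASSWORD_EXPIRED."""
    return bool(int(uac_computed) & UF_PASSWORD_EXPIRED)

def parse_ldbsearch(text):
    """Parse ldbsearch LDIF output into one {attr: value} dict per record."""
    entries, current, last = [], {}, None
    for line in text.splitlines() + [""]:        # trailing "" flushes the last record
        if not line.strip():                     # blank line ends a record
            if current:
                entries.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last:      # LDIF-folded continuation line
            current[last] += line[1:]
        elif not line.startswith("#"):           # skip comments and the record counter
            last, _, value = line.partition(": ")
            current[last] = value
    return entries

def modifications(entries):
    """LDIF modify records: set the marker for expired users, clear stale markers."""
    out = []
    for e in entries:
        expired = password_expired(e.get("msDS-User-Account-Control-Computed", "0"))
        marked = e.get(MARKER_ATTR) == MARKER_VALUE
        if expired and not marked:
            out.append(f"dn: {e['dn']}\nchangetype: modify\nreplace: {MARKER_ATTR}\n{MARKER_ATTR}: {MARKER_VALUE}\n-\n")
        elif marked and not expired:
            out.append(f"dn: {e['dn']}\nchangetype: modify\ndelete: {MARKER_ATTR}\n-\n")
    return out
```

On a DC the cron job would feed the real ldbsearch output (with msDS-User-Account-Control-Computed and telexNumber in the requested attribute list) through these two functions and pipe the joined result into ldbmodify against sam.ldb; users already carrying the marker produce no modification, so the job is idempotent.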
