Question for time based group membership in FL 2016

Rowland Penny rpenny at samba.org
Fri Feb 2 10:29:27 UTC 2024


On Thu, 1 Feb 2024 23:32:37 +0100
Kees van Vloten via samba-technical <samba-technical at lists.samba.org>
wrote:

> 
> On 01-02-2024 22:42, Rowland Penny via samba-technical wrote:
> > On Thu, 1 Feb 2024 22:16:35 +0100
> > Kees van Vloten via samba-technical
> > <samba-technical at lists.samba.org> wrote:
> >
> >> On 01-02-2024 21:38, Douglas Bagnall via samba-technical wrote:
> >>> On 2/02/24 07:22, Stefan Kania via samba-technical wrote:
> >>>> Hi to all,
> >>>>
> >>>> I already posted the question in the samba mailing list but I think
> >>>> it's more a question for developers :-)
> >>>>
> >>>> I have a question about FL 2016 and if samba supports it. If yes,
> >>>> how can I use it without powershell.
> >>>>
> >>>> In FL 2016 there is the possibility to put a user into a group
> >>>> and the membership is time based. So I could put the user Foo
> >>>> into the group 'domain admins' for 30 minutes and after 30
> >>>> minutes the system will remove user foo from the group.
> >>> That sounds good. We don't do that, and we don't call it part of
> >>> "functional level 2016".
> >>>
> >>> The things that count as "functional level" are listed here:
> >>>
> >>> https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
> >>>
> >>>
> >>> They are protocol level things -- supporting FL2016 means you can
> >>> properly be a DC in an FL2016 domain.
> >>>
> >>> Temporary membership is a useful trick that Windows Server 2016
> >>> can do, for which FL2016 is necessary, but not sufficient.
> >>>
> >>> That's my understanding, at least.
> >>>
> >>> Douglas
> >>>
> >>>
> >> Still, if you know what this powershell call changes in the LDAP
> >> record of the group, the user or elsewhere in LDAP, you can mimic
> >> this functionality quite easily with a little cron script on the
> >> DC.
> >>
> >> I have created a kind of similar implementation called auto-lock,
> >> where (admin-)users that are members of the "autolock" group
> >> automatically get disabled at midnight every day
> >> (https://github.com/kvvloten/samba_integrations/tree/main/domain_controller/manage_scripts#disable-special-users-daily)
> >>
> >> And another piece of cron-scripting makes "password expired" LDAP
> >> searchable (which is not the case with the computed attribute
> >> "msDS-User-Account-Control-Computed").
> > That attribute is searchable, it is one of the attributes you have
> > to explicitly ask for.
> 
> We had this discussion before: you can get it returned in an ldap
> query, but you can't use it in an ldap filter. Applications tend to
> use a filter to find users, so it does not work for my use case
> (with Privacyidea).

Fair enough, it isn't that Samba ldap is limited, it is a limitation of
the tool that you are using.

> 
> My workaround is to have a cron-script do the check and write the
> result in one of the unused attributes (e.g. the telex number), then
> the application can filter on that. Not the royal solution, but it
> works...
> 
> - Kees.
> 
> >
> >> With this applications like
> >> Privacyidea can disallow MFA for users with an expired domain
> >> password.
> >>
> >> It can't be hard to query some attribute and add or remove a user
> >> from a group.
> >>
> > Would that it was that easy, but as I said on the samba mailing
> > list, I am sure the timing is done in code, but I am sure that
> > those wiser than myself will know.
> >
> > Rowland
> >
> >
> >
> >
> >
> 

OK, I have been looking into this and from my googling, you need the
'Privileged Access Management Optional Feature', so that means 2016
functional level (at least), see:

https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/d079eee8-1bac-4b03-86e4-506a21450905

Samba will also need to implement the
LDAP_SERVER_LINK_TTL_OID: 1.2.840.113556.1.4.2309

Finally, it seems that Samba will need the code to tie all this together,
just having the functional level and OID will not be enough.

Not a five minute job by the sound of it.

Rowland
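As an added example (not code from this thread or from Kees's repository), here is an offline Python model of the cron workaround Kees describes: read the computed, non-filterable msDS-User-Account-Control-Computed attribute, derive a "password expired" flag from its UF_PASSWORD_EXPIRED bit, and plan the LDIF changes that keep a filterable attribute in sync. The flag attribute name telexNumber, the marker value pwd-expired and the sample entries are assumptions constructed for the example.

```python
"""Offline model of the cron workaround from the thread: derive a
filterable 'password expired' flag from the computed attribute (which
cannot be used in an LDAP filter) and plan the modifications a cron job
would apply with ldbmodify/ldapmodify."""

# Flag bit from the userAccountControl family (MS-ADTS / MS-SAMR).
UF_PASSWORD_EXPIRED = 0x00800000  # 8388608

# Assumptions: the thread only says "one of the unused attributes
# (e.g. the telex number)"; the marker value is made up here.
FLAG_ATTR = "telexNumber"
FLAG_VALUE = "pwd-expired"

def password_expired(uac_computed):
    """True when msDS-User-Account-Control-Computed carries UF_PASSWORD_EXPIRED."""
    return bool(int(uac_computed) & UF_PASSWORD_EXPIRED)

def plan_changes(entries):
    """Return (dn, operation) pairs so FLAG_ATTR mirrors the computed bit.
    Only entries whose flag is out of sync produce a change (idempotent)."""
    changes = []
    for entry in entries:
        expired = password_expired(entry["msDS-User-Account-Control-Computed"])
        flagged = entry.get(FLAG_ATTR) == FLAG_VALUE
        if expired and not flagged:
            changes.append((entry["dn"], "add"))
        elif flagged and not expired:
            changes.append((entry["dn"], "delete"))
    return changes

def to_ldif(changes):
    """Render the plan as LDIF modify records."""
    records = [f"dn: {dn}\nchangetype: modify\n{op}: {FLAG_ATTR}\n"
               f"{FLAG_ATTR}: {FLAG_VALUE}\n-\n" for dn, op in changes]
    return "\n".join(records)

def app_filter():
    """Filter an application (e.g. privacyIDEA) can use once the flag exists."""
    return f"(&(objectClass=user)({FLAG_ATTR}={FLAG_VALUE}))"

# Constructed sample entries, shaped like a search result that explicitly
# requested msDS-User-Account-Control-Computed (it is not returned by default).
SAMPLE_ENTRIES = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=com",
     "msDS-User-Account-Control-Computed": "8388608"},                    # expired, not flagged
    {"dn": "CN=bob,CN=Users,DC=example,DC=com",
     "msDS-User-Account-Control-Computed": "0", FLAG_ATTR: FLAG_VALUE},   # stale flag
    {"dn": "CN=carol,CN=Users,DC=example,DC=com",
     "msDS-User-Account-Control-Computed": "8388608", FLAG_ATTR: FLAG_VALUE},  # in sync
]

if __name__ == "__main__":
    print(to_ldif(plan_changes(SAMPLE_ENTRIES)))
```

Running the module prints two LDIF records (add the flag for alice, delete the stale flag for bob); carol is already in sync and is left alone.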