Question for time based group membership in FL 2016

Rowland Penny rpenny at samba.org
Fri Feb 2 11:44:11 UTC 2024


On Fri, 2 Feb 2024 12:19:35 +0100
Kees van Vloten via samba-technical <samba-technical at lists.samba.org>
wrote:

> 
> On 02-02-2024 11:29, Rowland Penny via samba-technical wrote:
> > On Thu, 1 Feb 2024 23:32:37 +0100
> > Kees van Vloten via samba-technical
> > <samba-technical at lists.samba.org> wrote:
> >
> >> On 01-02-2024 22:42, Rowland Penny via samba-technical wrote:
> >>> On Thu, 1 Feb 2024 22:16:35 +0100
> >>> Kees van Vloten via samba-technical
> >>> <samba-technical at lists.samba.org> wrote:
> >>>
> >>>> On 01-02-2024 21:38, Douglas Bagnall via samba-technical wrote:
> >>>>> On 2/02/24 07:22, Stefan Kania via samba-technical wrote:
> >>>>>> Hi to all,
> >>>>>>
> >>>>>> I already posted the question in the samba mailing list but I
> >>>>>> think it's more a question for developers :-)
> >>>>>>
> >>>>>> I have a question about FL 2016 and if samba supports it. If
> >>>>>> yes, how can I use it without powershell.
> >>>>>>
> >>>>>> In FL 2016 there is the possibility to put a user into a group
> >>>>>> and the membership is time based. So I could put the user Foo
> >>>>>> into the group 'domain admins' for 30 minutes and after 30
> >>>>>> minutes the system will remove user foo from the group.
> >>>>> That sounds good. We don't do that, and we don't call it part of
> >>>>> "functional level 2016".
> >>>>>
> >>>>> The things that count as "functional level" are listed here:
> >>>>>
> >>>>> https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
> >>>>>
> >>>>>
> >>>>> They are protocol level things -- supporting FL2016 means you
> >>>>> can properly be a DC in an FL2016 domain.
> >>>>>
> >>>>> Temporary memberships are a useful trick that Windows Server 2016
> >>>>> can do, for which FL2016 is necessary, but not sufficient.
> >>>>>
> >>>>> That's my understanding, at least.
> >>>>>
> >>>>> Douglas
> >>>>>
> >>>>>
> >>>> Still, if you know what this powershell call changes in the LDAP
> >>>> record of the group, the user or elsewhere in LDAP, you can mimic
> >>>> this functionality quite easily with a little cron script on the
> >>>> DC.
> >>>>
> >>>> I have created a kind of similar implementation called auto-lock,
> >>>> where (admin-)users that are members of the "autolock" group
> >>>> automatically get disabled at midnight every day
> >>>> (https://github.com/kvvloten/samba_integrations/tree/main/domain_controller/manage_scripts#disable-special-users-daily)
> >>>>
> >>>> And another piece of cron-scripting makes "password expired" LDAP
> >>>> searchable (which is not the case with the computed attribute
> >>>> "msDS-User-Account-Control-Computed").
> >>> That attribute is searchable, it is one of the attributes you have
> >>> to explicitly ask for.
> >> We had this discussion before: you can get it returned in an ldap
> >> query, but you can't use it in an ldap filter. Applications tend to
> >> use a filter to find users, so it does not work for my usecase
> >> (with Privacyidea).
> > Fair enough, it isn't that Samba ldap is limited, it is a
> > limitation of the tool that you are using.
> 
> Sure, but there are not many applications where you can do things
> with retrieved attributes and multiple ldap-searches in the selection
> of users and groups.
> 
> Most (nearly all?) applications allow just server settings, bind
> settings, base-dn, a ldap-filter and sometimes attribute mapping.
> That includes big names like Postfix and Dovecot.
> 
> I would think this is more a Microsoft limitation than anything else.
> Or perhaps it is even generic for ldap, I have no clue how OpenLdap
> treats computed attributes.

I do not think that openldap has computed attributes, so I don't think
you can say it is a Microsoft limitation, I would say that it was more
of an 'extension' and is something that most Linux tools are not
capable of dealing with, if only because they are designed to work with
openldap and Microsoft ldap is an afterthought.

From my 'limited' understanding, time limited group membership is
totally controlled by the AD DCs, the user is a group member until the
TTL expires and then they are not.

> 
> Then again, it does not matter much what the root-cause of the
> limitation is, more important is how to overcome it :-)

Totally agree, but until the problem is fully understood, it cannot be
fixed ;-)

Rowland
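The point made in the thread is that msDS-User-Account-Control-Computed can be returned but not used in an LDAP filter, so a "password expired" or "locked out" selection has to be done client-side (which is what a cron script on the DC would do). The following is an added example, not code from the thread or from Samba: it parses a constructed ldbsearch-style LDIF dump and applies the flag mask in Python. The flag values are the documented userAccountControl bits; the sample entries and account names are constructed.

```python
"""Client-side selection on the computed attribute msDS-User-Account-Control-Computed."""
from typing import Dict, List

# Documented userAccountControl / msDS-User-Account-Control-Computed bits
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010
UF_PASSWORD_EXPIRED = 0x800000

# Constructed sample shaped like the output of:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' \
#       sAMAccountName msDS-User-Account-Control-Computed
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
msDS-User-Account-Control-Computed: 8388608

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
msDS-User-Account-Control-Computed: 0

dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
msDS-User-Account-Control-Computed: 16
"""


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: one dict per entry; ignores folding and base64 values."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return entries


def flagged_accounts(ldif_text: str, mask: int) -> List[str]:
    """Return sAMAccountNames whose computed UAC value has every bit of `mask` set.

    This is the filtering step an LDAP server filter cannot do for a computed
    attribute; a cron job could write the result into a plain, searchable attribute.
    """
    names = []
    for entry in parse_ldif(ldif_text):
        uac = int(entry.get("msDS-User-Account-Control-Computed", "0"))
        if uac & mask == mask:
            names.append(entry["sAMAccountName"])
    return names
```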
