On Sun, 29 Oct 2023 18:10:52 +0100
Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
> On 28-10-2023 at 17:19, Rowland Penny via samba wrote:
> > On Sat, 28 Oct 2023 16:22:23 +0200
> > Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >
> >> On 28-10-2023 at 14:21, Rowland Penny via samba wrote:
> >>> On Sat, 28 Oct 2023 13:50:31 +0200
> >>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
> >>>
> >>>>>> I consider this a big security omission: if Samba is the
> >>>>>> source of information but not the authenticator of the
> >>>>>> user, that application cannot block expired users!
> >>>>> But, Samba when running as an AD DC is the source of information
> >>>>> AND the source of authentication. A user with an expired
> >>>>> password will not be allowed to logon.
> >>>> You are right, this is preferable, but not always the case.
> >>>>
> >>>> For example, Samba does not support MFA; an application that does
> >>>> this can use Samba as its user database but has to perform the
> >>>> MFA authentication with its own mechanism.
> >>>>
> >>>> The situation I have is that you can login with MFA (from
> >>>> internet) while you are blocked with normal authentication (when
> >>>> in the office) when your password is expired. That is definitely
> >>>> not alright!
> >>> It isn't, but I would say that is a failing in the MFA rather than
> >>> Samba AD.
> >> Not really, there is no way you can make an LDAP filter to see that
> >> an account is expired. Samba simply does not provide that
> >> information in a form that can be used in an application filter
> >> (which is the same as a single ldapsearch command).
> >>
> >> Your suggestion below to have 'ms-DS-User-Password-Expired' would
> >> solve the whole issue and so does setting bit-23 in
> >> 'userAccountControl'.
> >>
> >> But both are not implemented yet, i.e. for the time being a
> >> workaround is required for this piece of functionality. That brings
> >> me back to the plan of making a small cron-script for this purpose.
> >>
> >> To prevent a potential race condition with Samba updating something
> >> in 'userAccountControl' and the cron-script as well, it might be a
> >> better idea to use another user attribute, for example the nowadays
> >> obscure 'primaryTelexNumber' and set it to 'expired=true'. With
> >> that the issue is solved, the LDAP query to check for a user that
> >> can be allowed to login would be:
> >>
> >> '(&(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(primaryTelexNumber=*expired=true*)))'
> >>
> >> Using asterisks around 'expired=true' allows for other strings to be
> >> added to this attribute, would there be the need for it.
> >>
> >> This is non-intrusive, it can be simply removed when Samba acquires
> >> the real functionality.
> > Forget ms-DS-User-Password-Expired, after a bit of checking, it
> > seems that was only for ADAM and AD-LDS.
> >
> > However, can I introduce you to another constructed attribute (we
> > need to document these somewhere)
> > 'msDS-User-Account-Control-Computed'
> Bingo:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b 'CN=test 1 user,OU=User Accounts,DC=samdom,DC=com' msDS-User-Account-Control-Computed 2> /dev/null
> # record 1
> dn: CN=test 1 user,OU=User Accounts,DC=samdom,DC=com
> msDS-User-Account-Control-Computed: 8388608
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> As it turns out, it works as shown above. However, filters based on
> this computed value do not work:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b 'OU=User Accounts,DC=samdom,DC=com' '(msDS-User-Account-Control-Computed=8388608)' sAMAccountName msDS-User-Account-Control-Computed 2> /dev/null
> # returned 0 records
> # 0 entries
> # 0 referrals
>
> It looks like it is not fully implemented yet... and without the
> filtering code it can't be used in search filters.
>
Sorry, but I think it is the nearest you are going to get. You may not
know this, but you have to explicitly ask for 'computed' attributes in
the same way as getting the 'nTSecurityDescriptor' attribute.
To put it another way, the search is working in the expected fashion.
I do not think that Samba AD works any differently to Windows AD when it
comes to passwords: a user can change their password if it hasn't
expired; if it has expired then an Admin must reset it for them.
Rowland
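The thread ends with the point that msDS-User-Account-Control-Computed has to be requested by name and cannot be used inside a search filter, so an application wanting to refuse password-expired users must fetch the attribute and test bit 23 (8388608) itself. The following is an added example, not code from the thread or from Samba, that parses ldbsearch output in the layout shown above (the two records are constructed) and applies that check, together with the userAccountControl disable bit from Kees' filter, on the client side.

```python
"""Added example: client-side 'may this user log in?' check for Samba AD, fed by
ldbsearch output that names userAccountControl and msDS-User-Account-Control-Computed
explicitly (the computed attribute cannot be used in a search filter)."""
import re
from dataclasses import dataclass

UF_ACCOUNTDISABLE = 0x0002      # userAccountControl bit 1 (the ...803:=2 filter term)
UF_PASSWORD_EXPIRED = 0x800000  # bit 23 = 8388608, the value seen in the thread

@dataclass
class AccountStatus:
    dn: str
    uac: int        # userAccountControl as stored in the directory
    computed: int   # msDS-User-Account-Control-Computed, built by the DC per query

    def password_expired(self) -> bool:
        return bool(self.computed & UF_PASSWORD_EXPIRED)

    def login_allowed(self) -> bool:
        return not (self.uac & UF_ACCOUNTDISABLE) and not self.password_expired()

def parse_ldb_output(text: str) -> list[AccountStatus]:
    """Records are separated by blank lines; '#' lines are ldbsearch chatter."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {k.strip().lower(): v.strip() for k, _, v in
                 (ln.partition(":") for ln in block.splitlines() if not ln.startswith("#"))}
        if "dn" in attrs:  # the trailing '# returned N records' block has no dn
            records.append(AccountStatus(attrs["dn"],
                int(attrs.get("useraccountcontrol", "0")),
                int(attrs.get("msds-user-account-control-computed", "0"))))
    return records

def allowed_users(text: str) -> list[str]:
    """DNs that may log in; the complement is what the cron-script would flag."""
    return [a.dn for a in parse_ldb_output(text) if a.login_allowed()]

# Constructed sample in ldbsearch layout: record 1 mirrors the thread's expired account.
SAMPLE_OUTPUT = """\
# record 1
dn: CN=test 1 user,OU=User Accounts,DC=samdom,DC=com
userAccountControl: 512
msDS-User-Account-Control-Computed: 8388608

dn: CN=test 2 user,OU=User Accounts,DC=samdom,DC=com
userAccountControl: 512
msDS-User-Account-Control-Computed: 0

# returned 2 records
"""
```

Feed it the output of `ldbsearch -H /var/lib/samba/private/sam.ldb -b 'OU=User Accounts,DC=samdom,DC=com' '(objectCategory=person)' userAccountControl msDS-User-Account-Control-Computed` and the per-user decision is made locally rather than in the LDAP filter.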