On 28-10-2023 at 17:19, Rowland Penny via samba wrote:
> On Sat, 28 Oct 2023 16:22:23 +0200
> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>
>> On 28-10-2023 at 14:21, Rowland Penny via samba wrote:
>>> On Sat, 28 Oct 2023 13:50:31 +0200
>>> Kees van Vloten via samba <samba at lists.samba.org> wrote:
>>>
>>>>>> I consider this a big security omission: if Samba is the source
>>>>>> of information but not the authenticator of the user, that
>>>>>> application cannot block expired users!
>>>>> But, Samba when running as an AD DC is the source of information
>>>>> AND the source of authentication. A user with an expired password
>>>>> will not be allowed to logon.
>>>> You are right, this is preferable, but not always the case.
>>>>
>>>> For example Samba does not support MFA, an application that does
>>>> this can use Samba as its user database but has to perform the MFA
>>>> authentication with its own mechanism.
>>>>
>>>> The situation I have is that you can login with MFA (from internet)
>>>> while you are blocked with normal authentication (when in the
>>>> office) when your password is expired. That is definitely not
>>>> alright!
>>> It isn't, but I would say that is a failing in the MFA rather than
>>> Samba AD.
>> Not really, there is no way you can make an LDAP filter to see that
>> an account is expired. Samba simply does not provide that information
>> in a form that can be used in an application filter (which is the
>> same as a single ldapsearch command).
>>
>> Your suggestion below to have 'ms-DS-User-Password-Expired' would
>> solve the whole issue and so does setting bit-23 in
>> 'userAccountControl'.
>>
>> But both are not implemented yet, i.e. for the time being a
>> workaround is required for this piece of functionality. That brings
>> me back to the plan of making a small cron-script for this purpose.
>>
>> To prevent a potential race condition with Samba updating something
>> in 'userAccountControl' and the cron-script as well, it might be a
>> better idea to use another user attribute, for example the nowadays
>> obscure 'primaryTelexNumber' and set it to 'expired=true'. With
>> that the issue is solved, the LDAP query to check for a user that can
>> be allowed to login would be:
>>
>> '(&(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(primaryTelexNumber=*expired=true*)))'
>>
>> Using asterisks around 'expired=true' allows for other strings to be
>> added to this attribute, would there be the need for it.
>>
>> This is non-intrusive, it can be simply removed when Samba acquires
>> the real functionality.
> Forget ms-DS-User-Password-Expired, after a bit of checking, it seems
> that was only for ADAM and AD-LDS.
>
> However, can I introduce you to another constructed attribute (we need
> to document these somewhere) 'msDS-User-Account-Control-Computed'
Bingo:
ldbsearch -H /var/lib/samba/private/sam.ldb -b 'CN=test 1 user,OU=User Accounts,DC=samdom,DC=com' msDS-User-Account-Control-Computed 2> /dev/null
# record 1
dn: CN=test 1 user,OU=User Accounts,DC=samdom,DC=com
msDS-User-Account-Control-Computed: 8388608
# returned 1 records
# 1 entries
# 0 referrals
Persistency pays off :-)
Thank you, no workaround needed, this makes me really happy :-) :-)
- Kees.
>
> Try that one.
>
> Rowland
>
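An added example (not code from this thread or from Samba) that turns output in the ldbsearch layout shown above into an allow/deny decision: it parses the records and tests the two bits the thread relies on, ACCOUNTDISABLE (2) in userAccountControl and PASSWORD_EXPIRED (bit 23, value 8388608) in msDS-User-Account-Control-Computed. The bits are evaluated client-side from the returned entry; the sample records and their DNs are constructed.

```python
# userAccountControl bits: the filter in the thread tests ACCOUNTDISABLE (2) via
# the bitwise-AND rule; PASSWORD_EXPIRED is bit 23 (0x800000 = 8388608 above).
UF_ACCOUNTDISABLE = 0x000002
UF_PASSWORD_EXPIRED = 0x800000

# Constructed sample in the layout ldbsearch prints (not real accounts).
SAMPLE_LDIF = """\
# record 1
dn: CN=test 1 user,OU=User Accounts,DC=samdom,DC=com
userAccountControl: 512
msDS-User-Account-Control-Computed: 8388608
# record 2
dn: CN=test 2 user,OU=User Accounts,DC=samdom,DC=com
userAccountControl: 512
msDS-User-Account-Control-Computed: 0
# record 3
dn: CN=test 3 user,OU=User Accounts,DC=samdom,DC=com
userAccountControl: 514
msDS-User-Account-Control-Computed: 0
"""

def parse_ldif(text):
    """Return {dn: {attr: value}} from single-valued records, skipping the
    '# record' / '# returned' comment lines ldbsearch adds."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current[attr] = value
    return entries

def login_blockers(entry):
    """Reasons this entry must not log in; an empty list means allowed."""
    uac = int(entry.get("userAccountControl", "0"))
    computed = int(entry.get("msDS-User-Account-Control-Computed", "0"))
    reasons = []
    if uac & UF_ACCOUNTDISABLE:
        reasons.append("disabled")
    if computed & UF_PASSWORD_EXPIRED:
        reasons.append("password expired")
    return reasons

def allowed_users(text):
    """DNs in the LDIF text that pass both checks."""
    return [dn for dn, e in parse_ldif(text).items() if not login_blockers(e)]
```

For the constructed sample, only 'test 2 user' is allowed: 'test 1 user' carries the expired-password bit and 'test 3 user' is disabled.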