On Wed, 31 Jan 2024 20:02:55 +0100
Stefan Kania via samba <samba at lists.samba.org> wrote:

>
> On 31.01.24 at 17:45, Kees van Vloten via samba wrote:
> >
> > On 31-01-2024 at 17:21, Stefan Kania via samba wrote:
> >> Hi all,
> >>
> >> it's again a question about FL 2016 and if samba supports it. If
> >> yes, how can I use it without powershell.
> >>
> >> In FL 2016 there is the possibility to put a user into a group and
> >> the membership is time based. So I could put the user Foo into the
> >> group 'domain admins' for 30 minutes and after 30 minutes the
> >> system will remove user foo from the group.
> >>
> >> But to activate this feature you have to give a powershell
> >> command:
> >> ----------------
> >> Enable-ADOptionalFeature "Privileged Access Management Feature"
> >> -Scope ForestOrConfigurationSet -Target "example.net"
> >> -----------------
> >>
> >> This feature once enabled can't be disabled anymore.
> >>
> >> Then I could add a user to a group:
> >> ---------------
> >> Add-ADGroupMember -Identity "Domain Admins" -Members "Foo"
> >> -MemberTimeToLive (New-TimeSpan -Minutes 30)
> >> ---------------
> >>
> >> After 30 minutes Foo will be removed automatically.
> >>
> >> But if this feature is supported by samba 4.19 or 4.20 with FL
> >> 2016 activated, how could I set this?
> >
> > I am not aware of the developments on this.
> >
> > But in general, what I would do is: execute the powershell command
> > and then check with "samba-tool group show" or ldbsearch what
> > attributes were set.
> >
> > If you know what it does under the hood, it is easy enough to
> > create some scripting to mimic the behaviour.
> >
> > - Kees.
> >
> I can install powershell on my DC but the Linux-powershell is not
> supporting the ad-commands :-(
>
> Maybe someone has a different solution to my problem. We have a lot
> of Admins managing the AD (all over the world). Yes it's samba :-).
> We want to restrict admins from login to the DCs via ssh. Ssh login
> should only be possible if an admin sends a request via a ticket
> system and the ticket management team then adds him to a special
> group for a certain period of time. During this time he can login
> via ssh. After the time is over, he will be removed automatically
> from the group, so then he can't login on the DC anymore. That's why
> I thought about time based group membership. But this function needs
> FL 2016.
>
> Allowing only users of a certain group to login via ssh is not the problem.
>
> Stefan
>

I think this is going to require code to get it to work. Just adding an
attribute (if that is what is happening ?) will not be enough, there
must be something that either counts down to 0 and then removes the
user from the group, or constantly checks AD and then removes the user
from the group at the relevant time, or something along those lines.

Rowland
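The "something that constantly checks AD" Rowland describes could be a cron-style pass like the following, written here as an added example (not code from the thread, from Samba or from Microsoft). It assumes member values carry an expiry annotation of the form '<TTL=seconds>;DN' relative to a snapshot time, and the group name CN=SSH-Admins and all DNs are constructed for illustration.

```python
"""Expire time-limited group memberships with a periodic check.

Added example: reads a group's member values with an ASSUMED
'<TTL=seconds>;DN' annotation, decides which have run out, and emits the
LDIF that ldbmodify/ldapmodify would apply to drop them. Group and user
DNs are constructed sample data, not real directory entries."""
import re
from datetime import datetime, timedelta, timezone

# Constructed snapshot: member values as read at SNAPSHOT_TIME.
SNAPSHOT_TIME = datetime(2024, 1, 31, 17, 0, tzinfo=timezone.utc)
SAMPLE_MEMBERS = [
    "<TTL=1800>;CN=Foo,CN=Users,DC=example,DC=net",  # 30 minutes left
    "<TTL=7200>;CN=Bar,CN=Users,DC=example,DC=net",  # 2 hours left
    "CN=Baz,CN=Users,DC=example,DC=net",             # permanent member
]
GROUP_DN = "CN=SSH-Admins,CN=Users,DC=example,DC=net"  # assumed group
CHECK_TIME = SNAPSHOT_TIME + timedelta(minutes=45)     # when the job runs
TTL_RE = re.compile(r"^<TTL=(\d+)>;(.+)$")


def parse_member(value):
    """Split one member value into (dn, ttl_seconds or None)."""
    m = TTL_RE.match(value)
    if m:
        return m.group(2), int(m.group(1))
    return value, None


def expired_members(members, snapshot_time, now):
    """DNs whose TTL, counted from snapshot_time, has elapsed by 'now'."""
    gone = []
    for value in members:
        dn, ttl = parse_member(value)
        if ttl is not None and snapshot_time + timedelta(seconds=ttl) <= now:
            gone.append(dn)
    return gone


def removal_ldif(group_dn, dns):
    """LDIF modify record deleting the given member values, or '' if none."""
    if not dns:
        return ""
    lines = [f"dn: {group_dn}", "changetype: modify"]
    for dn in dns:
        lines += ["delete: member", f"member: {dn}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    gone = expired_members(SAMPLE_MEMBERS, SNAPSHOT_TIME, CHECK_TIME)
    print(removal_ldif(GROUP_DN, gone), end="")
```

Run from cron, the emitted LDIF would be piped into ldbmodify against the DC's sam.ldb; the sshd side (AllowGroups on the special group) stays as Stefan already has it.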
On 31.01.24 at 20:36, Rowland Penny via samba wrote:
> On Wed, 31 Jan 2024 20:02:55 +0100
> Stefan Kania via samba <samba at lists.samba.org> wrote:
>
> [...]
>
> I think this is going to require code to get it to work. Just adding an
> attribute (if that is what is happening ?) will not be enough, there
> must be something that either counts down to 0 and then removes the
> user from the group, or constantly checks AD and then removes the user
> from the group at the relevant time, or something along those lines.
>
> Rowland
>

MS is doing this via a Kerberos TTL with the time based groups
On 31-01-2024 20:36, Rowland Penny via samba wrote:
> On Wed, 31 Jan 2024 20:02:55 +0100
> Stefan Kania via samba <samba at lists.samba.org> wrote:
>
> [...]
>
> I think this is going to require code to get it to work. Just adding an
> attribute (if that is what is happening ?) will not be enough, there
> must be something that either counts down to 0 and then removes the
> user from the group, or constantly checks AD and then removes the user
> from the group at the relevant time, or something along those lines.
>
> Rowland

If that is part of FL 2016 as Stefan suggests, I would think that bit is
taken care of by the AD, i.e. the Samba-AD code. In that case setting the
right attribute(s) on an LDAP group could be the only thing needed...

Perhaps one of the Samba developers knows more about the exact
implementation (@Andrew ?).

- Kees.