[Samba] Question about silos and Authentication policies

Stefan Kania stefan at kania-online.de
Sat Nov 4 16:34:33 UTC 2023


Hi Rob,

I had some more time to test a little bit. So I took the LDAP Account 
Manager (LAM), connected it to my Active Directory with Samba 4.19 and to 
cn=configuration,dc=example,dc=net. I found the policy and the silo. Then 
I took the value from my Windows 2022 domain for the attribute 
UserAllowedToAuthenticateFrom and added it to the attribute 
msDS-UserAllowedToAuthenticateFrom of my Samba domain. Doing this creates 
the condition. So my attribute looks like this:
O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != "winclient-silo"))
Then the policy is working: the user added to the silo cannot log in on a 
computer also added to the silo.

But executing
-------------------
samba-tool domain auth policy view --name winclient-pol
{
   "cn": "winclient-pol",
   "distinguishedName": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "dn": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "instanceType": 4,
   "msDS-AuthNPolicyEnforced": true,
   "msDS-ServiceTGTLifetime": 60,
   "msDS-StrongNTLMPolicy": 0,
   "name": "winclient-pol",
   "objectCategory": "CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net",
   "objectClass": [
     "top",
     "msDS-AuthNPolicy"
   ],
   "objectGUID": "21bc8ece-13c0-4ab1-8a79-38bdd6f6ea8d"
}
-------------------
does not show the condition :-(.

But with ldbsearch I can see the condition:
-------------------
root@addc-01:~# ldbsearch --cross-ncs --url=/var/lib/samba/private/sam.ldb "cn=winclient-pol"
# record 1
dn: CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
objectClass: top
objectClass: msDS-AuthNPolicy
cn: winclient-pol
instanceType: 4
whenCreated: 20231020164016.0Z
uSNCreated: 4291
name: winclient-pol
objectGUID: 21bc8ece-13c0-4ab1-8a79-38bdd6f6ea8d
objectCategory: CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net
msDS-AuthNPolicyEnforced: TRUE
msDS-StrongNTLMPolicy: 0
msDS-ComputerAuthNPolicyBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-ServiceAuthNPolicyBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-UserAuthNPolicyBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-ServiceTGTLifetime: 60
msDS-UserAllowedToAuthenticateFrom: O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != "winclient-silo"))
whenChanged: 20231104162516.0Z
uSNChanged: 4513
distinguishedName: CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net

-------------------

So auth-policies and auth-silos are working with Samba :-).

Don't ask me what the meaning of the (I think) ACL in the attribute is.

Maybe that will help you.

Stefan


Am 31.10.23 um 00:43 schrieb Rob van der Linde via samba:
> I was playing around again with Windows and when you add members to 
> silos, or remove them, it should not set/unset assigned silo on the user.
> 
> So I've got a new pull request in Draft state still where I remove that 
> functionality, as well as add some new commands to samba-tool user command.
> 
> It turned out to be easier to add sub commands to user, as edit user 
> wasn't quite what I thought it was and I had realised that after writing 
> my last email.
> 
> samba-tool user auth silo assign/remove/view
> samba-tool user auth policy assign/remove/view
> 
> I probably completely have the wording wrong still, I'm going to look at 
> using the same wording as Windows does so please consider this PR a 
> draft only. I'm having a look at the Windows tooling in detail now.
> 
> On 28/10/23 03:54, Stefan Kania via samba wrote:
>>
>>
>> Am 27.10.23 um 02:32 schrieb Rob van der Linde via samba:
>>> The missing functionality is --silo and --policy on modify user, and 
>>> probably also create user commands.
>>
>> That's exactly right, that's also the way Windows is handling this.
>>
> 
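Stefan writes above that he does not know the meaning of the ACL stored in msDS-UserAllowedToAuthenticateFrom. The following Python is an added example, not code from this thread and not Samba's own code: it decodes that SDDL string and evaluates its conditional ACE against a dictionary of claims. In the value posted above, O:SY and G:SY are owner and group (Local System), D: starts the DACL, and the single ACE is a callback (conditional) allow ACE (XA) for Everyone (WD) that grants the control access right (CR) only while the bracketed expression holds. Which principal's claims a domain controller feeds into that expression when it evaluates this attribute is not stated on this page, so the evaluator simply takes whatever claims dictionary it is handed. The parser covers only the SDDL subset used here (owner, group, a DACL of plain or conditional ACEs, one comparison per condition); the rule for a missing claim follows MS-DTYP, where a condition that evaluates to Unknown makes the ACE not apply. The SID alias table and the claim values used in the usage note are my assumptions.

```python
# Added example: decode msDS-UserAllowedToAuthenticateFrom and evaluate its conditional ACE.
import re
from dataclasses import dataclass
from typing import Optional

# Value copied from the msDS-UserAllowedToAuthenticateFrom attribute posted above.
POLICY_SDDL = ('O:SYG:SYD:(XA;OICI;CR;;;WD;'
               '(@USER.ad://ext/AuthenticationSilo != "winclient-silo"))')

# Two-letter SDDL aliases that occur in the value (MS-DTYP well-known SIDs); assumed table.
SID_ALIASES = {"SY": "S-1-5-18", "WD": "S-1-1-0"}  # Local System, Everyone

# One '@SCOPE.attribute (==|!=) "literal"' comparison; the only condition form handled here.
_COND_RE = re.compile(r'^@(USER|DEVICE)\.(\S+?)\s*(==|!=)\s*"([^"]*)"$')


@dataclass
class Ace:
    ace_type: str             # "A"/"D" plain allow/deny, "XA"/"XD" conditional (callback)
    flags: str                # "OICI": object inherit + container inherit
    rights: str               # "CR": control access right
    trustee: str              # SID or alias; "WD" is Everyone
    condition: Optional[str]  # expression without its outer parentheses, or None


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: list


def _matching_paren(text, start):
    """Index of the ')' closing the '(' at text[start]; parens inside "..." are ignored."""
    depth, in_str = 0, False
    for i in range(start, len(text)):
        c = text[i]
        if c == '"':
            in_str = not in_str
        elif not in_str and c == "(":
            depth += 1
        elif not in_str and c == ")":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced parentheses in SDDL")


def _parse_ace(body):
    # ace_type;flags;rights;object_guid;inherit_object_guid;sid[;(condition)]
    parts = body.split(";", 6)
    if len(parts) < 6:
        raise ValueError("ACE needs at least six fields: %r" % body)
    condition = None
    if len(parts) == 7:
        cond = parts[6].strip()
        if not (cond.startswith("(") and cond.endswith(")")):
            raise ValueError("conditional ACE must end with a parenthesised expression")
        condition = cond[1:-1].strip()
    return Ace(parts[0], parts[1], parts[2], parts[5], condition)


def parse_sddl(sddl):
    """Parse owner, group and DACL of an SDDL string (a SACL 'S:' part is not supported)."""
    owner = group = None
    aces, pos = [], 0
    while pos < len(sddl):
        tag = sddl[pos:pos + 2]
        if tag in ("O:", "G:"):
            m = re.match(r"[OG]:([A-Z]{2}|S-[0-9-]+)", sddl[pos:])
            if not m:
                raise ValueError("bad SID after %s" % tag)
            if tag == "O:":
                owner = m.group(1)
            else:
                group = m.group(1)
            pos += m.end()
        elif tag == "D:":
            pos += 2
            while pos < len(sddl) and sddl[pos] != "(":  # skip DACL flags (P, AI, AR)
                pos += 1
            while pos < len(sddl) and sddl[pos] == "(":
                end = _matching_paren(sddl, pos)
                aces.append(_parse_ace(sddl[pos + 1:end]))
                pos = end + 1
        else:
            raise ValueError("unsupported SDDL component at offset %d" % pos)
    return SecurityDescriptor(owner, group, aces)


def eval_condition(condition, claims):
    """True/False for the comparison, or None (MS-DTYP 'Unknown') when the claim is absent."""
    m = _COND_RE.match(condition)
    if not m:
        raise ValueError("unsupported condition: %r" % condition)
    scope, attr, op, value = m.groups()
    actual = claims.get(scope, {}).get(attr)
    if actual is None:
        return None
    return actual == value if op == "==" else actual != value


def access_granted(sd, claims, right="CR", sids=frozenset({"S-1-1-0"})):
    """First-match DACL walk: a matching deny wins, a matching allow grants, no match denies.
    `claims` maps "USER"/"DEVICE" to {attribute: value}; `sids` are the principal's SIDs."""
    for ace in sd.dacl:
        trustee = SID_ALIASES.get(ace.trustee, ace.trustee)
        rights = {ace.rights[i:i + 2] for i in range(0, len(ace.rights), 2)}
        if trustee not in sids or right not in rights:
            continue
        if ace.condition is not None and eval_condition(ace.condition, claims) is not True:
            continue  # False or Unknown: this conditional ACE does not apply
        return ace.ace_type in ("A", "XA")
    return False
```

With the value from the mail, `access_granted(parse_sddl(POLICY_SDDL), {"USER": {"ad://ext/AuthenticationSilo": "winclient-silo"}})` returns False, the same call with "other-silo" returns True, and a call with an empty claims dictionary returns False, so as written the ACE applies only to principals whose AuthenticationSilo claim is present and is something other than winclient-silo.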




