[Samba] Question about silos and Authentication policies

Stefan Kania stefan at kania-online.de
Sun Oct 22 13:58:41 UTC 2023


Talking to myself again ;-)

samba-tool works a little differently than the silo/policy 
management on a Windows DC.
On a Windows DC, after assigning the user and host to the silo, you have 
to assign the silo to the user and the host. When assigning the user and 
host to the silo with samba-tool, the assignment to the user and the 
host is done at the same time. So now my policy looks like this:
-------------
root at addc-01:~#  samba-tool domain auth policy view --name=winclient-pol
{
   "cn": "winclient-pol",
   "distinguishedName": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "dn": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "instanceType": 4,
   "msDS-AuthNPolicyEnforced": true,
   "msDS-ServiceTGTLifetime": 60,
   "msDS-StrongNTLMPolicy": 0,
   "name": "winclient-pol",
   "objectCategory": "CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net",
   "objectClass": [
     "top",
     "msDS-AuthNPolicy"
   ],
   "objectGUID": "21bc8ece-13c0-4ab1-8a79-38bdd6f6ea8d"

-------------

The silo looks like this:
-------------
root at addc-01:~#  samba-tool domain auth silo view --name=winclient-silo
{
   "cn": "winclient-silo",
   "distinguishedName": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "dn": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "instanceType": 4,
   "msDS-AuthNPolicySiloEnforced": true,
   "msDS-AuthNPolicySiloMembers": [
     "CN=WINCLIENT,CN=Computers,DC=example,DC=net",
     "CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net"
   ],
   "msDS-ComputerAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "msDS-ServiceAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "msDS-UserAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "name": "winclient-silo",
   "objectCategory": "CN=ms-DS-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=example,DC=net",
   "objectClass": [
     "top",
     "msDS-AuthNPolicySilo"
   ],
   "objectGUID": "f063b775-e1da-4b2d-962b-d30f2cc8ffad"
-------------

My user "cn=protected admin" looks like this:
-------------
dn: CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: protected admin
sn: admin
givenName: protected
instanceType: 4
whenCreated: 20231020125659.0Z
displayName: protected admin
uSNCreated: 4267
name: protected admin
objectGUID: 770c22a3-aa6d-4cea-bdbe-5bebce9c2994
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-3996049225-3177602564-2265300751-1106
accountExpires: 9223372036854775807
sAMAccountName: padmin
sAMAccountType: 805306368
userPrincipalName: padmin at example.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=net
userAccountControl: 512
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=net
memberOf: CN=Protected Users,CN=Users,DC=example,DC=net
lastLogonTimestamp: 133422806290994480
msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN 
Polic
  y Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN 
Policy
   Configuration,CN=Services,CN=Configuration,DC=example,DC=net
pwdLastSet: 133424547343802100
whenChanged: 20231022132534.0Z
uSNChanged: 4319
lastLogon: 133424547477453410
logonCount: 12
distinguishedName: CN=protected 
admin,OU=users,OU=It,OU=Firma,DC=example,DC=ne
  t
-------------

And the host:
--------------
dn: CN=WINCLIENT,CN=Computers,DC=example,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: WINCLIENT
instanceType: 4
whenCreated: 20231019160325.0Z
uSNCreated: 4225
name: WINCLIENT
objectGUID: ca422c13-eb65-43ae-8ae9-7fea6950a972
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
pwdLastSet: 133422050057063700
primaryGroupID: 515
objectSid: S-1-5-21-3996049225-3177602564-2265300751-1104
accountExpires: 9223372036854775807
sAMAccountName: WINCLIENT$
sAMAccountType: 805306369
dNSHostName: winclient.example.net
servicePrincipalName: HOST/winclient.example.net
servicePrincipalName: RestrictedKrbHost/winclient.example.net
servicePrincipalName: HOST/WINCLIENT
servicePrincipalName: RestrictedKrbHost/WINCLIENT
servicePrincipalName: WSMAN/winclient.example.net
servicePrincipalName: WSMAN/winclient
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=net
isCriticalSystemObject: FALSE
lastLogonTimestamp: 133422050059426810
operatingSystem: Windows 11 Pro
operatingSystemVersion: 10.0 (22621)
msDS-SupportedEncryptionTypes: 28
msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN 
Polic
  y Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN 
Policy
   Configuration,CN=Services,CN=Configuration,DC=example,DC=net
whenChanged: 20231020163411.0Z
uSNChanged: 4289
lastLogon: 133424546464979900
logonCount: 30
distinguishedName: CN=WINCLIENT,CN=Computers,DC=example,DC=net
--------------

So in both objects you can see the two attributes:
------------------
msDS-AuthNPolicySiloMembersBL:
msDS-AssignedAuthNPolicySilo:
------------------

These attributes look the same in a Windows Active Directory. I built 
the same domain with Windows Server 2022 and FL 2016. There it works.

In my Samba domain I can assign everything, but my user "cn=protected 
admin" can still log in to my host "winclient" :-(

Has anyone tried it yet and gotten it working?


Am 20.10.23 um 19:57 schrieb Stefan Kania via samba:
> Now I created a policy with:
> 
> ---------
> samba-tool domain auth policy create --enforce --name winclient-pol
> ---------
> 
> and a silo with:
> 
> ---------
> samba-tool domain auth silo create --enforce --name=winclient-silo
> 
> Then I add the following objects to the silo:
> ---------
> samba-tool domain auth silo member add --name=winclient-silo 
> --member=padmin
> 
> samba-tool domain auth silo member add --name=winclient-silo 
> --member=winclient\$
> ---------
> 
> Then assigning the policy to the silo with:
> 
> -------------
> samba-tool domain auth silo modify --name=winclient-silo 
> --policy=winclient-pol
> -------------
> 
> The next step would be to assign the silo to the user and the host, but 
> I don't see any option in "samba-tool domain auth ..." to do this. The 
> same with adding the host to the policy.
> 
> On a Windows system I would do this with "ADAC", but I can't use it with 
> a Samba DC.
> 
> Is there a way to do it with samba-tool, or any other tool?
> 
> 

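As an added example (not code from the post, nor from Samba), a small Python check that parses ldbsearch-style LDIF, including folded continuation lines like the ones in the output above, and verifies that every silo member is assigned back to an enforced silo whose user policy is also enforced; all DNs and attribute values in it are constructed sample data.

```python
# Added example (not from the post): parse ldbsearch-style LDIF, folded continuation
# lines included, and verify silo members are assigned back to an enforced silo and
# policy. All DNs and values below are constructed sample data.
CFG = "CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net"
SILO_DN = f"CN=winclient-silo,CN=AuthN Silos,{CFG}"
POLICY_DN = f"CN=winclient-pol,CN=AuthN Policies,{CFG}"
USER_DN = "CN=protected admin,OU=users,DC=example,DC=net"
HOST_DN = "CN=WINCLIENT,CN=Computers,DC=example,DC=net"
SAMPLE_LDIF = f"""dn: {SILO_DN}
msDS-AuthNPolicySiloEnforced: TRUE
msDS-AuthNPolicySiloMembers: {HOST_DN}
msDS-AuthNPolicySiloMembers: {USER_DN}
msDS-UserAuthNPolicy: {POLICY_DN}

dn: {POLICY_DN}
msDS-AuthNPolicyEnforced: TRUE

dn: {USER_DN}
msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Polic
 y Configuration,CN=Services,CN=Configuration,DC=example,DC=net

dn: {HOST_DN}
msDS-AuthNPolicySiloMembersBL: {SILO_DN}
"""
def parse_ldif(text):
    """Return {dn: {attr: [values]}}; a line starting with a space continues the last one."""
    entries, cur, last = {}, {}, None
    for line in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if line.startswith(" ") and last:            # LDIF fold: append, no space added
            cur[last][-1] += line[1:]
        elif line.strip():
            last, _, val = line.partition(":")
            cur.setdefault(last, []).append(val.strip())
        elif cur:
            entries[cur["dn"][0]] = cur
            cur, last = {}, None
    return entries

def check_silo(entries, silo_dn):
    """List inconsistencies; an empty list means the silo is set up consistently."""
    silo, problems = entries.get(silo_dn, {}), []
    if silo.get("msDS-AuthNPolicySiloEnforced") != ["TRUE"]:
        problems.append("silo missing or not enforced (audit only)")
    pol = entries.get(silo.get("msDS-UserAuthNPolicy", [""])[0], {})
    if pol.get("msDS-AuthNPolicyEnforced") != ["TRUE"]:
        problems.append("user policy missing or not enforced")
    for member in silo.get("msDS-AuthNPolicySiloMembers", []):
        assigned = entries.get(member, {}).get("msDS-AssignedAuthNPolicySilo", [])
        if assigned != [silo_dn]:   # membership alone does not apply the silo to the object
            problems.append(f"{member}: msDS-AssignedAuthNPolicySilo={assigned}")
    return problems
```

Feeding it the real output of `ldbsearch` for the silo, policy, user and computer objects would show whether the forward assignment is missing on either account.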