[Samba] Question about silos and Authentication policies

Andrew Bartlett abartlet at samba.org
Mon Oct 23 23:08:15 UTC 2023


Thanks Rob for chiming in.

Stefan,

I do want to be very clear, one of the big challenges that we as
developers face building these kinds of tools is that we don't run AD
domains day-to-day.  So we really value good feedback on the
ergonomics.

If you can test with our work in progress, we are keen to adapt the
tooling where possible to be more in line with what is 'naturally
expected', so please do keep up the feedback.

This area is already quite complex; we would love for this to 'just
work' for the initial use cases.

Andrew Bartlett

On Tue, 2023-10-24 at 10:03 +1300, Rob van der Linde via samba wrote:
> Hi Stefan,
> 
> We had a long weekend in New Zealand, I'm catching up now to your
> emails.
> 
> Some of the slight differences from the Windows tools I've already
> picked up on, and they are in the PR Andrew Bartlett mentioned on
> Friday, but I'm always open to learning what things are missing or
> different etc.
> 
> On 23/10/23 02:58, Stefan Kania via samba wrote:
> > Talking to myself again ;-)
> > 
> > Samba-tool is working a little bit differently than the silo/policy
> > management on a Windows-DC.
> > On a Windows-DC after assigning the user and host to the silo you
> > have 
> > to assign the silo to the user and the host. When assigning the
> > user 
> > and host to the silo with samba-tool, the assignment to the user
> > and 
> > the host will be done at the same time. So now my policy looks like
> > that:
> > -------------
> > root at addc-01:~#  samba-tool domain auth policy view --name=winclient-pol
> > {
> >   "cn": "winclient-pol",
> >   "distinguishedName": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
> >   "dn": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
> >   "instanceType": 4,
> >   "msDS-AuthNPolicyEnforced": true,
> >   "msDS-ServiceTGTLifetime": 60,
> >   "msDS-StrongNTLMPolicy": 0,
> >   "name": "winclient-pol",
> >   "objectCategory": "CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net",
> >   "objectClass": [
> >     "top",
> >     "msDS-AuthNPolicy"
> >   ],
> >   "objectGUID": "21bc8ece-13c0-4ab1-8a79-38bdd6f6ea8d"
> > 
> > -------------
> > 
> > The silo looks like this:
> > -------------
> > root at addc-01:~#  samba-tool domain auth silo view --name=winclient-silo
> > {
> >   "cn": "winclient-silo",
> >   "distinguishedName": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
> >   "dn": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
> >   "instanceType": 4,
> >   "msDS-AuthNPolicySiloEnforced": true,
> >   "msDS-AuthNPolicySiloMembers": [
> >     "CN=WINCLIENT,CN=Computers,DC=example,DC=net",
> >     "CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net"
> >   ],
> >   "msDS-ComputerAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
> >   "msDS-ServiceAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
> >   "msDS-UserAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
> >   "name": "winclient-silo",
> >   "objectCategory": "CN=ms-DS-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=example,DC=net",
> >   "objectClass": [
> >     "top",
> >     "msDS-AuthNPolicySilo"
> >   ],
> >   "objectGUID": "f063b775-e1da-4b2d-962b-d30f2cc8ffad"
> > -------------
> > 
> > My user "cn=protected admin" looks like this:
> > -------------
> > dn: CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > cn: protected admin
> > sn: admin
> > givenName: protected
> > instanceType: 4
> > whenCreated: 20231020125659.0Z
> > displayName: protected admin
> > uSNCreated: 4267
> > name: protected admin
> > objectGUID: 770c22a3-aa6d-4cea-bdbe-5bebce9c2994
> > badPwdCount: 0
> > codePage: 0
> > countryCode: 0
> > badPasswordTime: 0
> > lastLogoff: 0
> > primaryGroupID: 513
> > objectSid: S-1-5-21-3996049225-3177602564-2265300751-1106
> > accountExpires: 9223372036854775807
> > sAMAccountName: padmin
> > sAMAccountType: 805306368
> > userPrincipalName: padmin at example.net
> > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=net
> > userAccountControl: 512
> > memberOf: CN=Domain Admins,CN=Users,DC=example,DC=net
> > memberOf: CN=Protected Users,CN=Users,DC=example,DC=net
> > lastLogonTimestamp: 133422806290994480
> > msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> > msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> > pwdLastSet: 133424547343802100
> > whenChanged: 20231022132534.0Z
> > uSNChanged: 4319
> > lastLogon: 133424547477453410
> > logonCount: 12
> > distinguishedName: CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net
> > -------------
> > 
> > And the host:
> > --------------
> > dn: CN=WINCLIENT,CN=Computers,DC=example,DC=net
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > objectClass: computer
> > cn: WINCLIENT
> > instanceType: 4
> > whenCreated: 20231019160325.0Z
> > uSNCreated: 4225
> > name: WINCLIENT
> > objectGUID: ca422c13-eb65-43ae-8ae9-7fea6950a972
> > userAccountControl: 4096
> > badPwdCount: 0
> > codePage: 0
> > countryCode: 0
> > badPasswordTime: 0
> > lastLogoff: 0
> > pwdLastSet: 133422050057063700
> > primaryGroupID: 515
> > objectSid: S-1-5-21-3996049225-3177602564-2265300751-1104
> > accountExpires: 9223372036854775807
> > sAMAccountName: WINCLIENT$
> > sAMAccountType: 805306369
> > dNSHostName: winclient.example.net
> > servicePrincipalName: HOST/winclient.example.net
> > servicePrincipalName: RestrictedKrbHost/winclient.example.net
> > servicePrincipalName: HOST/WINCLIENT
> > servicePrincipalName: RestrictedKrbHost/WINCLIENT
> > servicePrincipalName: WSMAN/winclient.example.net
> > servicePrincipalName: WSMAN/winclient
> > objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=net
> > isCriticalSystemObject: FALSE
> > lastLogonTimestamp: 133422050059426810
> > operatingSystem: Windows 11 Pro
> > operatingSystemVersion: 10.0 (22621)
> > msDS-SupportedEncryptionTypes: 28
> > msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> > msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> > whenChanged: 20231020163411.0Z
> > uSNChanged: 4289
> > lastLogon: 133424546464979900
> > logonCount: 30
> > distinguishedName: CN=WINCLIENT,CN=Computers,DC=example,DC=net
> > --------------
> > 
> > So in both objects you can see the two attributes:
> > ------------------
> > msDS-AuthNPolicySiloMembersBL:
> > msDS-AssignedAuthNPolicySilo:
> > ------------------
> > 
> > These attributes look the same on a Windows Active Directory. I
> > built the same domain with Windows Server 2022 and FL 2016. There it
> > works.
> > 
> > In my Samba-domain I can assign everything, but my user
> > "cn=protected admin" can still log in to my host "winclient" :-(
> > 
> > Has anyone tried it yet and got it working?
> > 
> > 
> > On 20.10.23 at 19:57, Stefan Kania via samba wrote:
> > > Now I created a policy with:
> > > 
> > > ---------
> > > samba-tool domain auth policy create --enforce --name winclient-pol
> > > ---------
> > > 
> > > and a silo with:
> > > 
> > > ---------
> > > samba-tool domain auth silo create --enforce --name=winclient-silo
> > > 
> > > Then I add the following objects to the silo
> > > ---------
> > > samba-tool domain auth silo member add --name=winclient-silo --member=padmin
> > > 
> > > samba-tool domain auth silo member add --name=winclient-silo --member=winclient\$
> > > ---------
> > > 
> > > Then assigning the policy to the silo with:
> > > 
> > > -------------
> > > samba-tool domain auth silo modify --name=winclient-silo --policy=winclient-pol
> > > -------------
> > > 
> > > The next step would be to assign the silo to the user and the
> > > host, but I don't see any option in "samba-tool domain auth ..." to
> > > do this. The same with adding the host to the policy.
> > > 
> > > On a Windows system I would do this with "ADAC", but I can't use
> > > it with a samba-DC.
> > > 
> > > Is there a way to do it with samba-tool, or any other tool?
> > > 
> > > 
> > 
> > 
> 
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
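A consistency check for the user/host -> silo -> policy chain that Stefan dumped in the quoted messages. This is an added example written for this page, not samba-tool or Samba project code. It unfolds ldbsearch-style LDIF (a continuation line begins with a single space, which is why the long DNs in the quoted dumps are split mid-word), then verifies that the policy and silo are enforced rather than audit-only, that the silo's msDS-UserAuthNPolicy / msDS-ComputerAuthNPolicy / msDS-ServiceAuthNPolicy reference the policy, and that every silo member carries the matching msDS-AssignedAuthNPolicySilo and msDS-AuthNPolicySiloMembersBL. The sample objects are constructed from the example.net values in the thread; the "broken" copy of the user entry is a constructed misconfiguration that shows what a finding looks like.

```python
"""Consistency check for an AD authentication-policy silo (added example,
not samba-tool code). Unfolds LDIF continuation lines and verifies that
policy, silo and member principals all reference each other."""

# --- constructed sample data, modelled on the example.net objects above ---
CONFIG = "CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net"
SILO_DN = f"CN=winclient-silo,CN=AuthN Silos,{CONFIG}"
POLICY_DN = f"CN=winclient-pol,CN=AuthN Policies,{CONFIG}"
USER_DN = "CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net"
HOST_DN = "CN=WINCLIENT,CN=Computers,DC=example,DC=net"

# Subset of what `samba-tool domain auth policy/silo view` prints.
POLICY = {"dn": POLICY_DN, "msDS-AuthNPolicyEnforced": True}
SILO = {
    "dn": SILO_DN,
    "msDS-AuthNPolicySiloEnforced": True,
    "msDS-AuthNPolicySiloMembers": [HOST_DN, USER_DN],
    "msDS-UserAuthNPolicy": POLICY_DN,
    "msDS-ComputerAuthNPolicy": POLICY_DN,
    "msDS-ServiceAuthNPolicy": POLICY_DN,
}

# LDIF dump of both members; the user's DNs are wrapped the way ldbsearch
# prints them (the continuation line starts with exactly one space).
LDIF_OK = f"""dn: {USER_DN}
sAMAccountName: padmin
msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Polic
 y Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy
  Configuration,CN=Services,CN=Configuration,DC=example,DC=net

dn: {HOST_DN}
sAMAccountName: WINCLIENT$
msDS-AuthNPolicySiloMembersBL: {SILO_DN}
msDS-AssignedAuthNPolicySilo: {SILO_DN}
"""

# Constructed misconfiguration: the user is listed in the silo, but the
# assignment attribute was never written on the user object itself.
LDIF_BROKEN = LDIF_OK.replace(
    "msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy\n"
    "  Configuration,CN=Services,CN=Configuration,DC=example,DC=net\n", "")


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF entry."""
    physical = []
    for raw in text.splitlines():
        # A line beginning with a space continues the previous line.
        if raw.startswith(" ") and physical:
            physical[-1] += raw[1:]
        else:
            physical.append(raw)
    entries, current = [], {}
    for line in physical + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def norm(dn):
    """DNs are compared case-insensitively."""
    return dn.strip().lower()


def check_silo(silo, policy, principals):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    if not policy.get("msDS-AuthNPolicyEnforced"):
        findings.append("policy is audit-only: msDS-AuthNPolicyEnforced is not true")
    if not silo.get("msDS-AuthNPolicySiloEnforced"):
        findings.append("silo is audit-only: msDS-AuthNPolicySiloEnforced is not true")
    for attr in ("msDS-UserAuthNPolicy", "msDS-ComputerAuthNPolicy", "msDS-ServiceAuthNPolicy"):
        if norm(silo.get(attr, "")) != norm(policy["dn"]):
            findings.append(f"silo {attr} does not reference {policy['dn']}")

    silo_dn = norm(silo["dn"])
    by_dn = {norm(p["dn"][0]): p for p in principals}
    members = [norm(m) for m in silo.get("msDS-AuthNPolicySiloMembers", [])]
    for member in members:                # forward direction: silo -> principal
        p = by_dn.get(member)
        if p is None:
            findings.append(f"silo member {member} not found in the LDIF dump")
            continue
        who = p.get("sAMAccountName", p["dn"])[0]
        if silo_dn not in [norm(v) for v in p.get("msDS-AssignedAuthNPolicySilo", [])]:
            findings.append(f"{who}: member of silo but msDS-AssignedAuthNPolicySilo does not reference it")
        if silo_dn not in [norm(v) for v in p.get("msDS-AuthNPolicySiloMembersBL", [])]:
            findings.append(f"{who}: member of silo but backlink msDS-AuthNPolicySiloMembersBL is missing")
    for dn, p in by_dn.items():           # reverse direction: principal -> silo
        claims = [norm(v) for v in p.get("msDS-AssignedAuthNPolicySilo", [])]
        if silo_dn in claims and dn not in members:
            who = p.get("sAMAccountName", p["dn"])[0]
            findings.append(f"{who}: assigned to silo but not in msDS-AuthNPolicySiloMembers")
    return findings


if __name__ == "__main__":
    for label, ldif in (("consistent", LDIF_OK), ("broken", LDIF_BROKEN)):
        print(label, check_silo(SILO, POLICY, parse_ldif(ldif)) or ["OK"])
```

An empty result only shows that the directory objects are consistent and the enforced flags are set; as the thread shows, whether the KDC actually honours the silo when issuing tickets is a separate question that has to be tested with a real logon attempt against the DC in use.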
