[Samba] Question about silos and Authentication policies
Stefan Kania
stefan at kania-online.de
Wed Oct 25 18:19:36 UTC 2023
Hi Andrew, hi Rob,
So now I have the auth silo and auth policies working with a Windows
domain controller and different Windows clients. I created a policy and a
silo.
Then I did the same with Samba. What I am missing is creating a
condition for the auth policy. Here is the output from a Samba policy:
-------------
{
  "cn": "winclient-pol",
  "distinguishedName": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "dn": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "instanceType": 4,
  "msDS-AuthNPolicyEnforced": true,
  "msDS-ServiceTGTLifetime": 60,
  "msDS-StrongNTLMPolicy": 0,
  "name": "winclient-pol",
  "objectCategory": "CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net",
  "objectClass": [
    "top",
    "msDS-AuthNPolicy"
  ],
  "objectGUID": "21bc8ece-13c0-4ab1-8a79-38bdd6f6ea8d"
}
-------------
The next listing shows the output from my working Windows policy:
-------------
PS C:\Users\Administrator> Get-ADAuthenticationPolicy -Identity computer-pol
ComputerAllowedToAuthenticateTo         :
ComputerTGTLifetimeMins                 :
DistinguishedName                       : CN=computer-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example1,DC=net
Enforce                                 : True
Name                                    : computer-pol
ObjectClass                             : msDS-AuthNPolicy
ObjectGUID                              : a6584b9d-1219-43f6-816f-fad93151d2c5
RollingNTLMSecret                       : 0
ServiceAllowedNTLMNetworkAuthentication : False
ServiceAllowedToAuthenticateFrom        :
ServiceAllowedToAuthenticateTo          :
ServiceTGTLifetimeMins                  :
UserAllowedNTLMNetworkAuthentication    : False
UserAllowedToAuthenticateFrom           : O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "computer-pol"))
UserAllowedToAuthenticateTo             :
UserTGTLifetimeMins                     : 60

PS C:\Users\Administrator> Get-ADAuthenticationPolicy -Identity computer-pol
ComputerAllowedToAuthenticateTo         :
ComputerTGTLifetimeMins                 :
DistinguishedName                       : CN=computer-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example1,DC=net
Enforce                                 : True
Name                                    : computer-pol
ObjectClass                             : msDS-AuthNPolicy
ObjectGUID                              : a6584b9d-1219-43f6-816f-fad93151d2c5
RollingNTLMSecret                       : 0
ServiceAllowedNTLMNetworkAuthentication : False
ServiceAllowedToAuthenticateFrom        :
ServiceAllowedToAuthenticateTo          :
ServiceTGTLifetimeMins                  :
UserAllowedNTLMNetworkAuthentication    : False
UserAllowedToAuthenticateFrom           : O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != "computer-silo"))
UserAllowedToAuthenticateTo             :
UserTGTLifetimeMins                     : 60
-------------
In both policies you see the attribute "UserAllowedToAuthenticateFrom";
that's a condition. The main difference between these two conditions is:
the first one is "==", so the users from the silo can log in on all
computers listed in the silo.
The second one is "!=", so the users from the silo can NOT log in to any
of the computers listed in the silo.
Without the condition the policy is useless :-(. Is there a way to set
these conditions with Samba? If "yes", how :-)?
Stefan
On 24.10.23 at 01:08, Andrew Bartlett via samba wrote:
> Thanks Rob for chiming in.
>
> Stefan,
>
> I do want to be very clear, one of the big challenges that we as
> developers face building these kind of tools is that we don't run AD
> domains day-to-day. So we really value good feedback on the
> ergonomics.
>
> If you can test with our work in progress, we are keen to adapt the
> tooling where possible to be more in line with what is 'naturally
> expected', so please do keep up the feedback.
>
> This area is already quite complex, we would love for this to 'just
> work' for the initial use cases.
>
> Andrew Bartlett
>
> On Tue, 2023-10-24 at 10:03 +1300, Rob van der Linde via samba wrote:
>> Hi Stefan,
>>
>> We had a long weekend in New Zealand, I'm catching up now to your
>> emails.
>>
>> Some of the slight differences between Windows tools I've already
>> picked
>> up on and are in my PR Andrew Bartlett mentioned on Friday, but I'm
>> always open to learning what things are missing or different etc.
>>
>> On 23/10/23 02:58, Stefan Kania via samba wrote:
>>> Talking to myself again ;-)
>>>
>>> Samba-tool is working a little bit differently than the silo/policy
>>> management on a Windows DC.
>>> On a Windows-DC after assigning the user and host to the silo you
>>> have
>>> to assign the silo to the user and the host. When assigning the
>>> user
>>> and host to the silo with samba-tool, the assignment to the user
>>> and
>>> the host will be done at the same time. So now my policy looks like
>>> that:
>>> -------------
>>> root@addc-01:~# samba-tool domain auth policy view --name=winclient-pol
>>> {
>>>   "cn": "winclient-pol",
>>>   "distinguishedName": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>>>   "dn": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>>>   "instanceType": 4,
>>>   "msDS-AuthNPolicyEnforced": true,
>>>   "msDS-ServiceTGTLifetime": 60,
>>>   "msDS-StrongNTLMPolicy": 0,
>>>   "name": "winclient-pol",
>>>   "objectCategory": "CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net",
>>>   "objectClass": [
>>>     "top",
>>>     "msDS-AuthNPolicy"
>>>   ],
>>>   "objectGUID": "21bc8ece-13c0-4ab1-8a79-38bdd6f6ea8d"
>>> }
>>> -------------
>>>
>>> The silo looks like this:
>>> -------------
>>> root@addc-01:~# samba-tool domain auth silo view --name=winclient-silo
>>> {
>>>   "cn": "winclient-silo",
>>>   "distinguishedName": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>>>   "dn": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>>>   "instanceType": 4,
>>>   "msDS-AuthNPolicySiloEnforced": true,
>>>   "msDS-AuthNPolicySiloMembers": [
>>>     "CN=WINCLIENT,CN=Computers,DC=example,DC=net",
>>>     "CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net"
>>>   ],
>>>   "msDS-ComputerAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>>>   "msDS-ServiceAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>>>   "msDS-UserAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>>>   "name": "winclient-silo",
>>>   "objectCategory": "CN=ms-DS-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=example,DC=net",
>>>   "objectClass": [
>>>     "top",
>>>     "msDS-AuthNPolicySilo"
>>>   ],
>>>   "objectGUID": "f063b775-e1da-4b2d-962b-d30f2cc8ffad"
>>> }
>>> -------------
>>>
>>> My user "cn=protected admin" looks like this:
>>> -------------
>>> dn: CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: protected admin
>>> sn: admin
>>> givenName: protected
>>> instanceType: 4
>>> whenCreated: 20231020125659.0Z
>>> displayName: protected admin
>>> uSNCreated: 4267
>>> name: protected admin
>>> objectGUID: 770c22a3-aa6d-4cea-bdbe-5bebce9c2994
>>> badPwdCount: 0
>>> codePage: 0
>>> countryCode: 0
>>> badPasswordTime: 0
>>> lastLogoff: 0
>>> primaryGroupID: 513
>>> objectSid: S-1-5-21-3996049225-3177602564-2265300751-1106
>>> accountExpires: 9223372036854775807
>>> sAMAccountName: padmin
>>> sAMAccountType: 805306368
>>> userPrincipalName: padmin@example.net
>>> objectCategory:
>>> CN=Person,CN=Schema,CN=Configuration,DC=example,DC=net
>>> userAccountControl: 512
>>> memberOf: CN=Domain Admins,CN=Users,DC=example,DC=net
>>> memberOf: CN=Protected Users,CN=Users,DC=example,DC=net
>>> lastLogonTimestamp: 133422806290994480
>>> msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
>>> msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
>>> pwdLastSet: 133424547343802100
>>> whenChanged: 20231022132534.0Z
>>> uSNChanged: 4319
>>> lastLogon: 133424547477453410
>>> logonCount: 12
>>> distinguishedName: CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net
>>> -------------
>>>
>>> And the host:
>>> --------------
>>> dn: CN=WINCLIENT,CN=Computers,DC=example,DC=net
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> objectClass: computer
>>> cn: WINCLIENT
>>> instanceType: 4
>>> whenCreated: 20231019160325.0Z
>>> uSNCreated: 4225
>>> name: WINCLIENT
>>> objectGUID: ca422c13-eb65-43ae-8ae9-7fea6950a972
>>> userAccountControl: 4096
>>> badPwdCount: 0
>>> codePage: 0
>>> countryCode: 0
>>> badPasswordTime: 0
>>> lastLogoff: 0
>>> pwdLastSet: 133422050057063700
>>> primaryGroupID: 515
>>> objectSid: S-1-5-21-3996049225-3177602564-2265300751-1104
>>> accountExpires: 9223372036854775807
>>> sAMAccountName: WINCLIENT$
>>> sAMAccountType: 805306369
>>> dNSHostName: winclient.example.net
>>> servicePrincipalName: HOST/winclient.example.net
>>> servicePrincipalName: RestrictedKrbHost/winclient.example.net
>>> servicePrincipalName: HOST/WINCLIENT
>>> servicePrincipalName: RestrictedKrbHost/WINCLIENT
>>> servicePrincipalName: WSMAN/winclient.example.net
>>> servicePrincipalName: WSMAN/winclient
>>> objectCategory:
>>> CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=net
>>> isCriticalSystemObject: FALSE
>>> lastLogonTimestamp: 133422050059426810
>>> operatingSystem: Windows 11 Pro
>>> operatingSystemVersion: 10.0 (22621)
>>> msDS-SupportedEncryptionTypes: 28
>>> msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
>>> msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
>>> whenChanged: 20231020163411.0Z
>>> uSNChanged: 4289
>>> lastLogon: 133424546464979900
>>> logonCount: 30
>>> distinguishedName: CN=WINCLIENT,CN=Computers,DC=example,DC=net
>>> --------------
>>>
>>> So in both objects you can see the two Attributes:
>>> ------------------
>>> msDS-AuthNPolicySiloMembersBL:
>>> msDS-AssignedAuthNPolicySilo:
>>> ------------------
>>>
>>> These attributes look the same on a Windows Active Directory. I
>>> built the same domain with Windows Server 2022 and FL 2016. There it
>>> works.
>>>
>>> In my Samba domain I can assign everything, but my user
>>> "cn=protected admin" can still log in to my host "winclient" :-(
>>>
>>> Has anyone tried it yet and got it working?
>>>
>>>
>>> On 20.10.23 at 19:57, Stefan Kania via samba wrote:
>>>> Now I created a policy with:
>>>>
>>>> ---------
>>>> samba-tool domain auth policy create --enforce --name winclient-pol
>>>> ---------
>>>>
>>>> and a silo with:
>>>>
>>>> ---------
>>>> samba-tool domain auth silo create --enforce --name=winclient-silo
>>>> ---------
>>>>
>>>> Then I add the following objects to the silo:
>>>> ---------
>>>> samba-tool domain auth silo member add --name=winclient-silo --member=padmin
>>>>
>>>> samba-tool domain auth silo member add --name=winclient-silo --member=winclient\$
>>>> ---------
>>>>
>>>> Then assigning the policy to the silo with:
>>>>
>>>> -------------
>>>> samba-tool domain auth silo modify --name=winclient-silo --policy=winclient-pol
>>>> -------------
>>>>
>>>> The next step would be to assign the silo to the user and the host,
>>>> but I don't see any option in "samba-tool domain auth ..." to do
>>>> this. The same with adding the host to the policy.
>>>>
>>>> On a Windows system I would do this with "ADAC", but I can't use it
>>>> with a Samba DC.
>>>>
>>>> Is there a way to do it with samba-tool, or any other tool?
>>>>
>>>>
>>>
>>>
>>
>>
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signing every e-mail helps reduce spam and protects your privacy. You can
obtain a free certificate at
https://www.dgn.de/dgncert/index.html
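Stefan's two Windows policies differ only in the operator inside the conditional ACE of UserAllowedToAuthenticateFrom. As an added illustration that is not part of the thread or of samba-tool, the Python below builds that SDDL string for a silo name, parses it back, and evaluates it the way the DC does: against the AuthenticationSilo claim of the device the logon comes from, with a missing claim treated as Unknown (no grant). Function names are my own.

```python
import re

# Shape of the conditional allow ACE quoted from Get-ADAuthenticationPolicy:
#   (XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "computer-pol"))
# Only this attribute with ==, != and a quoted string value is handled.
CONDITIONAL_ACE = re.compile(
    r'\((?P<type>XA|XD);(?P<flags>[A-Z]*);(?P<rights>[A-Z]*);;;(?P<sid>[A-Z0-9-]+);'
    r'\(@USER\.(?P<attr>[^\s=!]+)\s*(?P<op>==|!=)\s*"(?P<value>[^"]*)"\)\)'
)
SILO_ATTR = "ad://ext/AuthenticationSilo"


def build_silo_condition(silo_name, same_silo=True):
    """Build an SDDL string in the shape shown in the thread (helper name is
    my own).  same_silo=True uses '==' (log on only from devices in that
    silo), False uses '!=' (log on from any device outside it)."""
    op = "==" if same_silo else "!="
    return f'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.{SILO_ATTR} {op} "{silo_name}"))'


def parse_conditional_aces(sddl):
    """Return every conditional ACE in sddl as a dict of its fields."""
    return [m.groupdict() for m in CONDITIONAL_ACE.finditer(sddl)]


def user_may_authenticate_from(sddl, device_silo):
    """Evaluate a UserAllowedToAuthenticateFrom DACL for one logon attempt.

    The DACL is checked against the *device* the user logs on from, so
    @USER in the condition is the device account and device_silo is the
    AuthenticationSilo claim of that computer (None if it is in no silo).
    A condition on an attribute the token lacks evaluates to Unknown, not
    True, so a device outside every silo gets no grant even from '!='."""
    if device_silo is None:
        return False
    for ace in parse_conditional_aces(sddl):
        if ace["type"] != "XA" or ace["attr"] != SILO_ATTR:
            continue  # only callback-allow ACEs on the silo claim grant here
        if ace["op"] == "==":
            matched = device_silo == ace["value"]
        else:
            matched = device_silo != ace["value"]
        if matched:
            return True
    return False  # nothing granted access: implicit deny
```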