[Samba] Question about silos and Authentication policies
Rob van der Linde
rob at catalyst.net.nz
Fri Oct 27 00:32:29 UTC 2023
Hi Stefan,

Yes, it looks like your testing has found a gap in the functionality.

First of all, I removed the single --policy; it's just the
individual args now: --user-authentication-policy,
--service-authentication-policy, --computer-authentication-policy. I know
this is longer, but I wanted it to be consistent with the PowerShell
tooling (to a point). This is explained in MR !3325 on GitLab that
should get merged soon.

The missing functionality is --silo and --policy on modify user, and
probably also create user commands.

Right now if I add a user to two silos, it automatically sets the
assigned silo to the last one I did; this is probably not the desired
behaviour.

On 21/10/23 06:57, Stefan Kania via samba wrote:
> Now I created a policy with:
>
> ---------
> samba-tool domain auth policy create --enforce --name winclient-pol
> ---------
>
> and a silo with:
>
> ---------
> samba-tool domain auth silo create --enforce --name=winclient-silo
> ---------
>
> Then I add the following objects to the silo
> ---------
> samba-tool domain auth silo member add --name=winclient-silo --member=padmin
>
> samba-tool domain auth silo member add --name=winclient-silo --member=winclient\$
> ---------
>
> Then assigning the policy to the silo with:
>
> -------------
> samba-tool domain auth silo modify --name=winclient-silo --policy=winclient-pol
> -------------
>
> The next step would be to assign the silo to the user and the host,
> but I don't see any option in "samba-tool domain auth ..." to do this.
> The same with adding the host to the policy.
>
> On a Windows system I would do this with "ADAC", but I can't use it
> with a Samba DC.
>
> Is there a way to do it with samba-tool, or any other tool?
>
>
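
Added example, not part of the thread and not Samba code: the messages above separate being a member of a silo from having that silo assigned to the account, so this script audits an LDIF export for accounts where the two disagree. It assumes the AD schema attribute names msDS-AuthNPolicySiloMembers and msDS-AssignedAuthNPolicySilo (neither is quoted in the thread); every DN in the sample is constructed.

```python
from collections import defaultdict

# AD schema attribute names (an assumption here; the thread does not quote them).
MEMBERS = "msds-authnpolicysilomembers"     # on the silo: accounts permitted in it
ASSIGNED = "msds-assignedauthnpolicysilo"   # on the account: the silo applied to it
# Constructed sample in LDIF form; every DN below is made up.
SAMPLE_LDIF = """\
dn: CN=winclient-silo,CN=AuthN Silos,DC=example,DC=com
msDS-AuthNPolicySiloMembers: CN=padmin,CN=Users,DC=example,DC=com
msDS-AuthNPolicySiloMembers: CN=WINCLIENT,CN=Computers,DC=example,DC=com

dn: CN=other-silo,CN=AuthN Silos,DC=example,DC=com
msDS-AuthNPolicySiloMembers: CN=padmin,CN=Users,DC=example,DC=com

dn: CN=padmin,CN=Users,DC=example,DC=com
msDS-AssignedAuthNPolicySilo: CN=other-silo,CN=AuthN Silos,DC=example,DC=com

dn: CN=WINCLIENT,CN=Computers,DC=example,DC=com
"""

def parse_ldif(text):  # -> {dn: {attr: [values]}}, everything lowercased
    entries, cur = {}, None
    for line in text.replace("\n ", "").splitlines():   # unfold wrapped lines
        if not line.strip():
            cur = None                       # a blank line ends the entry
            continue
        attr, sep, value = line.partition(": ")
        if line.startswith("#") or not sep or attr.endswith(":"):
            continue                         # skip comments and base64 (attr::) values
        if attr.lower() == "dn":
            cur = entries.setdefault(value.lower(), defaultdict(list))
        elif cur is not None:
            cur[attr.lower()].append(value.lower())
    return entries

def audit(entries):
    silos_of, findings = defaultdict(list), []   # account DN -> silos listing it
    for dn, attrs in entries.items():
        for member in attrs.get(MEMBERS, []):
            silos_of[member].append(dn)
    for account, silos in sorted(silos_of.items()):
        assigned = entries.get(account, {}).get(ASSIGNED, [])
        if not assigned:
            findings.append((account, "member-not-assigned"))
        elif assigned[0] not in silos:
            findings.append((account, "assigned-outside-membership"))
        elif len(silos) > 1:
            findings.append((account, "member-of-multiple-silos"))
    return findings
```

Calling `audit(parse_ldif(SAMPLE_LDIF))` flags the computer account as a member with no assigned silo and the user as a member of two silos, the case described above where the last silo added becomes the assigned one.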