[Samba] Question about silos and Authentication policies

Stefan Kania stefan at kania-online.de
Fri Oct 27 09:38:00 UTC 2023


Ok, this will fix the missing function to add the silo to a user, but 
will not fix the missing condition ;-). Without it, it's not possible to 
prevent a user from logging in to a defined computer.


On 27.10.23 at 02:32, Rob van der Linde via samba wrote:
> Hi Stefan,
> 
> Yes it looks like your testing has found a gap in the functionality.
> 
> First of all, the single --policy: I removed that, it's just the 
> individual args now: --user-authentication-policy, 
> --service-authentication-policy, --computer-authentication-policy. I know 
> this is longer, but I wanted it to be consistent with the PowerShell 
> tooling (to a point). This is explained in MR !3325 on GitLab that 
> should get merged soon.
> 
> The missing functionality is --silo and --policy on modify user, and 
> probably also create user commands.
> 
> Right now if I add a user to two silos, it automatically sets the 
> assigned silo to the last one I did, this is probably not the desired 
> behaviour.
> 
> On 21/10/23 06:57, Stefan Kania via samba wrote:
>> Now I created a policy with:
>>
>> ---------
>> samba-tool domain auth policy create --enforce --name winclient-pol
>> ---------
>>
>> and a silo with:
>>
>> ---------
>> samba-tool domain auth silo create --enforce --name=winclient-silo
>> ---------
>>
>> Then I add the following objects to the silo:
>>
>> ---------
>> samba-tool domain auth silo member add --name=winclient-silo 
>> --member=padmin
>>
>> samba-tool domain auth silo member add --name=winclient-silo 
>> --member=winclient\$
>> ---------
>>
>> Then assigning the policy to the silo with:
>>
>> -------------
>> samba-tool domain auth silo modify --name=winclient-silo 
>> --policy=winclient-pol
>> -------------
>>
>> The next step would be to assign the silo to the user and the host, 
>> but I don't see any option in "samba-tool domain auth ..." to do this. 
>> The same with adding the host to the policy.
>>
>> On a Windows system I would do this with "ADAC", but I can't use it 
>> with a Samba DC.
>>
>> Is there a way to do it with samba-tool, or any other tool?
>>
>>
> 

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam and protects your 
privacy. You can get a free certificate at 
https://www.dgn.de/dgncert/index.html
Download of the root certificates: https://www.dgn.de/dgncert/downloads.html

New GPG key; the public key is in the attachment

