[Samba] Question about silos and Authentication policies
Stefan Kania
stefan at kania-online.de
Fri Oct 27 09:38:00 UTC 2023
Ok, this will fix the missing function to add the silo to a user, but
will not fix the missing condition ;-). Without it, it's not possible to
prevent a user from logging in to a defined computer.
On 27.10.23 at 02:32, Rob van der Linde via samba wrote:
> Hi Stefan,
>
> Yes it looks like your testing has found a gap in the functionality.
>
> First of all, the single --policy, I removed that; it's just the
> individual args now: --user-authentication-policy,
> --service-authentication-policy, --computer-authentication-policy. I know
> this is longer, but I wanted it to be consistent with the PowerShell
> tooling (to a point). This is explained in MR !3325 on Gitlab that
> should get merged soon.
>
> The missing functionality is --silo and --policy on modify user, and
> probably also create user commands.
>
> Right now if I add a user to two silos, it automatically sets the
> assigned silo to the last one I did, this is probably not the desired
> behaviour.
>
> On 21/10/23 06:57, Stefan Kania via samba wrote:
>> Now I created a policy with:
>>
>> ---------
>> samba-tool domain auth policy create --enforce --name winclient-pol
>> ---------
>>
>> and a silo with:
>>
>> ---------
>> samba-tool domain auth silo create --enforce --name=winclient-silo
>> ---------
>>
>> Then I add the following objects to the silo
>> ---------
>> samba-tool domain auth silo member add --name=winclient-silo
>> --member=padmin
>>
>> samba-tool domain auth silo member add --name=winclient-silo
>> --member=winclient\$
>> ---------
>>
>> Then assigning the policy to the silo with:
>>
>> -------------
>> samba-tool domain auth silo modify --name=winclient-silo
>> --policy=winclient-pol
>> -------------
>>
>> The next step would be to assign the silo to the user and the host,
>> but I don't see any option in "samba-tool domain auth ..." to do this.
>> The same with adding the host to the policy.
>>
>> On a Windows system I would do this with "ADAC", but I can't use it
>> with a Samba DC.
>>
>> Is there a way to do it with samba-tool, or any other tool?
>>
>>
>
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signing every e-mail helps reduce spam and protects your
privacy. You can obtain a free certificate at
https://www.dgn.de/dgncert/index.html
Download of the root certificates: https://www.dgn.de/dgncert/downloads.html
New GPG key; the public key is attached