setting up authentication policies in 4.20rc2
Stefan Kania
stefan at kania-online.de
Sat Feb 17 17:11:49 UTC 2024
Hi to all,
I just tried to set up authentication policies and authentication silos
in 4.20rc2.
Following these steps:
1. create a policy
samba-tool domain auth policy create --enforce --name winclient-pol
2. create a silo
samba-tool domain auth silo create --enforce --name=winclient-silo
3. adding at least one user and one host to the silo
samba-tool domain auth silo member grant --name=winclient-silo --member=winclient\$
samba-tool domain auth silo member grant --name=winclient-silo --member=padmin
BTW: In 4.19 it was "silo member add"
4. Set a single policy for all principals in this silo. With 4.19 that was
possible and that's by the way also possible with a Windows DC. That's
on a Windows DC called "Use a single policy for all principals that
belong to this authentication silo"
In 4.20 the option --policy is missing, you have only the option to add:
--user-authentication-policy=
--service-authentication-policy=
--computer-authentication-policy=
So it would be nice if the option --policy would be back
The next step after creating the silo and the policy and adding the
clients and users to the silo would be adding:
--service-allowed-to-authenticate-from=SDDL
and/or
--service-allowed-to-authenticate-to=SDDL
But where can I get the SDDL for the user and the client?
Stefan