setting up authentication policies in 4.20rc2
Jo Sutton
jsutton at samba.org
Mon Feb 19 01:48:06 UTC 2024
On 18/02/24 6:11 am, Stefan Kania via samba-technical wrote:
> Hi to all,
>
> I just tried to set up authentication policies and authentication silos
> in 4.20rc2.
> Following these steps:
> 1. create a policy
> samba-tool domain auth policy create --enforce --name winclient-pol
>
> 2. create a silo
> samba-tool domain auth silo create --enforce --name=winclient-silo
>
> 3. adding at least one user and one host to the silo
> samba-tool domain auth silo member grant --name=winclient-silo
> --member=winclient\$
> samba-tool domain auth silo member grant --name=winclient-silo
> --member=padmin
>
> BTW: In 4.19 it was "silo member add"
>
> 4. Set a single policy for all principals in this silo. With 4.19 that was
> possible, and that's by the way also possible with a Windows DC. On a
> Windows DC that's called "Use a single policy for all principals that
> belong to this authentication silo".
>
> In 4.20 the option --policy is missing, you have only the option to add:
> --user-authentication-policy=
> --service-authentication-policy=
> --computer-authentication-policy=
> So it would be nice if the option --policy came back.
>
We removed this option in commit
c22400fd8ef961e472ce2803cf4a2ec58b778795. I don’t remember our exact
reasoning, but we must have thought that it didn’t make much sense for a
user and a computer to share the same authentication policy.
> The next step after creating the silo and the policy and adding the
> clients and users to the silo would be adding:
> --service-allowed-to-authenticate-from=SDDL
> and/or
> --service-allowed-to-authenticate-to=SDDL
>
> But where can I get the SDDL for the user and the client?
>
Can you explain what you’d like to accomplish in this scenario? If you
want to make sure the user ‘padmin’ authenticates from the computer
‘winclient$’, you can use
‘--user-allowed-to-authenticate-from-device-silo=winclient-silo’, and
make sure the user and the computer both belong to the silo. Or if you
want to let only users in the silo authenticate to the computer
‘winclient$’, you can use
‘--computer-allowed-to-authenticate-to-by-silo=winclient-silo’.
> Stefan
Cheers,
Jo (she/her)
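As an added example (not part of this thread or of Samba's own code): the conditional-ACE form Microsoft documents for authentication-policy "allowed to authenticate from/to" descriptors, which is what the SDDL Stefan asks about looks like for a silo, plus a toy evaluation of that descriptor showing why Jo says the user and the computer must both belong to the silo. That samba-tool's --*-silo convenience options emit exactly this string is an assumption here.

```python
import re
from typing import Optional

# Claim tested by the condition.  For an "allowed to authenticate from"
# descriptor the KDC evaluates it against the device; for "allowed to
# authenticate to" against the connecting user.  Exact string emitted by
# samba-tool's --*-silo options is assumed, not taken from the thread.
SILO_CLAIM = "@USER.ad://ext/AuthenticationSilo"
SILO_RE = re.compile(
    r'^O:SYG:SYD:\(XA;OICI;CR;;;WD;\('
    r'@USER\.ad://ext/AuthenticationSilo == "([^"\\]+)"\)\)$'
)


def silo_sddl(silo: str) -> str:
    """SDDL granting the CR (control access) right only to principals
    whose AuthenticationSilo claim equals `silo`.  The name is validated
    before being embedded so a stray quote cannot alter the condition."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", silo):
        raise ValueError(f"silo name not safe to embed in SDDL: {silo!r}")
    return f'O:SYG:SYD:(XA;OICI;CR;;;WD;({SILO_CLAIM} == "{silo}"))'


def silo_from_sddl(sddl: str) -> Optional[str]:
    """Inverse of silo_sddl: the silo a descriptor pins, or None when the
    descriptor is in any other form (group-based, raw SID list, ...)."""
    m = SILO_RE.match(sddl)
    return m.group(1) if m else None


def authenticates(sddl: str, peer_silo: Optional[str]) -> bool:
    """Toy check of a silo-form descriptor: the peer's AuthenticationSilo
    claim (None = not a member of any silo) must equal the pinned silo.
    This is why 'padmin' and 'winclient$' must both be silo members."""
    pinned = silo_from_sddl(sddl)
    if pinned is None:
        raise ValueError("only the silo form is understood by this example")
    return peer_silo == pinned


if __name__ == "__main__":
    # Constructed scenario from the thread: policy on the user, device check.
    descriptor = silo_sddl("winclient-silo")
    print(descriptor)
    print("device in silo:", authenticates(descriptor, "winclient-silo"))
    print("device outside:", authenticates(descriptor, None))
```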