setting up authentication policies in 4.20rc2

Rowland Penny rpenny at samba.org
Mon Feb 19 16:45:07 UTC 2024


On Mon, 19 Feb 2024 14:48:06 +1300
Jo Sutton via samba-technical <samba-technical at lists.samba.org> wrote:

> On 18/02/24 6:11 am, Stefan Kania via samba-technical wrote:
> > Hi to all,
> > 
> > I just tried to setup authentication policies and authentication
> > silos in 4.20rc2.
> > Following these steps:
> > 1. create a policy
> > samba-tool domain auth policy create --enforce --name winclient-pol
> > 
> > 2. create a silo
> > samba-tool domain auth silo create --enforce --name=winclient-silo
> > 
> > 3. adding at least one user and one host to the silo
> > samba-tool domain auth silo member grant --name=winclient-silo --member=winclient\$
> > samba-tool domain auth silo member grant --name=winclient-silo --member=padmin
> > 
> > BTW: In 4.19 it was "silo member add"
> > 
> > 4. Set single policy for all principals in this silo. With 4.19
> > that was possible and that's by the way also possible with a
> > Windows DC. That's on a Windows DC called "Use a single policy for
> > all principals that belong to this authentication silo"
> > 
> > In 4.20 the option --policy is missing, you have only the option to
> > add: --user-authentication-policy=
> > --service-authentication-policy=
> > --computer-authentication-policy=
> > So it would be nice if the option --policy will be back
> > 
> 
> We removed this option in commit 
> c22400fd8ef961e472ce2803cf4a2ec58b778795. I don’t remember our exact 
> reasoning, but we must have thought that it didn’t make much sense
> for a user and a computer to share the same authentication policy.
> 

Can I ask what the reasoning was about this? Seeing as a computer in AD is
just a user with an extra objectclass.

I am trying to get my head around all this, but I am struggling at the
moment.

Rowland


