setting up authentication policies in 4.20rc2
Jo Sutton
jsutton at samba.org
Mon Feb 19 23:53:28 UTC 2024
On 20/02/24 5:28 am, Stefan Kania via samba-technical wrote:
>
>
> Am 19.02.24 um 02:48 schrieb Jo Sutton via samba-technical:
>> On 18/02/24 6:11 am, Stefan Kania via samba-technical wrote:
>>> Hi to all,
>>>
>>> I just tried to setup authentication policies and authentication
>>> silos in 4.20rc2.
>>> Following these steps:
>>> 1. create a policy
>>> samba-tool domain auth policy create --enforce --name winclient-pol
>>>
>>> 2. create a silo
>>> samba-tool domain auth silo create --enforce --name=winclient-silo
>>>
>>> 3. adding at least one user and one host to the silo
>>> samba-tool domain auth silo member grant --name=winclient-silo
>>> --member=winclient\$
>>> samba-tool domain auth silo member grant --name=winclient-silo
>>> --member=padmin
>>>
>>> BTW: In 4.19 it was "silo member add"
>>>
>>> 4. Set a single policy for all principals in this silo. With 4.19 that
>>> was possible, and that's by the way also possible with a Windows DC.
>>> On a Windows DC that's called "Use a single policy for all principals
>>> that belong to this authentication silo".
>>>
>>> In 4.20 the option --policy is missing, you have only the option to add:
>>> --user-authentication-policy=
>>> --service-authentication-policy=
>>> --computer-authentication-policy=
>>> So it would be nice if the option --policy came back.
>>>
>>
>> We removed this option in commit
>> c22400fd8ef961e472ce2803cf4a2ec58b778795. I don’t remember our exact
>> reasoning, but we must have thought that it didn’t make much sense for
>> a user and a computer to share the same authentication policy.
>
>
> In this picture you see a screenshot (sorry, it's a German DC) showing that
> you can select either all policies or a single one.
>
> https://ibb.co/kGB3XhR
>
> I think, with Samba we should have the same possibility.
>
>>
>>> The next step after creating the silo and the policy and adding the
>>> clients and users to the silo would be adding:
>>> --service-allowed-to-authenticate-from=SDDL
>>> and/or
>>> --service-allowed-to-authenticate-to=SDDL
>>>
>>> But where can I get the SDDL for the user and the client?
>>>
>>
>> Can you explain what you’d like to accomplish in this scenario? If you
>> want to make sure the user ‘padmin’ authenticates from the computer
>> ‘winclient$’, you can use
>> ‘--user-allowed-to-authenticate-from-device-silo=winclient-silo’, and
>> make sure the user and the computer both belong to the silo. Or if you
>> want to let only users in the silo authenticate to the computer
>> ‘winclient$’, you can use
>> ‘--computer-allowed-to-authenticate-to-by-silo=winclient-silo’.
>>
>
>
>
> I want to disallow the user padmin to log in at the computer with the
> name winclient. So all users who are members of the silo winclient-silo
> should not be able to log in to the computer winclient.
> So for example I create a policy login-to-DCs, then add the group
> "domain users" to the silo and the DCs. In a Windows domain I can now
> configure to allow all users that are equal to a list of users, or not equal.
> As you can see in the next picture, I can choose either that the user is
> equal to the list to allow the access, or that the user is not equal to the
> list to be allowed access.
>
> https://ibb.co/SxgRzZW
>
> I'm missing the part of selecting "member of the list" or "not member of
> the list"
>
>
>
>
>
> Stefan
First, I think you’ll want to do:
samba-tool user auth silo assign winclient\$ --silo=winclient-silo
samba-tool user auth silo assign padmin --silo=winclient-silo
to assign the silo to the user and the client.
I don’t think you want ‘--service-allowed-to…’. Those options apply to
Managed Service Accounts, which you don’t appear to be dealing with.
I think this might be the command you want? —
samba-tool domain auth policy modify --name=winclient-pol \
  --user-allowed-to-authenticate-from='O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_Member_of SID(S-1-2-3)))'
where winclient’s SID is substituted for ‘S-1-2-3’.
That should prevent any users in the silo from authenticating, unless
they use FAST from a computer other than ‘winclient’.
Is that what you’re looking for?
Cheers,
Jo (she/her)
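The "member of the list" / "not member of the list" choice Stefan is asking about is the Member_of / Not_Member_of operator of the MS-DTYP conditional ACE that samba-tool takes as SDDL. The helper below is an added example (not Samba's own code, and not from anyone in this thread) that builds the descriptor in the same O:SYG:SYD:(XA;OICI;CR;;;WD;(...)) form used in the reply above, but with the braced SID-array syntax from MS-DTYP so more than one computer or group SID can be listed, and emits the matching samba-tool invocation. The function and parameter names and the sample SID S-1-5-21-1-2-3-1105 are assumptions made for the example; the policy name winclient-pol is the one from the thread. As the reply notes, the device-side condition only has something to evaluate when the client authenticates with FAST, so test from a second, un-listed computer before relying on it.

```python
"""Build the SDDL for samba-tool's --user-allowed-to-authenticate-from.

Added example, not Samba code. The condition in the "from" descriptor is
evaluated against the device token, so the SIDs listed are computer (or
group) SIDs, and the Member_of / Not_Member_of operator decides whether
the list is an allow-list or a deny-list of devices.
"""
import re
import shlex

# Assumed well-formedness check: S-1-<authority>-<subauthority>... It only
# catches typos before they reach the directory; it does not resolve SIDs.
_SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def _sid_list(sids):
    """Return the MS-DTYP composite form, e.g. {SID(S-1-...), SID(S-1-...)}."""
    if not sids:
        raise ValueError("at least one SID is required")
    for sid in sids:
        if not _SID_RE.match(sid):
            raise ValueError(f"not a well-formed SID: {sid!r}")
    return "{" + ", ".join(f"SID({s})" for s in sids) + "}"


def authenticate_from_sddl(sids, allow_when_member=True):
    """Security descriptor for --user-allowed-to-authenticate-from.

    allow_when_member=True  -> allow only from devices in the list (Member_of)
    allow_when_member=False -> allow from any device except those listed
                               (Not_Member_of), which is the case in the thread
    Owner/group SY and an XA (callback allow) ACE granting CR to WD follow
    the form of the descriptor in the reply above.
    """
    op = "Member_of" if allow_when_member else "Not_Member_of"
    return f"O:SYG:SYD:(XA;OICI;CR;;;WD;({op} {_sid_list(sids)}))"


def samba_tool_command(policy, sddl):
    """Shell-quoted samba-tool command that applies the descriptor."""
    return ("samba-tool domain auth policy modify "
            f"--name={shlex.quote(policy)} "
            f"--user-allowed-to-authenticate-from={shlex.quote(sddl)}")


if __name__ == "__main__":
    # Constructed computer SID standing in for winclient$'s objectSid.
    winclient_sid = "S-1-5-21-1-2-3-1105"
    # Deny-list: users in the silo may authenticate from anything but winclient.
    sddl = authenticate_from_sddl([winclient_sid], allow_when_member=False)
    print(samba_tool_command("winclient-pol", sddl))
```

Running the script prints the single samba-tool line to paste on the DC; swap `allow_when_member=True` to turn the same list into "only from these devices", and pass several SIDs to cover a group of computers in one ACE.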
More information about the samba-technical
mailing list