setting up authentication policies in 4.20rc2
Jo Sutton
jsutton at samba.org
Tue Feb 27 01:57:17 UTC 2024
On 22/02/24 9:44 pm, Stefan Kania via samba-technical wrote:
>
>
> On 21.02.24 at 03:50, Jo Sutton via samba-technical wrote:
>> I think the problem is the SID in the authentication policy’s SDDL.
>> S-1-5-21-2545884418-1286714830-2149023192-512 is the SID of the Domain
>> Administrators group. Thus, what the SDDL means is “users with this
>> authentication policy applied may authenticate from devices that don’t
>> belong to the Domain Administrators group”. Note that it’s the
>> *device* that the condition applies to, not the user. So it won’t make
>> a difference if the user is in the Domain Administrators group or not.
>>
>> If you want the policy to prevent users from logging into the computer
>> ‘winclient’, try using that computer’s SID instead of the Domain
>> Administrators SID.
>>
>> Cheers,
>> Jo (she/her)
>
> Hi Jo,
>
> this makes no sense at all. Normally you don't need a silo at all, you
> can just create a policy, add some hosts and users to the policy, define a
> condition, and every time you need a new host or user assign the policy to
> the user. Compare it with the filesystem (I know it's not the same): it
> would be the same as giving permission via ACL to every single user. Nobody
> would do this. You assign a group to the directory's ACL and give the
> group the permission and assign users to the group.
>
Sorry? You told me you wanted to forbid all users who were members of a
certain silo from logging on to a specific computer. If that’s not what
you’re after, can you more clearly state what you’re trying to do?
> The same should be done with the policies. You create the policy with
> the condition (that's the permission, compared to a filesystem ACL).
> Then you create the silo and assign all the users and hosts to the silo.
> Then you add the silo to the permission. So I can have different silos
> with different users and hosts and assign the policy to them.
>
> But with samba-tool it's not possible to assign a silo to a policy with
> samba-tool domain auth policy modify --name=winclient-pol
> --user-allowed-to-authenticate-from=winclient-silo
>
You don’t assign a silo to a policy, you set a policy on a silo.
‘--user-allowed-to-authenticate-from’ specifies the conditions a device
must meet in order for a user to be able to authenticate from it. It
corresponds to the ‘msDS-UserAllowedToAuthenticateFrom’ attribute in
Active Directory, and it takes SDDL, not the name of a silo.
‘--user-allowed-to-authenticate-from-device-silo=winclient-silo’, on the
other hand, takes the name of a silo to which a device must belong for a
user to be able to authenticate from it. Is that perhaps closer to what
you’re looking for?
Cheers,
Jo (she/her)
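The distinction Jo draws above (the SDDL option describes a condition evaluated against the device, while the device-silo option takes a silo name) is easy to check mechanically. The following is an added example, not code from the thread or from Samba: it pulls the conditional ACE out of an msDS-UserAllowedToAuthenticateFrom value, reports whether the condition is a device group membership or a device silo, and says which samba-tool option a given value belongs to. The two sample strings are constructed for this example; the group one uses the Domain Administrators SID from the thread, the silo one uses the `@Device.ad://ext/AuthenticationSilo == "..."` expression form that a device-silo condition takes, with the thread's silo name.

```python
import re

# Constructed samples (not a dump from the thread's domain). The SID is the
# Domain Administrators SID quoted in the thread; the silo is "winclient-silo".
GROUP_SDDL = ("O:SYG:SYD:(XA;OICI;CR;;;WD;"
              "(Not_Member_of {SID(S-1-5-21-2545884418-1286714830-2149023192-512)}))")
SILO_SDDL = ('O:SYG:SYD:(XA;OICI;CR;;;WD;'
             '(@Device.ad://ext/AuthenticationSilo == "winclient-silo"))')

# Longer alternatives first so "Not_Member_of" is not cut down to "Member_of".
MEMBER_RE = re.compile(
    r"(Not_Member_of_any|Not_Member_of|Member_of_any|Member_of)\s*\{([^}]*)\}")
SID_RE = re.compile(r"SID\((S-1-[0-9-]+)\)")
SILO_RE = re.compile(
    r'@(Device|User)\.ad://ext/AuthenticationSilo\s*==\s*"([^"]*)"', re.IGNORECASE)


def split_aces(sddl):
    """Return the ACE bodies of the DACL. Parentheses are matched by depth so
    the '(' and ')' inside a conditional expression do not end an ACE early."""
    dacl = sddl.split("D:", 1)[1]
    aces, depth, start = [], 0, None
    for i, ch in enumerate(dacl):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0 and start is not None:
                aces.append(dacl[start + 1:i])
                start = None
    return aces


def parse_authenticate_from(sddl):
    """Describe the condition in an msDS-UserAllowedToAuthenticateFrom value as
    {'subject', 'kind', 'operator', 'values'}. As the thread explains, a plain
    group-membership condition here is evaluated against the device, not the
    user, so 'subject' is reported as 'device' for it."""
    for ace in split_aces(sddl):
        fields = ace.split(";", 6)
        if fields[0] != "XA" or len(fields) < 7:
            continue  # only conditional (XA) ACEs carry an expression
        cond = fields[6].strip()
        if cond.startswith("(") and cond.endswith(")"):
            cond = cond[1:-1]
        m = SILO_RE.search(cond)
        if m:
            return {"subject": m.group(1).lower(), "kind": "silo",
                    "operator": "==", "values": (m.group(2),)}
        m = MEMBER_RE.search(cond)
        if m:
            return {"subject": "device", "kind": "group",
                    "operator": m.group(1),
                    "values": tuple(SID_RE.findall(m.group(2)))}
    raise ValueError("no recognised conditional ACE in SDDL")


def describe(sddl):
    """Plain-English reading of the policy, in the terms used above."""
    c = parse_authenticate_from(sddl)
    if c["kind"] == "silo":
        return f"users may authenticate only from devices in the silo '{c['values'][0]}'"
    negated = c["operator"].startswith("Not_")
    return ("users may authenticate only from devices that are "
            + ("NOT " if negated else "") + "members of " + ", ".join(c["values"]))


def suggest_option(value):
    """Which samba-tool option a value belongs to: SDDL goes to
    --user-allowed-to-authenticate-from, a bare silo name to
    --user-allowed-to-authenticate-from-device-silo."""
    if value.startswith(("O:", "D:")) or "(" in value:
        return "--user-allowed-to-authenticate-from"
    return "--user-allowed-to-authenticate-from-device-silo"


if __name__ == "__main__":
    for sample in (GROUP_SDDL, SILO_SDDL, "winclient-silo"):
        print(suggest_option(sample), "<-", sample)
    print(describe(GROUP_SDDL))
    print(describe(SILO_SDDL))
```

Running it on the group sample prints the reading Jo gives in the quoted message (devices that are NOT members of the Domain Administrators SID), and on the bare name `winclient-silo` it points at the device-silo option rather than the SDDL one.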