authentication policies in Samba 4.21
Stefan Kania
stefan at kania-online.de
Mon Nov 4 18:27:30 UTC 2024
I tried to get the same settings in Samba as in Windows.

On 30.10.24 at 23:30, Douglas Bagnall via samba-technical wrote:
> On 31/10/24 05:57, Stefan Kania wrote:
>> the assignment is different to the one we have in Samba
>
> Just so this part doesn't get lost, these are the differences we're
> looking at.
>
> policy, windows:
>
>> msDS-UserAuthNPolicyBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
>> msDS-ComputerAuthNPolicyBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
>> msDS-ServiceAuthNPolicyBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
>
> policy, samba:
>
>>> msDS-AssignedAuthNPolicyBL: CN=stka,OU=firma,DC=example,DC=net
>>> msDS-AssignedAuthNPolicyBL: CN=WINCLIENT11,OU=firma,DC=example,DC=net

policy samba new:

msDS-ComputerAuthNPolicyBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-ServiceAuthNPolicyBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-UserAuthNPolicyBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net

Inside the policy (compared to a Windows AD) I am still missing:

msDS-UserAllowedToAuthenticateFrom
msDS-ServiceAllowedToAuthenticateFrom

It's not possible to set these values with samba-tool.

>
>
> silo, windows:
>
>> msDS-AssignedAuthNPolicySiloBL: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
>> msDS-AssignedAuthNPolicySiloBL: CN=st ka,OU=firma,DC=winexample,DC=net
>> msDS-AssignedAuthNPolicySiloBL: CN=WIN2022,OU=Domain Controllers,DC=winexample
>> msDS-UserAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
>> msDS-ComputerAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
>> msDS-ServiceAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
>
> silo, samba:
>
>>> msDS-AuthNPolicySiloMembers: CN=stka,OU=firma,DC=example,DC=net
>>> msDS-AuthNPolicySiloMembers: CN=WINCLIENT11,OU=firma,DC=example,DC=net

Samba silo new:

msDS-ComputerAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-ServiceAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-UserAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net

I'm missing:

msDS-AssignedAuthNPolicySiloBL for all members

I see in the samba silo:

msDS-AuthNPolicySiloMembers for all members

>
>
> user, windows:
>
>> msDS-AssignedAuthNPolicySilo: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
>> msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
>
> user, samba:
>
>>> msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
>>> msDS-AssignedAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
>
>
> computer, windows:
>
>> msDS-AssignedAuthNPolicySilo: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
>> msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
>
> computer, samba:
>
>>> msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
>>> msDS-AssignedAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
>
>
> Douglas
>
So still not working
Stefan
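
The attribute-by-attribute comparison made by hand in this thread can be scripted. The following is an added example, not part of the original message and not Samba code: it unfolds wrapped LDIF lines and lists which msDS-* attribute names appear on one object but not the other. The function names are hypothetical, and the sample LDIF is constructed from the user-object attributes quoted above.

```python
import base64

def unfold(ldif):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def attrs(ldif, prefix="msDS-"):
    """Return {attribute name: [values]} for attributes whose name starts with prefix."""
    found = {}
    for line in unfold(ldif):
        name, sep, value = line.partition(":")
        if not sep or not name.startswith(prefix):
            continue
        if value.startswith(":"):  # "name:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        found.setdefault(name, []).append(value.strip())
    return found

def diff_attr_names(reference, candidate):
    """Return (names only on the reference object, names only on the candidate)."""
    ref, cand = set(attrs(reference)), set(attrs(candidate))
    return sorted(ref - cand), sorted(cand - ref)

# Constructed sample input, using the user-object attributes quoted in this thread.
WINDOWS_USER = """\
msDS-AssignedAuthNPolicySilo: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Con
 figuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Co
 nfiguration,CN=Services,CN=Configuration,DC=winexample,DC=net
"""
SAMBA_USER = """\
msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Co
 nfiguration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AssignedAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Co
 nfiguration,CN=Services,CN=Configuration,DC=example,DC=net
"""

if __name__ == "__main__":
    missing, extra = diff_attr_names(WINDOWS_USER, SAMBA_USER)
    print("only on Windows object:", missing)
    print("only on Samba object:  ", extra)
```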