authentication policies in Samba 4.21
Stefan Kania
stefan at kania-online.de
Tue Nov 5 16:43:53 UTC 2024
On 05.11.24 at 11:13, Stefan Kania via samba-technical wrote:
> Hi Jennifer
>
> On 04.11.24 at 21:22, Jennifer Sutton via samba-technical wrote:
>> On 5/11/24 7:27 am, Stefan Kania via samba-technical wrote:
>>> Inside the policy (compared to a Windows AD) I'm still missing:
>>> msDS-UserAllowedToAuthenticateFrom
>>> msDS-ServiceAllowedToAuthenticateFrom
>>> It's not possible to set these values with samba-tool
>>
>> Have you tried --user-allowed-to-authenticate-from=SDDL and --service-
>> allowed-to-authenticate-from=SDDL?
>>
> No, not up to now. But now I changed the settings. On both the Windows
> AD and the Samba AD all the settings are the same, but it's still not
> working with the Samba AD.
> The user who is a member of the silo can't log in on the computer that is
> a member of the silo, BUT he also can't log in to any other computer in the
> domain. He is getting the same message, that he is not allowed to log in
> on this computer (which is right for the computer that is a member of the
> silo). BTW, now it's the first time I'm getting the correct message.
>
> All other users also can't log in to the computer from the silo, but can
> on any other computer. They are getting the message "This computer is
> protected with an authentication firewall".
>
>
>>>
>>> I'm missing:
>>> msDS-AssignedAuthNPolicySiloBL for all members
>>
>> You don’t set this on the silo. You assign the members to the silo
>> with ‘samba-tool user auth silo assign <username> [options]’.
> I know, but this is still the only attribute that is set in the Windows
> AD but not in the Samba AD.
Found something more: if you take a look at the silo from my
Microsoft AD you see:
msDS-AssignedAuthNPolicySiloBL: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
msDS-AssignedAuthNPolicySiloBL: CN=stka,OU=firma,DC=winexample,DC=net
msDS-AssignedAuthNPolicySiloBL: CN=WIN2022,OU=Domain Controllers,DC=winexample,DC=net
------------
msDS-AuthNPolicySiloMembers: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
msDS-AuthNPolicySiloMembers: CN=stka,OU=firma,DC=winexample,DC=net
The domain controller (WIN2022) is listed in the attribute
msDS-AssignedAuthNPolicySiloBL, but the DC is NOT a member of the silo.
Only the user and the computer are.
I tried to assign the DC to the policy and make it a member of the silo;
no changes.
So still the only difference between Windows and Samba is the missing
attribute msDS-AssignedAuthNPolicySiloBL for all members and the DC.
Stefan
>
>> Cheers,
>> Jennifer (she/her)
>>
> Stefan
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
---------------------
There is no CLOUD, only other people's computers
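The comparison Stefan does by eye above (silo members versus the msDS-AssignedAuthNPolicySiloBL backlink values on the silo object) can be scripted. The following is an added example, not code from this thread or from the Samba project. It assumes the silo objects have been exported as LDIF text (for instance with ldbsearch); the sample LDIF is constructed from the DNs quoted in the thread, with a hypothetical silo name "silo1" and a constructed Samba domain DC=samba,DC=example. It reports, per silo, members that have no backlink (the Samba symptom described in the thread) and backlink entries that are not members (the DC case from the Windows AD).

```python
"""Check an authentication silo's member list against its
msDS-AssignedAuthNPolicySiloBL backlink values, reading LDIF text.

Added example, not from the thread or the Samba project. Assumes the silo
entries were exported as LDIF (e.g. via ldbsearch); sample data is constructed.
"""
import base64

# Constructed sample: the silo as quoted from the Windows AD (one value is
# folded over two lines, as LDIF does with long lines) and the same silo as it
# appears in a Samba AD with no backlink values at all. Silo name "silo1" and
# the domain DC=samba,DC=example are hypothetical.
SAMPLE_LDIF = """\
dn: CN=silo1,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
objectClass: msDS-AuthNPolicySilo
msDS-AssignedAuthNPolicySiloBL: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
msDS-AssignedAuthNPolicySiloBL: CN=stka,OU=firma,DC=winexample,DC=net
msDS-AssignedAuthNPolicySiloBL: CN=WIN2022,OU=Domain Controllers,
 DC=winexample,DC=net
msDS-AuthNPolicySiloMembers: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
msDS-AuthNPolicySiloMembers: CN=stka,OU=firma,DC=winexample,DC=net

dn: CN=silo1,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=samba,DC=example
objectClass: msDS-AuthNPolicySilo
msDS-AuthNPolicySiloMembers: CN=WINCLIENT11,OU=firma,DC=samba,DC=example
msDS-AuthNPolicySiloMembers: CN=stka,OU=firma,DC=samba,DC=example
"""


def parse_ldif(text):
    """Parse LDIF into a list of entries, each mapping a lower-cased attribute
    name to its list of values. Folded continuation lines (leading space) are
    re-joined, '::' base64 values are decoded, comments/version lines skipped."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def normalize_dn(dn):
    """Canonical form for comparing DNs: AD DNs are case-insensitive and
    whitespace around the RDN separators is not significant."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def silo_consistency(entry):
    """Compare the silo's forward link (members) with its backlink values."""
    members = {normalize_dn(v) for v in entry.get("msds-authnpolicysilomembers", [])}
    assigned = {normalize_dn(v) for v in entry.get("msds-assignedauthnpolicysilobl", [])}
    return {
        "members_without_backlink": sorted(members - assigned),
        "assigned_but_not_member": sorted(assigned - members),
    }


def check_silos(ldif_text):
    """Run the check over every msDS-AuthNPolicySilo entry; keyed by silo DN."""
    report = {}
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "msds-authnpolicysilo" in classes:
            report[normalize_dn(entry["dn"][0])] = silo_consistency(entry)
    return report


if __name__ == "__main__":
    for silo_dn, result in check_silos(SAMPLE_LDIF).items():
        print(silo_dn)
        for key, dns in result.items():
            print(f"  {key}: {dns or 'none'}")
```

Run on the sample, the Windows silo reports only the DC under assigned_but_not_member, while the Samba silo reports both members under members_without_backlink, which is exactly the difference the thread narrows down to.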