authentication policies in Samba 4.21

Stefan Kania stefan at kania-online.de
Tue Nov 5 16:43:53 UTC 2024



On 05.11.24 at 11:13, Stefan Kania via samba-technical wrote:
> Hi Jennifer
> 
> On 04.11.24 at 21:22, Jennifer Sutton via samba-technical wrote:
>> On 5/11/24 7:27 am, Stefan Kania via samba-technical wrote:
>>> Inside the policy (compared to a Windows AD) I am still missing:
>>> msDS-UserAllowedToAuthenticateFrom
>>> msDS-ServiceAllowedToAuthenticateFrom
>>> It's not possible to set these values with samba-tool.
>>
>> Have you tried --user-allowed-to-authenticate-from=SDDL and
>> --service-allowed-to-authenticate-from=SDDL?
>>
> No, not up to now. But now I have changed the settings. On both the Windows
> AD and the Samba AD all the settings are the same, but it is still not
> working with the Samba AD.
> The user who is a member of the silo can't log in on the computer that is
> a member of the silo, BUT he also can't log in to any other computer in
> the domain. He gets the same message, that he is not allowed to log in on
> this computer (which is right for the computer that is a member of the
> silo). BTW, this is the first time I'm getting the correct message.
> 
> All other users also can't log in to the computer from the silo, but they
> can on any other computer. They get the message "This computer is protected
> by an authentication firewall".
> 
> 
>>>
>>> I'm missing:
>>> msDS-AssignedAuthNPolicySiloBL for all members
>>
>> You don’t set this on the silo. You assign the members to the silo 
>> with ‘samba-tool user auth silo assign <username> [options]’.
> I know, but this is still the only attribute that is set in the Windows
> AD but not in the Samba AD.

Found something more: if you take a look at the silo from my 
Microsoft AD you see:

msDS-AssignedAuthNPolicySiloBL: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
msDS-AssignedAuthNPolicySiloBL: CN=stka,OU=firma,DC=winexample,DC=net
msDS-AssignedAuthNPolicySiloBL: CN=WIN2022,OU=Domain Controllers,DC=winexample,DC=net

------------

msDS-AuthNPolicySiloMembers: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
msDS-AuthNPolicySiloMembers: CN=stka,OU=firma,DC=winexample,DC=net


The domain controller (WIN2022) is listed in the attribute 
msDS-AssignedAuthNPolicySiloBL, but the DC is NOT a member of the silo. 
Only the user and the computer are.

I tried to assign the DC to the policy and make it a member of the silo; 
no change.
So the only difference between Windows and Samba is still the missing 
attribute msDS-AssignedAuthNPolicySiloBL for all members and the DC.


Stefan

> 
>> Cheers,
>> Jennifer (she/her)
>>
> Stefan

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

---------------------
There is no CLOUD, only other people's computers
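The attribute dump in the mail is compared by eye: which DNs carry the back-link msDS-AssignedAuthNPolicySiloBL on the silo, and which are listed in the forward link msDS-AuthNPolicySiloMembers. The following script does that comparison mechanically. It is an added example, not code from the mail or from Samba: it parses an LDIF-style dump of the silo object with the standard library only, unfolds RFC 2849 continuation lines as well as values a mail client pushed onto the next line, normalises the DNs (case, stray whitespace) before comparing them, and reports the DNs that appear on one side only. The sample LDIF is constructed after the dump quoted above; the silo DN `CN=ExampleSilo,...` is a placeholder, and the helper names are my own.

```python
"""Cross-check the member links on an authentication policy silo.

A silo object carries two multi-valued attributes that should agree:
msDS-AuthNPolicySiloMembers, the forward link written when an account is
assigned to the silo, and msDS-AssignedAuthNPolicySiloBL, the back-link of
msDS-AssignedAuthNPolicySilo on each assigned object. This added example
parses an LDIF-style dump of the silo and lists every DN on one side only.
Standard library only; it does not talk to a directory.
"""
import re
from typing import Dict, List, Optional

AttrMap = Dict[str, List[str]]

# Constructed sample modelled on the dump quoted in the mail (member DNs as
# quoted there; the silo DN is a placeholder). It deliberately mixes RFC 2849
# folding (continuation line starting with a space), a value pushed onto the
# next line by a mail client, and a stray space inside one DN.
SAMPLE_LDIF = """\
dn: CN=ExampleSilo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-AssignedAuthNPolicySiloBL: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
msDS-AssignedAuthNPolicySiloBL:
CN=stka,OU=firma,DC=winexample,DC=net
msDS-AssignedAuthNPolicySiloBL: CN=WIN2022,OU=Domain Controllers,DC=winexampl
 e,DC=net
msDS-AuthNPolicySiloMembers: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
msDS-AuthNPolicySiloMembers: CN=stka,OU=firma,DC=winexample ,DC=net
"""


def parse_ldif_entry(text: str) -> AttrMap:
    """Parse one LDIF entry into {attribute: [values]}.

    Two wrapping forms are handled: LDIF folding (a continuation line that
    starts with a single space) and mail-client wrapping that left the whole
    value on the line after "attribute:".
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # RFC 2849 continuation
        else:
            unfolded.append(raw)

    attrs: AttrMap = {}
    pending: Optional[str] = None            # attribute still waiting for its value
    for line in unfolded:
        line = line.rstrip()
        if not line:
            continue
        if pending is not None:
            attrs.setdefault(pending, []).append(line.strip())
            pending = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                         # not an attribute line; ignore
        name, value = name.strip(), value.strip()
        if value == "":
            pending = name                   # value was wrapped onto the next line
        else:
            attrs.setdefault(name, []).append(value)
    return attrs


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: no whitespace around ',' or '=',
    internal whitespace collapsed, lower-cased (DNs compare case-insensitively)."""
    dn = re.sub(r"\s*,\s*", ",", dn)
    dn = re.sub(r"\s*=\s*", "=", dn)
    dn = re.sub(r"\s+", " ", dn)
    return dn.strip().lower()


def compare_silo_links(attrs: AttrMap) -> Dict[str, List[str]]:
    """Return DNs assigned to the silo (back-link) but not listed as members,
    and DNs listed as members without the back-link."""
    assigned = {normalize_dn(v) for v in attrs.get("msDS-AssignedAuthNPolicySiloBL", [])}
    members = {normalize_dn(v) for v in attrs.get("msDS-AuthNPolicySiloMembers", [])}
    return {
        "assigned_not_member": sorted(assigned - members),
        "member_not_assigned": sorted(members - assigned),
    }


if __name__ == "__main__":
    report = compare_silo_links(parse_ldif_entry(SAMPLE_LDIF))
    for key, dns in report.items():
        print(f"{key}: {len(dns)}")
        for dn in dns:
            print(f"  {dn}")
```

Run against a real export (for example the silo object dumped with `ldbsearch` or `ldapsearch`), the only DN reported under `assigned_not_member` for the constructed sample is the domain controller, which matches the observation in the mail; an empty report on both sides is what a consistent silo looks like.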
