authentication policies in Samba 4.21

Jennifer Sutton jsutton at samba.org
Tue Nov 5 22:22:14 UTC 2024


On 6/11/24 5:43 am, Stefan Kania via samba-technical wrote:
> 
> 
> Am 05.11.24 um 11:13 schrieb Stefan Kania via samba-technical:
>> Hi Jennifer
>>
>> Am 04.11.24 um 21:22 schrieb Jennifer Sutton via samba-technical:
>>> On 5/11/24 7:27 am, Stefan Kania via samba-technical wrote:
>>>> Inside the policy (comparing to a Windows AD) I'm still missing:
>>>> msDS-UserAllowedToAuthenticateFrom
>>>> msDS-ServiceAllowedToAuthenticateFrom
>>>> It's not possible to set these values with samba-tool
>>>
>>> Have you tried --user-allowed-to-authenticate-from=SDDL and
>>> --service-allowed-to-authenticate-from=SDDL?
>>>
>> No, not up to now. But now I changed the settings. On both the
>> Windows AD and the Samba AD all the settings are the same, but it's still
>> not working with Samba AD.
>> The user who is a member of the silo can't log in on the computer that
>> is a member of the silo BUT he also can't log in to any other computer in
>> the domain. He is getting the same message, that he is not allowed to
>> log in on this computer (which is right for the computer that is a member
>> of the silo). BTW, now it's the first time I'm getting the correct
>> message.
>>
>> All other users also can't log in to the computer from the silo, but can
>> on any other computer. They are getting the message "This computer is
>> protected with an authentication firewall".
>>

Can you post the SDDL you’ve set on the authentication policy?

>>
>>>>
>>>> I'm missing:
>>>> msDS-AssignedAuthNPolicySiloBL for all members
>>>
>>> You don’t set this on the silo. You assign the members to the silo 
>>> with ‘samba-tool user auth silo assign <username> [options]’.
>> I know, but this is still the only attribute that is set in the
>> Windows AD but not in the Samba AD.
> 
> Found something more: if you take a look at the silo from my 
> Microsoft-AD you see:
> msDS-AssignedAuthNPolicySiloBL: 
> CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
> 
> msDS-AssignedAuthNPolicySiloBL:
> CN=stka,OU=firma,DC=winexample,DC=net
> 
> msDS-AssignedAuthNPolicySiloBL:
> CN=WIN2022,OU=Domain Controllers,DC=winexample,DC=net
> 
> ------------
> 
> msDS-AuthNPolicySiloMembers:
> CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
> 
> msDS-AuthNPolicySiloMembers:
> CN=stka,OU=firma,DC=winexample,DC=net
> 
> 
> The domain controller (WIN2022) is listed with the attribute
> msDS-AssignedAuthNPolicySiloBL, but the DC is NOT a member of the silo.
> Only the user and the computer are.
> 
> I tried to assign the DC to the policy and make it a member of the silo,
> no changes.
> So still the only difference between Windows and Samba is the missing
> attribute msDS-AssignedAuthNPolicySiloBL for all members and the DC.

You can disregard the msDS-AssignedAuthNPolicySiloBL attribute; it’s not 
used for anything. The important one is msDS-AssignedAuthNPolicySilo, 
which should be set on the members of the silo.

Cheers,
Jennifer (she/her)
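The thread turns on three relationships: the forward link msDS-AssignedAuthNPolicySilo that each member must carry, the backlink msDS-AssignedAuthNPolicySiloBL that is derived from it (and so shows the DC even though the DC is not in msDS-AuthNPolicySiloMembers), and whether the policy's msDS-UserAllowedToAuthenticateFrom SDDL actually names the silo. The following is an added example, not code from the thread or from the Samba project: an offline consistency check over directory objects modelled as plain dicts (attribute name to list of values, as you would get from parsing ldbsearch or samba-tool view output). The DNs, the silo and policy names, and the SDDL form (the documented Windows conditional ACE using the ad://ext/AuthenticationSilo claim) are assumptions made for the example; the sample data is constructed to mirror the situation described above.

```python
"""Offline consistency check for an AD authentication silo.

Added example, not from the samba-technical thread or the Samba project.
Objects are dicts (attribute name -> list of values). All DNs, names and
the SDDL below are constructed sample data.
"""
import re

# Conditional ACE Windows emits for "user may authenticate only from
# devices in silo X"; matched on the claim name and the quoted silo name.
SILO_CLAIM_RE = re.compile(
    r'\(@USER\.ad://ext/AuthenticationSilo\s*==\s*"([^"]+)"\)')


def silo_sddl(silo_name):
    """SDDL restricting a user to authenticate only from hosts in silo_name.

    XA = access-allowed-callback ACE, WD = Everyone, CR = the control
    right. Format assumed from the documented Windows form of this setting.
    """
    return ('O:SYG:SYD:(XA;OICI;CR;;;WD;'
            '(@USER.ad://ext/AuthenticationSilo == "%s"))' % silo_name)


def silos_named_in_sddl(sddl):
    """Silo names referenced by AuthenticationSilo claims in an SDDL string."""
    return SILO_CLAIM_RE.findall(sddl)


def check_silo(silo, objects):
    """Return (severity, message) findings for one silo object.

    silo:    attribute dict of the silo (must carry 'dn' and 'cn').
    objects: DN -> attribute dict for members, candidate members, policies.
    """
    findings = []
    silo_dn = silo["dn"]
    silo_name = silo["cn"][0]
    members = set(silo.get("msDS-AuthNPolicySiloMembers", []))

    if silo.get("msDS-AuthNPolicySiloEnforced", ["FALSE"])[0] != "TRUE":
        findings.append(("warn", "silo %s is in audit mode, not enforced"
                         % silo_name))

    # The BL is derived from the forward links, so compute it from the
    # objects rather than reading msDS-AssignedAuthNPolicySiloBL off the silo.
    assigned = {dn for dn, attrs in objects.items()
                if attrs.get("msDS-AssignedAuthNPolicySilo") == [silo_dn]}

    # A listed member without the forward link is not actually in the silo.
    for dn in sorted(members - assigned):
        findings.append(("error", "%s is in msDS-AuthNPolicySiloMembers but "
                         "has no msDS-AssignedAuthNPolicySilo pointing at %s"
                         % (dn, silo_name)))

    # The forward link alone (what shows up in the BL) is not membership.
    for dn in sorted(assigned - members):
        findings.append(("warn", "%s has msDS-AssignedAuthNPolicySilo set but "
                         "is not in msDS-AuthNPolicySiloMembers; the "
                         "assignment has no effect" % dn))

    # If the user policy restricts "allowed to authenticate from", it must
    # name this silo, or silo users cannot log on even from silo hosts.
    for pol_dn in silo.get("msDS-UserAuthNPolicy", []):
        sddl = objects.get(pol_dn, {}).get(
            "msDS-UserAllowedToAuthenticateFrom", [""])[0]
        if not sddl:
            findings.append(("warn", "%s sets no "
                             "msDS-UserAllowedToAuthenticateFrom" % pol_dn))
            continue
        named = silos_named_in_sddl(sddl)
        if silo_name not in named:
            findings.append(("error", "%s: msDS-UserAllowedToAuthenticateFrom "
                             "names silos %r, not %r"
                             % (pol_dn, named, silo_name)))
    return findings


# Constructed sample modelled on the thread: user and client are members,
# the DC carries only the forward link, and the client lacks it.
CONFIG = ("CN=AuthN Policy Configuration,CN=Services,CN=Configuration,"
          "DC=winexample,DC=net")
SILO_DN = "CN=silo1,CN=AuthN Silos," + CONFIG
POLICY_DN = "CN=policy1,CN=AuthN Policies," + CONFIG
USER_DN = "CN=stka,OU=firma,DC=winexample,DC=net"
CLIENT_DN = "CN=WINCLIENT11,OU=firma,DC=winexample,DC=net"
DC_DN = "CN=WIN2022,OU=Domain Controllers,DC=winexample,DC=net"

SAMPLE_SILO = {
    "dn": SILO_DN, "cn": ["silo1"],
    "msDS-AuthNPolicySiloEnforced": ["TRUE"],
    "msDS-UserAuthNPolicy": [POLICY_DN],
    "msDS-AuthNPolicySiloMembers": [USER_DN, CLIENT_DN],
}
SAMPLE_OBJECTS = {
    USER_DN: {"msDS-AssignedAuthNPolicySilo": [SILO_DN]},
    CLIENT_DN: {},                                        # forward link missing
    DC_DN: {"msDS-AssignedAuthNPolicySilo": [SILO_DN]},   # assigned, not member
    POLICY_DN: {"msDS-UserAllowedToAuthenticateFrom": [silo_sddl("silo1")]},
}


def sample_findings():
    return check_silo(SAMPLE_SILO, SAMPLE_OBJECTS)


if __name__ == "__main__":
    for severity, message in sample_findings():
        print("%-5s %s" % (severity, message))
```

Run against a real domain by filling the dicts from ldbsearch output for the silo, its policy and every object named in msDS-AuthNPolicySiloMembers or in the BL; an "error" on a member is the case Jennifer points at (missing forward link), and a "warn" on the DC is exactly the backlink-only entry that can be disregarded.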
