authentication policies in Samba 4.21
Jennifer Sutton
jsutton at samba.org
Tue Nov 5 22:22:14 UTC 2024
On 6/11/24 5:43 am, Stefan Kania via samba-technical wrote:
>
>
> Am 05.11.24 um 11:13 schrieb Stefan Kania via samba-technical:
>> Hi Jennifer
>>
>> Am 04.11.24 um 21:22 schrieb Jennifer Sutton via samba-technical:
>>> On 5/11/24 7:27 am, Stefan Kania via samba-technical wrote:
>>>> Inside the policy (compared to a Windows AD) I'm still missing:
>>>> msDS-UserAllowedToAuthenticateFrom
>>>> msDS-ServiceAllowedToAuthenticateFrom
>>>> It's not possible to set these values with samba-tool
>>>
>>> Have you tried --user-allowed-to-authenticate-from=SDDL and
>>> --service-allowed-to-authenticate-from=SDDL?
>>>
>> No, not up to now. But now I changed the settings. On both, the
>> Windows AD and the Samba AD, all the settings are the same, but it is still
>> not working with Samba AD.
>> The user who is a member of the silo can't login on the computer which
>> is a member of the silo, BUT he also can't login to any other computer in
>> the domain. He is getting the same message, that he is not allowed to
>> login on this computer (which is right for the computer which is a member
>> of the silo). BTW, now it's the first time I'm getting the correct
>> message.
>>
>> All other users also can't login to the computer from the silo,
>> but can on any other computer. They get the message "This computer is
>> protected with an authentication firewall".
>>
Can you post the SDDL you’ve set on the authentication policy?
>>
>>>>
>>>> I'm missing:
>>>> msDS-AssignedAuthNPolicySiloBL for all members
>>>
>>> You don’t set this on the silo. You assign the members to the silo
>>> with ‘samba-tool user auth silo assign <username> [options]’.
>> I know, but this is still the only attribute that is set in the
>> windows AD but not in the Samba AD.
>
> Found something more: if you take a look at the silo from my
> Microsoft-AD you see:
> msDS-AssignedAuthNPolicySiloBL:
> CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
>
> msDS-AssignedAuthNPolicySiloBL:
> CN=stka,OU=firma,DC=winexample,DC=net
>
> msDS-AssignedAuthNPolicySiloBL:
> CN=WIN2022,OU=Domain Controllers,DC=winexample,DC=net
>
> ------------
>
> msDS-AuthNPolicySiloMembers:
> CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
>
> msDS-AuthNPolicySiloMembers:
> CN=stka,OU=firma,DC=winexample,DC=net
>
>
> The domain controller (WIN2022) is listed in the attribute
> msDS-AssignedAuthNPolicySiloBL, but the DC is NOT a member of the silo.
> Only the user and the computer are.
>
> I tried to assign the DC to the policy and make it a member of the silo,
> no changes.
> So still the only difference between windows and samba is the missing
> attribute msDS-AssignedAuthNPolicySiloBL for all members and the DC.
You can disregard the msDS-AssignedAuthNPolicySiloBL attribute; it’s not
used for anything. The important one is msDS-AssignedAuthNPolicySilo,
which should be set on the members of the silo.
Cheers,
Jennifer (she/her)
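As an added illustration (not code from this thread, and not part of Samba or samba-tool), the following script cross-checks a silo's forward member list (msDS-AuthNPolicySiloMembers) against the msDS-AssignedAuthNPolicySilo attribute on each member object, which is the attribute the reply above says matters; the back-link msDS-AssignedAuthNPolicySiloBL is deliberately ignored. The LDIF input is constructed for the example and mirrors the thread's naming (a silo containing a user and a workstation, plus a DC that is assigned but not a member); in practice you would feed it the output of an LDAP search. The DN normalisation also tolerates stray spaces around commas such as the ones in the quoted DNs.

```python
"""Consistency check: silo membership vs. msDS-AssignedAuthNPolicySilo.

Added example, not code from the thread or from Samba. SAMPLE_LDIF is
constructed; the attribute names are the real AD ones discussed above.
"""
from collections import defaultdict

SILO_CLASS = "msDS-AuthNPolicySilo"
MEMBERS_ATTR = "msDS-AuthNPolicySiloMembers"      # forward link on the silo
ASSIGNED_ATTR = "msDS-AssignedAuthNPolicySilo"    # set on each member; this one matters
BACKLINK_ATTR = "msDS-AssignedAuthNPolicySiloBL"  # back-link on the silo; informational only

# Constructed sample data (hypothetical silo name "Silo1").
SILO_DN = ("CN=Silo1,CN=AuthN Silos,CN=AuthN Policy Configuration,"
           "CN=Services,CN=Configuration,DC=winexample,DC=net")
SAMPLE_LDIF = f"""\
dn: {SILO_DN}
objectClass: {SILO_CLASS}
{MEMBERS_ATTR}: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
{MEMBERS_ATTR}: CN=stka,OU=firma,DC=winexample,DC=net
{BACKLINK_ATTR}: CN=WIN2022,OU=Domain Controllers,DC=winexample ,DC=net

dn: CN=stka,OU=firma,DC=winexample,DC=net
objectClass: user
{ASSIGNED_ATTR}: {SILO_DN}

dn: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
objectClass: computer

dn: CN=WIN2022,OU=Domain Controllers,DC=winexample ,DC=net
objectClass: computer
{ASSIGNED_ATTR}: {SILO_DN}
"""


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value'
    lines, multi-valued attributes collected into lists. Continuation lines
    (leading space) are joined; base64 ('::') values are not handled."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(dict(current))
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr.strip()].append(value.strip())
        last_attr = attr.strip()
    if current:
        entries.append(dict(current))
    return entries


def dn_key(dn):
    """Normalise a DN for comparison: AD DN matching is case-insensitive,
    and extraction artefacts like 'DC=winexample ,DC=net' should not matter."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_silos(entries):
    """For every silo object, report
       'missing_assignment':  members lacking ASSIGNED_ATTR pointing at the silo
       'unlisted_assignment': objects assigned to the silo but not in its member list
    Either condition means the silo will not take effect as intended for that object."""
    by_dn = {dn_key(e["dn"][0]): e for e in entries}
    findings = {}
    for silo in (e for e in entries if SILO_CLASS in e.get("objectClass", [])):
        silo_dn = silo["dn"][0]
        skey = dn_key(silo_dn)
        members = {dn_key(m) for m in silo.get(MEMBERS_ATTR, [])}
        missing = [m for m in sorted(members)
                   if skey not in [dn_key(v) for v in by_dn.get(m, {}).get(ASSIGNED_ATTR, [])]]
        unlisted = sorted(k for k, obj in by_dn.items()
                          if skey in [dn_key(v) for v in obj.get(ASSIGNED_ATTR, [])]
                          and k not in members)
        findings[silo_dn] = {"missing_assignment": missing,
                             "unlisted_assignment": unlisted}
    return findings


if __name__ == "__main__":
    for silo, result in check_silos(parse_ldif(SAMPLE_LDIF)).items():
        print(silo)
        for kind, dns in result.items():
            print(f"  {kind}: {dns or 'none'}")
```

Run against the constructed data, the check flags WINCLIENT11 (listed as a member but never assigned the silo) and WIN2022 (assigned the silo but not a member), which is exactly the pair of conditions to look for when a silo behaves differently on two directories.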