authentication policies in Samba 4.21
Stefan Kania
stefan at kania-online.de
Wed Nov 6 15:10:07 UTC 2024
Hi Jennifer,
On 05.11.24 at 23:22, Jennifer Sutton via samba-technical wrote:
> On 6/11/24 5:43 am, Stefan Kania via samba-technical wrote:
>>
>>
>> On 05.11.24 at 11:13, Stefan Kania via samba-technical wrote:
>>> Hi Jennifer
>>>
>>> On 04.11.24 at 21:22, Jennifer Sutton via samba-technical wrote:
>>>> On 5/11/24 7:27 am, Stefan Kania via samba-technical wrote:
>>>>> Inside the policy (compared to a Windows AD) I am still missing:
>>>>> msDS-UserAllowedToAuthenticateFrom
>>>>> msDS-ServiceAllowedToAuthenticateFrom
>>>>> It's not possible to set these values with samba-tool
>>>>
>>>> Have you tried --user-allowed-to-authenticate-from=SDDL and
>>>> --service-allowed-to-authenticate-from=SDDL?
>>>>
>>> No, not up to now. But now I changed the settings. On both the
>>> Windows AD and the Samba AD all the settings are the same, but it is
>>> still not working with Samba AD.
>>> The user who is a member of the silo can't log in on the computer
>>> which is a member of the silo, BUT he also can't log in to any other
>>> computer in the domain. He is getting the same message, that he is
>>> not allowed to log in on this computer (which is right for the
>>> computer that is a member of the silo). BTW, now it's the first time
>>> I'm getting the correct message.
>>>
>>> All other users also can't log in to the computer from the silo, but
>>> they can on any other computer. They are getting the message "This
>>> computer is protected with an authentication firewall".
>>>
>
> Can you post the SDDL you’ve set on the authentication policy?
Yes, here they are:
--------------------
"msDS-ComputerAllowedToAuthenticateTo":
"O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-silo\"))",
"msDS-ServiceAllowedToAuthenticateFrom":
"O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-silo\"))",
"msDS-ServiceAllowedToAuthenticateTo":
"O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-silo\"))",
"msDS-UserAllowedToAuthenticateFrom":
"O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-silo\"))",
"msDS-UserAllowedToAuthenticateTo":
"O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-silo\"))",
--------------------
Exactly the same as in my Windows AD.
>
>>>
>>>>>
>>>>> I'm missing:
>>>>> msDS-AssignedAuthNPolicySiloBL for all members
>>>>
>>>> You don’t set this on the silo. You assign the members to the silo
>>>> with ‘samba-tool user auth silo assign <username> [options]’.
>>> I know, but this is still the only attribute that is set in the
>>> Windows AD but not in the Samba AD.
>>
>> Found something more: if you take a look at the silo in my
>> Microsoft AD you see:
>> msDS-AssignedAuthNPolicySiloBL:
>> CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
>>
>> msDS-AssignedAuthNPolicySiloBL:
>> CN=stka,OU=firma,DC=winexample,DC=net
>>
>> msDS-AssignedAuthNPolicySiloBL:
>> CN=WIN2022,OU=Domain Controllers,DC=winexample,DC=net
>>
>> ------------
>>
>> msDS-AuthNPolicySiloMembers:
>> CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
>>
>> msDS-AuthNPolicySiloMembers:
>> CN=stka,OU=firma,DC=winexample,DC=net
>>
>>
>> The domain controller (WIN2022) is listed with the attribute
>> msDS-AssignedAuthNPolicySiloBL, but the DC is NOT a member of the
>> silo. Only the user and the computer are.
>>
>> I tried to assign the DC to the policy and make it a member of the
>> silo, no changes.
>> So still the only difference between Windows and Samba is the missing
>> attribute msDS-AssignedAuthNPolicySiloBL for all members and the DC.
>
> You can disregard the msDS-AssignedAuthNPolicySiloBL attribute; it’s not
> used for anything. The important one is msDS-AssignedAuthNPolicySilo,
> which should be set on the members of the silo.
OK, it also looks strange to me. It makes no sense, but as I said, that's
the only difference to the Samba AD AND the only place where the DC is used.
Stefan
>
> Cheers,
> Jennifer (she/her)
>
>
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
---------------------
There is no CLOUD, only other people's computers
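The five SDDL strings quoted in the message above all grant the control-access right to Everyone, gated on a single claim test. The following Python is an added example (not code from Samba, and not written by either poster) that parses exactly that kind of SDDL and reports whether each policy attribute admits anyone other than members of the expected silo. It assumes the `\"` in the quoted values are JSON escaping from the samba-tool output and removes them; the attribute names are the real AD attribute names, the silo name `win11-silo` is the one from the thread, and the parser understands only the SDDL subset those strings use (`O:`/`G:`/`D:` sections, `A` and `XA` ACEs, claim comparisons joined by `&&` / `||`).

```python
"""Audit an authentication policy's SDDL for silo-only access.

Added example for this thread, not Samba code.  Understands only the SDDL
subset the quoted policy uses.  'SY' = Local System, 'WD' = Everyone,
'CR' = the control-access right, 'XA' = callback (conditional) allow ACE.
"""
import re

SILO_CLAIM = "@USER.ad://ext/AuthenticationSilo"
SILO_ACE = '(XA;OICI;CR;;;WD;(%s == "win11-silo"))' % SILO_CLAIM

# Constructed from the thread (JSON escaping removed): all five attributes carry the same SDDL.
POLICY = {name: "O:SYG:SYD:" + SILO_ACE for name in (
    "msDS-ComputerAllowedToAuthenticateTo", "msDS-ServiceAllowedToAuthenticateFrom",
    "msDS-ServiceAllowedToAuthenticateTo", "msDS-UserAllowedToAuthenticateFrom",
    "msDS-UserAllowedToAuthenticateTo",
)}

SDDL_RE = re.compile(r"O:([^:]+?)G:([^:]+?)D:([A-Z]*)(.*)")
TOKEN_RE = re.compile(r'\s*(\(|\)|&&|\|\||==|!=|"[^"]*"|@[A-Z]+\.[^\s()=!]+|\d+)')


def split_aces(dacl):
    """Split '(ace)(ace)...' into ACE bodies, honouring nesting and quoted strings."""
    aces, depth, start, in_str = [], 0, 0, False
    for i, ch in enumerate(dacl):
        if ch == '"':
            in_str = not in_str
        elif in_str:
            continue
        elif ch == "(":
            start, depth = (i + 1 if depth == 0 else start), depth + 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                aces.append(dacl[start:i])
    if depth or in_str:
        raise ValueError("unbalanced parentheses or quotes: " + dacl)
    return aces


def parse_sddl(sddl):
    """Return ACE dicts; an XA ACE keeps its condition text (outer parens stripped)."""
    m = SDDL_RE.fullmatch(sddl)
    if not m:
        raise ValueError("unsupported SDDL layout: " + sddl)
    aces = []
    for body in split_aces(m.group(4)):
        f = body.split(";", 6)  # type;flags;rights;object;inherit;sid[;(condition)]
        if len(f) < 6:
            raise ValueError("malformed ACE: " + body)
        aces.append({"type": f[0], "rights": f[2], "sid": f[5],
                     "condition": f[6][1:-1] if len(f) == 7 else None})
    return aces


def tokenize(expr):
    """Tokenize a condition; every non-blank character must belong to a token."""
    toks = TOKEN_RE.findall(expr)
    if re.sub(r"\s", "", "".join(toks)) != re.sub(r"\s", "", expr):
        raise ValueError("cannot tokenize condition: " + expr)
    return toks


def parse_expr(toks, i=0):
    """expr := term (('&&' | '||') term)*   ->  (ast, next index)"""
    left, i = parse_term(toks, i)
    while i < len(toks) and toks[i] in ("&&", "||"):
        right, j = parse_term(toks, i + 1)
        left, i = (toks[i], left, right), j
    return left, i


def parse_term(toks, i):
    """term := '(' expr ')' | claim ('==' | '!=') value"""
    if i < len(toks) and toks[i] == "(":
        node, i = parse_expr(toks, i + 1)
        if i >= len(toks) or toks[i] != ")":
            raise ValueError("missing ')' in condition")
        return node, i + 1
    if i + 2 >= len(toks) or not toks[i].startswith("@") or toks[i + 1] not in ("==", "!="):
        raise ValueError("unsupported condition near: " + " ".join(toks[i:i + 3]))
    return ("cmp", toks[i], toks[i + 1], toks[i + 2].strip('"')), i + 3


def comparisons(ast):
    """Flatten an AST into its (claim, op, value) leaves."""
    if ast[0] == "cmp":
        return [ast[1:]]
    return comparisons(ast[1]) + comparisons(ast[2])


def audit_attribute(sddl, expected_silo):
    """Findings for one attribute; [] means only expected_silo members pass."""
    findings = []
    allow = [a for a in parse_sddl(sddl) if a["type"] in ("A", "XA")]
    if not allow:
        findings.append("no allow ACE: nobody is permitted")
    for a in allow:
        if a["type"] == "A":
            findings.append("unconditional allow for " + a["sid"])
            continue
        ast, _ = parse_expr(tokenize(a["condition"]))
        silos = [v for c, op, v in comparisons(ast) if c == SILO_CLAIM and op == "=="]
        if not silos:
            findings.append("conditional ACE never tests " + SILO_CLAIM)
        findings += ["ACE keys on silo %r, expected %r" % (v, expected_silo)
                     for v in silos if v != expected_silo]
        if ast[0] == "||":  # a top-level OR admits principals that fail the silo test
            findings.append("top-level || widens the grant beyond the silo test")
    return findings


def audit_policy(policy, expected_silo):
    return {n: audit_attribute(s, expected_silo) for n, s in policy.items()}
```

Calling `audit_policy(POLICY, "win11-silo")` returns an empty finding list for every attribute, i.e. each DACL grants access only when the caller's AuthenticationSilo claim is `win11-silo`, and no unconditional or OR-widened ACE is present. That only confirms what the SDDL says; whether the DC actually evaluates it during authentication is the separate question the thread is chasing.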