authentication policies in Samba 4.21

Stefan Kania stefan at kania-online.de
Wed Nov 6 15:10:07 UTC 2024


Hi Jennifer,


On 05.11.24 at 23:22, Jennifer Sutton via samba-technical wrote:
> On 6/11/24 5:43 am, Stefan Kania via samba-technical wrote:
>>
>>
>> On 05.11.24 at 11:13, Stefan Kania via samba-technical wrote:
>>> Hi Jennifer
>>>
>>> On 04.11.24 at 21:22, Jennifer Sutton via samba-technical wrote:
>>>> On 5/11/24 7:27 am, Stefan Kania via samba-technical wrote:
>>>>> Inside the policy (compared to a Windows AD) I'm still missing:
>>>>> msDS-UserAllowedToAuthenticateFrom
>>>>> msDS-ServiceAllowedToAuthenticateFrom
>>>>> It's not possible to set these values with samba-tool
>>>>
>>>> Have you tried --user-allowed-to-authenticate-from=SDDL and
>>>> --service-allowed-to-authenticate-from=SDDL?
>>>>
>>> No, not up to now. But now I changed the settings. On both the
>>> Windows AD and the Samba AD all the settings are the same, but it's still
>>> not working with the Samba AD.
>>> The user who is a member of the silo can't log in on the computer that
>>> is a member of the silo, BUT he also can't log in to any other computer
>>> in the domain. He is getting the same message, that he is not allowed
>>> to log in on this computer (which is right for the computer that is a
>>> member of the silo). BTW, now it's the first time I'm getting the
>>> correct message.
>>>
>>> All other users also can't log in to the computer from the silo,
>>> but they can on any other computer. They get the message "This computer is
>>> protected with an authentication firewall".
>>>
> 
> Can you post the SDDL you’ve set on the authentication policy?
Yes, here they are:
--------------------
   "msDS-ComputerAllowedToAuthenticateTo": "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-silo\"))",

   "msDS-ServiceAllowedToAuthenticateFrom": "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-silo\"))",

   "msDS-ServiceAllowedToAuthenticateTo": "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-silo\"))",

   "msDS-UserAllowedToAuthenticateFrom": "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-silo\"))",

   "msDS-UserAllowedToAuthenticateTo": "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-silo\"))",

--------------------
Exactly the same as in my Windows AD.

> 
>>>
>>>>>
>>>>> I'm missing:
>>>>> msDS-AssignedAuthNPolicySiloBL for all members
>>>>
>>>> You don’t set this on the silo. You assign the members to the silo 
>>>> with ‘samba-tool user auth silo assign <username> [options]’.
>>> I know, but this is still the only attribute that is set in the
>>> Windows AD but not in the Samba AD.
>>
>> Found something more: if you take a look at the silo from my 
>> Microsoft-AD you see:
>> msDS-AssignedAuthNPolicySiloBL: 
>> CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
>>
>> msDS-AssignedAuthNPolicySiloBL:
>> CN=stka,OU=firma,DC=winexample,DC=net
>>
>> msDS-AssignedAuthNPolicySiloBL:
>> CN=WIN2022,OU=Domain Controllers,DC=winexample ,DC=net
>>
>> ------------
>>
>> msDS-AuthNPolicySiloMembers:
>> CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
>>
>> msDS-AuthNPolicySiloMembers:
>> CN=st ka,OU=firma,DC=winexample,DC=net
>>
>>
>> The domain controller (WIN2022) is listed with the attribute
>> msDS-AssignedAuthNPolicySiloBL, but the DC is NOT a member of the silo.
>> Only the user and the computer are.
>>
>> I tried to assign the DC to the policy and make it a member of the
>> silo; no change.
>> So the only difference between Windows and Samba is still the missing
>> attribute msDS-AssignedAuthNPolicySiloBL for all members and the DC.
> 
> You can disregard the msDS-AssignedAuthNPolicySiloBL attribute; it’s not 
> used for anything. The important one is msDS-AssignedAuthNPolicySilo, 
> which should be set on the members of the silo.
Ok, it also looks strange to me. It makes no sense, but as I said, that's
the only difference from the Samba AD AND the only place where the DC is used.

Stefan

> 
> Cheers,
> Jennifer (she/her)
> 
> 

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

---------------------
There is no CLOUD, only other people's computers
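As an added illustration (not code from the thread, from Samba or from Windows), a small Python model of how the conditional ACE in the SDDL quoted above is checked against a user's AuthenticationSilo claim. The parser only handles the single-comparison ACE shape shown on this page; the claim name and the silo value are the ones from the thread, and the deny-wins / unknown-claim-skips-the-ACE rules are assumptions about the evaluation order modelled here.

```python
import re

# Constructed copy of the policy value quoted in the thread.
POLICY_SDDL = ('O:SYG:SYD:(XA;OICI;CR;;;WD;'
               '(@USER.ad://ext/AuthenticationSilo == "win11-silo"))')

# ACE: (type;flags;rights;object_guid;inherit_guid;sid;(condition))
# The lazy condition match does not handle nested parentheses.
ACE_RE = re.compile(r'\((XA|XD|A|D);([^;]*);([^;]*);([^;]*);([^;]*);'
                    r'([^;()]*)(?:;\((.*?)\))?\)')
# Only "@USER.<claim> == "value"" / "!=" comparisons are supported.
COND_RE = re.compile(r'^@USER\.(\S+)\s*(==|!=)\s*"([^"]*)"$')

def parse_sddl(sddl):
    """Split owner, group and the DACL's ACEs out of a simple SDDL string."""
    m = re.match(r'O:(\w+)G:(\w+)D:(.*)$', sddl)
    if not m:
        raise ValueError("unsupported SDDL layout")
    owner, group, dacl = m.groups()
    aces = []
    for ace in ACE_RE.finditer(dacl):
        ace_type, flags, rights, _obj, _inh, sid, cond = ace.groups()
        aces.append({"type": ace_type, "flags": flags, "rights": rights,
                     "sid": sid, "condition": cond})
    return {"owner": owner, "group": group, "aces": aces}

def evaluate_condition(cond, user_claims):
    """True/False for the comparison; None when the claim is absent, in
    which case the ACE is treated as not applicable (neither allow nor deny)."""
    m = COND_RE.match(cond.strip())
    if not m:
        raise ValueError("unsupported condition: " + cond)
    attr, op, value = m.groups()
    if attr not in user_claims:
        return None
    return (user_claims[attr] == value) == (op == "==")

def authentication_allowed(sddl, user_claims):
    """Walk the DACL: an applicable deny ACE wins, an applicable allow ACE
    for Everyone (WD) grants, and with no applicable allow the result is deny."""
    granted = False
    for ace in parse_sddl(sddl)["aces"]:
        if ace["sid"] != "WD":          # this model only handles Everyone ACEs
            continue
        cond = ace["condition"]
        holds = True if cond is None else evaluate_condition(cond, user_claims)
        if not holds:                   # False or None: ACE does not apply
            continue
        if ace["type"] in ("D", "XD"):
            return False
        granted = True
    return granted
```

Running `authentication_allowed(POLICY_SDDL, {"ad://ext/AuthenticationSilo": "win11-silo"})` grants, while a user with another silo value or no silo claim at all is refused, which is the "authentication firewall" outcome every user outside the silo sees in the thread.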
