authentication policies in Samba 4.21
Stefan Kania
stefan at kania-online.de
Fri Oct 11 17:49:47 UTC 2024
Hi Douglas,
On 11.10.24 at 03:36, Douglas Bagnall wrote:
> On 11/10/24 10:21, Douglas Bagnall via samba-technical wrote:
>> hi Stefan,
>>
>> On 11/10/24 05:11, Stefan Kania via samba-technical wrote:
>>> I'm just testing how things are going with the auth policies in 4.21,
>>> and I see it's now possible to set conditions with:
>>> user-allowed-to-authenticate-to
>>> ...
>>>
>>> When I set a condition I see:
>>> "msDS-ComputerAllowedToAuthenticateTo": "O:SYG:SYD:(XA;OICI;CR;;;WD;
>>> (@USER.ad://ext/AuthenticationSilo == \"win11-computer\"))",
>>> I can allow the users from the silo to authenticate
>>> But in the Windows-world it's possible to disallow the
>>> authentication, then it looks like this:
>>> "msDS-ComputerAllowedToAuthenticateTo": "O:SYG:SYD:(XA;OICI;CR;;;WD;
>>> (@USER.ad://ext/AuthenticationSilo != \"win11-computer\"))",
>>>
>>>
>>> Am I missing something or is it not yet possible?
>
> OK, now I see that maybe we are talking about different things.
>
> When you say "possible", you mean "possible using samba-tool or something".
>
Yes, exactly :-)
> I was thinking more along the lines of "will it work if it gets in this
> state?".
>
> In that case, I think you are looking for something like this:
>
> samba-tool domain auth policy modify \
> --name foo \
> --user-allowed-to-authenticate-to="O:SYG:SYD:..."
>
> The other way is a shortcut to allow the most common thing.
>
That's what is missing. What is needed is another option to:
samba-tool domain auth policy computer-allowed-to-authenticate-to set \
    --by-silo=win11-computer --name=win11
Something like --deny and --allow. That's, by the way, how it is done on a
Windows system.
Take a look at this howto:
https://thesleepyadmins.com/2024/07/16/active-directory-authentication-policies-and-authentication-policy-silos/
You will find a picture (near the end) named "Create control
conditions". This picture shows that you can choose between allow and
deny.
I tried to set XD or != via an LDIF file:
----------------
dn: CN=win11,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
changetype: modify
replace: msDS-ComputerAllowedToAuthenticateTo
msDS-ComputerAllowedToAuthenticateTo: "O:SYG:SYD:(XD;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-computer\"))",
----------------
But when I try to view the policy I get:
----------------
root at dc01:~# samba-tool domain auth policy view --name win11
ERROR(runtime): uncaught exception - (11, 'Buffer Size Error')
  File "/usr/lib/python3/dist-packages/sernet/samba/netcmd/__init__.py", line 353, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/sernet/samba/netcmd/domain/auth/policy/policy.py", line 163, in run
    policy = AuthenticationPolicy.get(ldb, cn=name)
  File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/model.py", line 286, in get
    return cls.query(samdb, **kwargs).get()
  File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/query.py", line 87, in get
    return self._from_message(self.result[0])
  File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/query.py", line 65, in _from_message
    return model._from_message(self.samdb, message)
  File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/model.py", line 148, in _from_message
    obj._apply(samdb, message)
  File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/model.py", line 162, in _apply
    setattr(self, attr, field.from_db_value(samdb, message[field.name]))
  File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/fields.py", line 402, in from_db_value
    return ndr_unpack(security.descriptor, value[0])
  File "/usr/lib/python3/dist-packages/sernet/samba/ndr.py", line 48, in ndr_unpack
    ndr_unpack(data, allow_remaining=allow_remaining)
----------------
And here again is the working condition from a Windows domain:
-----------
msDS-UserAllowedToAuthenticateFrom: O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.example://ext/AuthenticationSilo != "winclient-silo"))
-----------
As you can see, it stays "XA"; only the "==" changes to "!=", and this
is handled by the "deny" or "allow" option in the condition.
Stefan
> Douglas
>
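The allow/deny distinction discussed in this thread (XA with "==" versus XA with "!=", which is how Windows writes a deny condition, versus an XD ACE), as an added example that is not part of the thread and not Samba's code: a small Python parser for the single-comparison conditional ACEs shown above, plus an access check that applies the MS-DTYP rules for conditional ACEs. The descriptor strings are the ones from the thread with the JSON escaping removed; the SIDs, the "servers" silo name and the token layout are constructed for the example.

```python
"""Parse and evaluate SDDL conditional (XA/XD) ACEs of the kind shown above.

Added example, not Samba's code. Standard library only; all tokens are
constructed inline. Only the single-comparison condition form used in the
thread (@USER.<attr> == "value" / != "value") is supported.
"""
import re

SDDL_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<dacl>.*)$")
ACE_RE = re.compile(
    r"^\((?P<type>X[AD]);(?P<flags>[A-Z]*);(?P<rights>[A-Za-z0-9]*);"
    r"(?P<oguid>[^;]*);(?P<iguid>[^;]*);(?P<sid>[^;]*);\((?P<cond>.*)\)\)$"
)
COND_RE = re.compile(r'^@USER\.(?P<attr>\S+)\s*(?P<op>==|!=)\s*"(?P<value>[^"]*)"$')


def split_aces(dacl):
    """Return the top-level '(...)' groups of a DACL string; conditions nest parens."""
    aces, depth, start = [], 0, 0
    for i, ch in enumerate(dacl):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                aces.append(dacl[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced parentheses in DACL")
    return aces


def parse_rights(rights):
    """'CR', 'GACR', ... -> set of two-letter right codes; a hex mask is kept whole."""
    if rights.startswith("0x"):
        return {rights}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_sddl(sddl):
    """Return (owner, group, [ace dicts]) for an O:..G:..D:(...) string."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an O:..G:..D:.. security descriptor string")
    dacl = m.group("dacl")
    dacl = dacl[dacl.index("("):] if "(" in dacl else ""  # drop DACL flags such as PAI
    aces = []
    for text in split_aces(dacl):
        a = ACE_RE.match(text)
        if not a:
            raise ValueError("unsupported ACE: " + text)
        c = COND_RE.match(a.group("cond"))
        if not c:
            raise ValueError("unsupported condition: " + a.group("cond"))
        aces.append({"type": a.group("type"), "rights": parse_rights(a.group("rights")),
                     "sid": a.group("sid"), "attr": c.group("attr"),
                     "op": c.group("op"), "value": c.group("value")})
    return m.group("owner"), m.group("group"), aces


def ace_applies(ace, token):
    """A conditional ACE applies only if the trustee matches AND the condition is TRUE.
    Per MS-DTYP a missing user attribute makes the comparison UNKNOWN, so the ACE is
    skipped for both '==' and '!='."""
    if ace["sid"] != "WD" and ace["sid"] not in token["sids"]:  # WD = Everyone
        return False
    actual = token["claims"].get(ace["attr"])
    if actual is None:
        return False
    equal = actual == ace["value"]
    return equal if ace["op"] == "==" else not equal


def access_check(sddl, token, requested="CR"):
    """Walk the DACL in order: an applicable XD that covers the right wins; otherwise
    the right must be granted by some applicable XA. No allow ACE -> denied."""
    _, _, aces = parse_sddl(sddl)
    granted = set()
    for ace in aces:
        if not ace_applies(ace, token):
            continue
        if ace["type"] == "XD":
            if requested in ace["rights"]:
                return False
        else:
            granted |= ace["rights"]
    return requested in granted


# Descriptors from the thread, JSON escaping removed (assumed to be plain SDDL).
SILO = "ad://ext/AuthenticationSilo"
ALLOW_IN_SILO = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.%s == "win11-computer"))' % SILO
ALLOW_NOT_IN_SILO = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.%s != "win11-computer"))' % SILO
DENY_ONLY = 'O:SYG:SYD:(XD;OICI;CR;;;WD;(@USER.%s == "win11-computer"))' % SILO

# Constructed tokens: the SIDs and the "servers" silo are invented for this example.
IN_SILO = {"sids": ["S-1-5-21-1-2-3-1105"], "claims": {SILO: "win11-computer"}}
OTHER_SILO = {"sids": ["S-1-5-21-1-2-3-1106"], "claims": {SILO: "servers"}}
NO_SILO = {"sids": ["S-1-5-21-1-2-3-1107"], "claims": {}}


def demo():
    """Evaluate every constructed token against every descriptor."""
    tokens = {"in_silo": IN_SILO, "other_silo": OTHER_SILO, "no_silo": NO_SILO}
    policies = {"XA ==": ALLOW_IN_SILO, "XA !=": ALLOW_NOT_IN_SILO, "XD ==": DENY_ONLY}
    return {p: {t: access_check(s, tok) for t, tok in tokens.items()}
            for p, s in policies.items()}


if __name__ == "__main__":
    for policy, results in demo().items():
        print(policy, results)
```

Two points the evaluation makes visible: the XD-only descriptor grants the control-access right to nobody, silo member or not, because a deny ACE can only remove what an allow ACE would otherwise grant, which is why the Windows-generated form keeps XA and flips the operator; and a principal with no silo claim at all fails the "XA !=" policy too, since the comparison is UNKNOWN rather than TRUE, so "everyone outside silo X" really means "everyone carrying a silo claim other than X".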