authentication policies in Samba 4.21

Stefan Kania stefan at kania-online.de
Fri Oct 11 17:49:47 UTC 2024


Hi Douglas,

On 11.10.24 at 03:36, Douglas Bagnall wrote:
> On 11/10/24 10:21, Douglas Bagnall via samba-technical wrote:
>> hi Stefan,
>>
>> On 11/10/24 05:11, Stefan Kania via samba-technical wrote:
>>> I'm just testing how things are going with the auth policies in 4.21, and 
>>> I see now it's possible to set conditions with:
>>> user-allowed-to-authenticate-to
>>> ...
>>>
>>> When I set a condition I see:
>>> "msDS-ComputerAllowedToAuthenticateTo": "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-computer\"))",
>>> I can allow the users from the silo to authenticate
>>> But in the Windows world it's possible to disallow the 
>>> authentication; then it looks like this:
>>> "msDS-ComputerAllowedToAuthenticateTo": "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != \"win11-computer\"))",
>>>
>>>
>>> Am I missing something or is it not yet possible?
> 
> OK, now I see that maybe we are talking about different things.
> 
> When you say "possible", you mean "possible using samba-tool or something".
> 
Yes, exactly :-)
> I was thinking more along the lines of "will it work if it gets in this 
> state?".
> 
> In that case, I think you are looking for something like this:
> 
>      samba-tool domain auth policy modify \
>          --name foo \
>          --user-allowed-to-authenticate-to="O:SYG:SYD:..."
> 
> The other way is a shortcut to allow the most common thing.
> 
That's what is missing. What is needed is another option to:

samba-tool domain auth policy computer-allowed-to-authenticate-to set --by-silo=win11-computer --name=win11

Something like --deny and --allow. That's, by the way, how it is done on a 
Windows system.

Take a look at this howto:
https://thesleepyadmins.com/2024/07/16/active-directory-authentication-policies-and-authentication-policy-silos/

You will find a picture (nearly at the end) named "Create control 
conditions". This picture shows that you can choose between allow or 
deny.

I tried to set the XD or != via an LDIF file:
----------------
dn: CN=win11,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
changetype: modify
replace: msDS-ComputerAllowedToAuthenticateTo
msDS-ComputerAllowedToAuthenticateTo: "O:SYG:SYD:(XD;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-computer\"))",
----------------

But when I try to view the policy I get:
----------------
root@dc01:~# samba-tool domain auth policy view --name win11
ERROR(runtime): uncaught exception - (11, 'Buffer Size Error')
  File "/usr/lib/python3/dist-packages/sernet/samba/netcmd/__init__.py", line 353, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/sernet/samba/netcmd/domain/auth/policy/policy.py", line 163, in run
    policy = AuthenticationPolicy.get(ldb, cn=name)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/model.py", line 286, in get
    return cls.query(samdb, **kwargs).get()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/query.py", line 87, in get
    return self._from_message(self.result[0])
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/query.py", line 65, in _from_message
    return model._from_message(self.samdb, message)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/model.py", line 148, in _from_message
    obj._apply(samdb, message)
  File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/model.py", line 162, in _apply
    setattr(self, attr, field.from_db_value(samdb, message[field.name]))
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/fields.py", line 402, in from_db_value
    return ndr_unpack(security.descriptor, value[0])
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/sernet/samba/ndr.py", line 48, in ndr_unpack
    ndr_unpack(data, allow_remaining=allow_remaining)
----------------
And here again is the working condition from a Windows domain:
-----------
msDS-UserAllowedToAuthenticateFrom: O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.example://ext/AuthenticationSilo != "winclient-silo"))
-----------
As you can see, it stays "XA"; only the operator changes from "==" to "!=", and this 
is handled by the "deny" or "allow" option in the condition.

Stefan

> Douglas
> 
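An added example (my own code, not from the Samba project or from this thread) that builds the allow-by-silo and deny-by-silo conditions discussed above as SDDL and parses one back, encoding the observation that "deny" stays an XA ACE and only flips "==" to "!=". The parser also refuses the two ways the LDIF above differs from the Windows value (a value wrapped in quotes with a trailing comma, and an XD ACE); that either of those is what produced the Buffer Size Error is my assumption, not something the thread establishes. The namespace after @USER. ("ad" for Samba, "example" for the Windows domain) is taken as a parameter.

```python
import re

# Shape of the conditional ACE seen in the thread (assumed to be the only
# form handled here):
#   O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.<ns>://ext/AuthenticationSilo <op> "<silo>"))
_ACE_RE = re.compile(
    r'^O:SYG:SYD:\(XA;OICI;CR;;;WD;'
    r'\(@USER\.(?P<ns>[A-Za-z0-9.-]+)://ext/AuthenticationSilo '
    r'(?P<op>==|!=) "(?P<silo>[^"]+)"\)\)$'
)


def silo_condition_sddl(silo: str, mode: str, namespace: str = "ad") -> str:
    """Build the allow-by-silo or deny-by-silo condition as SDDL.

    'allow' -> XA with '=='; 'deny' -> XA with '!=' (the form the Windows
    domain in the thread stores). The silo name is validated because it is
    interpolated into the condition string.
    """
    if mode not in ("allow", "deny"):
        raise ValueError(f"mode must be 'allow' or 'deny', got {mode!r}")
    if not re.fullmatch(r"[A-Za-z0-9._ -]+", silo):
        raise ValueError(f"unexpected characters in silo name {silo!r}")
    op = "==" if mode == "allow" else "!="
    return ('O:SYG:SYD:(XA;OICI;CR;;;WD;'
            f'(@USER.{namespace}://ext/AuthenticationSilo {op} "{silo}"))')


def parse_silo_condition(sddl: str) -> dict:
    """Decode a condition of the shape above into namespace, silo and mode.

    Refuses a value wrapped in quotes or ending in a comma (as copied from
    JSON output) and an XD ACE, since deny is expressed as XA with '!='.
    """
    s = sddl.strip()
    if s.startswith('"') or s.endswith(","):
        raise ValueError("store the bare SDDL string, without surrounding "
                         "quotes or a trailing comma")
    if s.startswith("O:SYG:SYD:(XD;"):
        raise ValueError("deny is expressed as XA with '!=', not as an XD ACE")
    m = _ACE_RE.match(s)
    if m is None:
        raise ValueError("SDDL does not match the expected silo condition")
    return {"namespace": m["ns"], "silo": m["silo"],
            "mode": "allow" if m["op"] == "==" else "deny"}
```

Calling `parse_silo_condition(silo_condition_sddl("win11-computer", "deny"))` round-trips to mode "deny", and feeding it the Windows value from the thread yields namespace "example", silo "winclient-silo", mode "deny".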