authentication policies in Samba 4.21
Jennifer Sutton
jsutton at samba.org
Sat Oct 12 00:53:06 UTC 2024
On 12/10/24 6:49 am, Stefan Kania via samba-technical wrote:
> Hi Douglas,
>
> Am 11.10.24 um 03:36 schrieb Douglas Bagnall:
>> On 11/10/24 10:21, Douglas Bagnall via samba-technical wrote:
>>> hi Stefan,
>>>
>>> On 11/10/24 05:11, Stefan Kania via samba-technical wrote:
>>>> I'm just testing how it's going on with the auth-policies in 4.21
>>>> and I see now it's possible to set conditions with:
>>>> user-allowed-to-authenticate-to
>>>> ...
>>>>
>>>> When I set a condition I see:
>>>> "msDS-ComputerAllowedToAuthenticateTo": "O:SYG:SYD:(XA;OICI;CR;;;WD;
>>>> (@USER.ad://ext/AuthenticationSilo == \"win11-computer\"))",
>>>> I can allow the users from the silo to authenticate
>>>> But in the Windows-world it's possible to disallow the
>>>> authentication, then it looks like this:
>>>> "msDS-ComputerAllowedToAuthenticateTo": "O:SYG:SYD:(XA;OICI;CR;;;WD;
>>>> (@USER.ad://ext/AuthenticationSilo != \"win11-computer\"))",
>>>>
>>>>
>>>> Am I missing something or is it not yet possible?
>>
>> OK, now I see that maybe we are talking about different things.
>>
>> When you say "possible", you mean "possible using samba-tool or
>> something".
>>
> Yes, exactly :-)
>> I was thinking more along the lines of "will it work if it gets in
>> this state?".
>>
>> In that case, I think you are looking for something like this:
>>
>> samba-tool domain auth policy modify \
>> --name foo \
>> --user-allowed-to-authenticate-to="O:SYG:SYD:..."
>>
>> The other way is a shortcut to allow the most common thing.
>>
> That's what is missing. What is needed is another option to:
>
> samba-tool domain auth policy computer-allowed-to-authenticate-to set
> --by-silo=win11-computer --name=win11
>
> Something like --deny and --allow. That's by the way how it is done on a
> Windows-System.
>
> Take a look at this howto:
> https://thesleepyadmins.com/2024/07/16/active-directory-authentication-policies-and-authentication-policy-silos/
>
> You will find a picture (nearly at the end) named "Create control
> conditions". This picture is showing that you can choose between allow or
> deny.
>
> I try to set the XD or != via an ldif-file:
> ----------------
> dn: CN=win11,CN=AuthN Policies,CN=AuthN Policy
> Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> changetype: modify
> replace: msDS-ComputerAllowedToAuthenticateTo
> msDS-ComputerAllowedToAuthenticateTo:
> "O:SYG:SYD:(XD;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo ==
> \"win11-computer\"))",
> ----------------
>
> But when I try to view the policy I get:
> ----------------
> root at dc01:~# samba-tool domain auth policy view --name win11
> ERROR(runtime): uncaught exception - (11, 'Buffer Size Error')
> File
> "/usr/lib/python3/dist-packages/sernet/samba/netcmd/__init__.py", line
> 353, in _run
> return self.run(*args, **kwargs)
> ^^^^^^^^^^^^^^^^^^^^^^^^^
> File
> "/usr/lib/python3/dist-packages/sernet/samba/netcmd/domain/auth/policy/policy.py", line 163, in run
> policy = AuthenticationPolicy.get(ldb, cn=name)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> File
> "/usr/lib/python3/dist-packages/sernet/samba/domain/models/model.py",
> line 286, in get
> return cls.query(samdb, **kwargs).get()
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> File
> "/usr/lib/python3/dist-packages/sernet/samba/domain/models/query.py",
> line 87, in get
> return self._from_message(self.result[0])
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> File
> "/usr/lib/python3/dist-packages/sernet/samba/domain/models/query.py",
> line 65, in _from_message
> return model._from_message(self.samdb, message)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> File
> "/usr/lib/python3/dist-packages/sernet/samba/domain/models/model.py",
> line 148, in _from_message
> obj._apply(samdb, message)
> File
> "/usr/lib/python3/dist-packages/sernet/samba/domain/models/model.py",
> line 162, in _apply
> setattr(self, attr, field.from_db_value(samdb, message[field.name]))
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> File
> "/usr/lib/python3/dist-packages/sernet/samba/domain/models/fields.py",
> line 402, in from_db_value
> return ndr_unpack(security.descriptor, value[0])
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> File "/usr/lib/python3/dist-packages/sernet/samba/ndr.py", line 48,
> in ndr_unpack
> ndr_unpack(data, allow_remaining=allow_remaining)
> ----------------
> And here again is the working condition from a Windows domain
> -----------
> msDS-UserAllowedToAuthenticateFrom:
> O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.example://ext/AuthenticationSilo !=
> "winclient-silo"))
> -----------
> As you can see, it stays "XA", only it changes from "==" to "!=", and this
> is handled by the option "deny" or "allow" in the condition.
>
> Stefan
>
>> Douglas
>>
>
>
>
>
The problem is that SDDL has two separate representations: the encoded
binary representation, and the SDDL string representation (like
“O:SYG:SYD:…”). msDS-ComputerAllowedToAuthenticateTo uses the binary
representation, and if you set it to an SDDL string instead,
ndr_unpack() will be unable to decode it, as you see here.
The recommended way to set the SDDL is like so:
samba-tool domain auth policy modify --name win11
--computer-allowed-to-authenticate-to=SDDL
Does Windows cope with an SDDL string in the
msDS-ComputerAllowedToAuthenticateTo attribute?
Cheers,
Jennifer (she/her)
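Added example, not part of the thread and not Samba's own code: a small dependency-free Python check that tells an SDDL text value apart from the self-relative binary SECURITY_DESCRIPTOR that msDS-ComputerAllowedToAuthenticateTo expects, and renders a binary value the way LDIF requires (base64 after "::"). The SID and the empty DACL are constructed placeholders; a real conditional DACL would come from samba-tool, as recommended above.

```python
import base64
import struct

# Self-relative SECURITY_DESCRIPTOR header: Revision, Sbz1, Control,
# OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl (all little-endian).
SD_HEADER = struct.Struct("<BBHIIII")
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000

# Constructed sample values: S-1-5-18 (SY, LocalSystem) in binary form, and
# an empty ACL (AclRevision 4, AclSize 8, AceCount 0) standing in for the
# real conditional DACL, whose binary encoding is out of scope here.
SID_SY = b"\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00"
EMPTY_DACL = b"\x04\x00\x08\x00\x00\x00\x00\x00"


def build_self_relative_sd(owner=SID_SY, group=SID_SY, dacl=EMPTY_DACL):
    """Pack header + owner + group + DACL into one self-relative blob."""
    owner_off = SD_HEADER.size
    group_off = owner_off + len(owner)
    dacl_off = group_off + len(group)
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT
    header = SD_HEADER.pack(1, 0, control, owner_off, group_off, 0, dacl_off)
    return header + owner + group + dacl


def classify_sd_value(value: bytes) -> str:
    """Return "sddl-text", "binary-sd" or "invalid" for an attribute value.

    SDDL text begins with a component tag such as "O:" or "D:"; a binary
    descriptor begins with revision byte 0x01 and has SE_SELF_RELATIVE set.
    A quoted SDDL string, as in the LDIF above, matches neither.
    """
    if value[:2] in (b"O:", b"G:", b"D:", b"S:"):
        return "sddl-text"
    if len(value) < SD_HEADER.size:
        return "invalid"
    revision, _, control, *offsets = SD_HEADER.unpack_from(value)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        return "invalid"
    # Every non-zero offset must point inside the blob, past the header.
    if any(o and not SD_HEADER.size <= o < len(value) for o in offsets):
        return "invalid"
    return "binary-sd"


def ldif_replace(attr: str, sd: bytes) -> str:
    """Render a binary value as LDIF; "::" marks a base64-encoded value."""
    if classify_sd_value(sd) != "binary-sd":
        raise ValueError("refusing to write a value that is not a binary SD")
    return f"replace: {attr}\n{attr}:: {base64.b64encode(sd).decode()}\n"
```

Running the quoted LDIF value through classify_sd_value() returns "invalid", which is the same mismatch that makes ndr_unpack() fail with a buffer size error.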