authentication policies in Samba 4.21

Jennifer Sutton jsutton at samba.org
Sat Oct 12 00:53:06 UTC 2024


On 12/10/24 6:49 am, Stefan Kania via samba-technical wrote:
> Hi Douglas,
> 
> Am 11.10.24 um 03:36 schrieb Douglas Bagnall:
>> On 11/10/24 10:21, Douglas Bagnall via samba-technical wrote:
>>> hi Stefan,
>>>
>>> On 11/10/24 05:11, Stefan Kania via samba-technical wrote:
>>>> I'm just testing how it's going on with the auth-policies in 4.21 
>>>> and I see now it's possible to set conditions with:
>>>> user-allowed-to-authenticate-to
>>>> ...
>>>>
>>>> When I set a condition I see:
>>>> "msDS-ComputerAllowedToAuthenticateTo": "O:SYG:SYD:(XA;OICI;CR;;;WD; 
>>>> (@USER.ad://ext/AuthenticationSilo == \"win11-computer\"))",
>>>> I can allow the users from the silo to authenticate
>>>> But in the Windows-world it's possible to disallow the 
>>>> authentication, then it looks like this:
>>>> "msDS-ComputerAllowedToAuthenticateTo": "O:SYG:SYD:(XA;OICI;CR;;;WD; 
>>>> (@USER.ad://ext/AuthenticationSilo != \"win11-computer\"))",
>>>>
>>>>
>>>> Am I missing something or is it not yet possible?
>>
>> OK, now I see that maybe we are talking about different things.
>>
>> When you say "possible", you mean "possible using samba-tool or 
>> something".
>>
> Yes, exactly :-)
>> I was thinking more along the lines of "will it work if it gets in 
>> this state?".
>>
>> In that case, I think you are looking for something like this:
>>
>>      samba-tool domain auth policy modify  \
>>              --name foo  \
>>             --user-allowed-to-authenticate-to="O:SYG:SYD:..."
>>
>> The other way is a shortcut to allow the most common thing.
>>
> That's what is missing. What is needed is another option to:
> 
> samba-tool domain  auth policy computer-allowed-to-authenticate-to set 
> --by-silo=win11-computer --name=win11
> 
> Something like --deny and --allow. That's by the way how it is done on a 
> Windows-System.
> 
> Take a look at this howto:
> https://thesleepyadmins.com/2024/07/16/active-directory-authentication-policies-and-authentication-policy-silos/
> 
> You will find a picture (nearly at the end) named "Create control 
> conditions" This picture is showing that you can choose between allow or 
> deny.
> 
> I try to set the XD or != via an LDIF file:
> ----------------
> dn: CN=win11,CN=AuthN Policies,CN=AuthN Policy 
> Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> changetype: modify
> replace: msDS-ComputerAllowedToAuthenticateTo
> msDS-ComputerAllowedToAuthenticateTo: 
> "O:SYG:SYD:(XD;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == 
> \"win11-computer\"))",
> ----------------
> 
> But when I try to view the policy I get:
> ----------------
> root at dc01:~# samba-tool domain  auth policy view --name win11
> ERROR(runtime): uncaught exception - (11, 'Buffer Size Error')
>    File 
> "/usr/lib/python3/dist-packages/sernet/samba/netcmd/__init__.py", line 
> 353, in _run
>      return self.run(*args, **kwargs)
>             ^^^^^^^^^^^^^^^^^^^^^^^^^
>    File 
> "/usr/lib/python3/dist-packages/sernet/samba/netcmd/domain/auth/policy/policy.py", line 163, in run
>      policy = AuthenticationPolicy.get(ldb, cn=name)
>               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    File 
> "/usr/lib/python3/dist-packages/sernet/samba/domain/models/model.py", 
> line 286, in get
>      return cls.query(samdb, **kwargs).get()
>             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    File 
> "/usr/lib/python3/dist-packages/sernet/samba/domain/models/query.py", 
> line 87, in get
>      return self._from_message(self.result[0])
>             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    File 
> "/usr/lib/python3/dist-packages/sernet/samba/domain/models/query.py", 
> line 65, in _from_message
>      return model._from_message(self.samdb, message)
>             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    File 
> "/usr/lib/python3/dist-packages/sernet/samba/domain/models/model.py", 
> line 148, in _from_message
>      obj._apply(samdb, message)
>    File 
> "/usr/lib/python3/dist-packages/sernet/samba/domain/models/model.py", 
> line 162, in _apply
>      setattr(self, attr, field.from_db_value(samdb, message[field.name]))
>                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    File 
> "/usr/lib/python3/dist-packages/sernet/samba/domain/models/fields.py", 
> line 402, in from_db_value
>      return ndr_unpack(security.descriptor, value[0])
>             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    File "/usr/lib/python3/dist-packages/sernet/samba/ndr.py", line 48, 
> in ndr_unpack
>      ndr_unpack(data, allow_remaining=allow_remaining)
> ----------------
> And here again is the working condition from a Windows domain:
> -----------
> msDS-UserAllowedToAuthenticateFrom: 
> O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.example://ext/AuthenticationSilo != 
> "winclient-silo"))
> -----------
> As you can see, it stays "XA"; only it changes from "==" to "!=", and this 
> is handled by the option "deny" or "allow" in the condition.
> 
> Stefan
> 
>> Douglas
>>

The problem is that SDDL has two separate representations: the encoded 
binary representation, and the SDDL string representation (like 
“O:SYG:SYD:…”). msDS-ComputerAllowedToAuthenticateTo uses the binary 
representation, and if you set it to an SDDL string instead, 
ndr_unpack() will be unable to decode it, as you see here.

The recommended way to set the SDDL is like so:

samba-tool domain auth policy modify --name win11 
--computer-allowed-to-authenticate-to=SDDL

Does Windows cope with an SDDL string in the 
msDS-ComputerAllowedToAuthenticateTo attribute?

Cheers,
Jennifer (she/her)
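The binary-versus-string distinction above, as an added example that is not Samba's own code: a stand-alone Python check that tells whether an LDAP attribute value is the self-relative binary security descriptor ndr_unpack() expects or an SDDL string like the one the LDIF wrote, plus a small reader for the XA/XD silo conditions quoted in the thread. The regexes and the 20-byte sample descriptor header are constructed for this example and only cover the condition shapes shown in the thread.

```python
import re
import struct

SD_REVISION = 1            # revision byte of a binary SECURITY_DESCRIPTOR
SE_SELF_RELATIVE = 0x8000  # control flag set on descriptors stored in LDAP


def classify_value(value: bytes) -> str:
    """Return 'binary_sd' for a self-relative security descriptor (what
    ndr_unpack expects), 'sddl_string' for an SDDL text value (what the
    LDIF in the thread wrote, giving 'Buffer Size Error'), else 'unknown'."""
    if len(value) >= 20:  # header: revision, sbz1, control, four offsets
        revision, sbz1, control = struct.unpack_from("<BBH", value, 0)
        if revision == SD_REVISION and sbz1 == 0 and control & SE_SELF_RELATIVE:
            return "binary_sd"
    text = value.decode("ascii", errors="replace").strip(' \t\r\n",')
    if text.startswith(("O:", "G:", "D:", "S:")):
        return "sddl_string"
    return "unknown"


# Callback ACE: (Type;Flags;Rights;ObjectGuid;InheritGuid;Sid;(Condition))
ACE_RE = re.compile(r"\((X[AD]);[^;]*;[^;]*;[^;]*;[^;]*;[^;]*;\((.*?)\)\)")
# Silo test as used in the thread; the optional backslash accepts the
# \" escaping that appears when the value is pasted from JSON or LDIF.
COND_RE = re.compile(
    r'@USER\.\S+?/AuthenticationSilo\s*(==|!=)\s*\\?"([^"\\]+)\\?"')


def describe_silo_conditions(sddl: str) -> list:
    """Summarise each XA/XD ACE whose condition tests AuthenticationSilo."""
    out = []
    for ace_type, cond in ACE_RE.findall(sddl):
        m = COND_RE.search(cond)
        if not m:
            continue
        op, silo = m.groups()
        out.append({
            "ace": "allow" if ace_type == "XA" else "deny",
            "op": op,
            "silo": silo,
            # XA with '!=' is how Windows expresses "deny this silo": the
            # ACE type stays XA and everyone except the silo is allowed.
            "applies_to": "members of silo" if op == "==" else "everyone except silo",
        })
    return out


# Constructed sample: a minimal self-relative descriptor header with no ACLs
# (control = SE_SELF_RELATIVE | SE_DACL_PRESENT, all offsets zero).
BINARY_SD_SAMPLE = struct.pack("<BBHIIII", SD_REVISION, 0, 0x8004, 0, 0, 0, 0)
```

To produce the binary form from SDDL with Samba's own bindings, use samba.dcerpc.security.descriptor.from_sddl() followed by samba.ndr.ndr_pack(); samba-tool does this for you when given --computer-allowed-to-authenticate-to.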


