authentication policies in Samba 4.21
Andrew Bartlett
abartlet at samba.org
Mon Oct 14 21:18:44 UTC 2024
On Sat, 2024-10-12 at 13:53 +1300, Jennifer Sutton via samba-technical
wrote:
> On 12/10/24 6:49 am, Stefan Kania via samba-technical wrote:
> > Hi Douglas,
> > On 11.10.24 at 03:36, Douglas Bagnall wrote:
> > > On 11/10/24 10:21, Douglas Bagnall via samba-technical wrote:
> > > > hi Stefan,
> > > > On 11/10/24 05:11, Stefan Kania via samba-technical wrote:
> > > > > I'm just testing how it's going on with the auth-policies in
> > > > > 4.21 and I see now it's possible to set conditions with:
> > > > > user-allowed-to-authenticate-to...
> > > > > When I set a condition I see:
> > > > > "msDS-ComputerAllowedToAuthenticateTo":
> > > > > "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-computer\"))",
> > > > > I can allow the users from the silo to authenticate. But in the
> > > > > Windows-world it's possible to disallow the authentication,
> > > > > then it looks like this:
> > > > > "msDS-ComputerAllowedToAuthenticateTo":
> > > > > "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != \"win11-computer\"))",
> > > > >
> > > > > Am I missing something or is it not yet possible?
> > >
> > > OK, now I see that maybe we are talking about different things.
> > > When you say "possible", you mean "possible using samba-tool or
> > > something".
> > Yes, exactly :-)
> > > I was thinking more along the lines of "will it work if it gets
> > > in this state?".
> > > In that case, I think you are looking for something like this:
> > > samba-tool domain auth policy modify \
> > >     --name foo \
> > >     --user-allowed-to-authenticate-to="O:SYG:SYD:..."
> > > The other way is a shortcut to allow the most common thing.
> > That's what is missing. What is needed is another option to:
> > samba-tool domain auth policy computer-allowed-to-authenticate-to
> > set --by-silo=win11-computer --name=win11
> > Something like --deny and --allow. That's by the way how it is done
> > on a Windows-System.
> > Take a look at this howto:
> > https://thesleepyadmins.com/2024/07/16/active-directory-authentication-policies-and-authentication-policy-silos/
> >
> > You will find a picture (nearly at the end) named "Create control
> > conditions" This picture is showing that you can choose between
> > allow or deny.
> > I try to set the XD or != via an ldif-file:
> > ----------------
> > dn: CN=win11,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> > changetype: modify
> > replace: msDS-ComputerAllowedToAuthenticateTo
> > msDS-ComputerAllowedToAuthenticateTo: "O:SYG:SYD:(XD;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-computer\"))",
> > ----------------
> > But when I try to view the policy I get:
> > ----------------
> > root at dc01:~# samba-tool domain auth policy view --name win11
> > ERROR(runtime): uncaught exception - (11, 'Buffer Size Error')
> >   File "/usr/lib/python3/dist-packages/sernet/samba/netcmd/__init__.py", line 353, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python3/dist-packages/sernet/samba/netcmd/domain/auth/policy/policy.py", line 163, in run
> >     policy = AuthenticationPolicy.get(ldb, cn=name)
> >   File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/model.py", line 286, in get
> >     return cls.query(samdb, **kwargs).get()
> >   File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/query.py", line 87, in get
> >     return self._from_message(self.result[0])
> >   File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/query.py", line 65, in _from_message
> >     return model._from_message(self.samdb, message)
> >   File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/model.py", line 148, in _from_message
> >     obj._apply(samdb, message)
> >   File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/model.py", line 162, in _apply
> >     setattr(self, attr, field.from_db_value(samdb, message[field.name]))
> >   File "/usr/lib/python3/dist-packages/sernet/samba/domain/models/fields.py", line 402, in from_db_value
> >     return ndr_unpack(security.descriptor, value[0])
> >   File "/usr/lib/python3/dist-packages/sernet/samba/ndr.py", line 48, in ndr_unpack
> >     ndr_unpack(data, allow_remaining=allow_remaining)
> > ----------------
> > And here again is the working condition from a Windows-domain:
> > -----------
> > msDS-UserAllowedToAuthenticateFrom: O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.example://ext/AuthenticationSilo != "winclient-silo"))
> > -----------
> > As you can see, it stays "XA", only it changes from "==" to "!=", and
> > this is handled by the option "deny" or "allow" in the condition.
> > Stefan
> > > Douglas
> >
> >
> >
>
> The problem is that SDDL has two separate representations: the
> encoded binary representation, and the SDDL string representation
> (like “O:SYG:SYD:…”). msDS-ComputerAllowedToAuthenticateTo uses the
> binary representation, and if you set it to an SDDL string instead,
> ndr_unpack() will be unable to decode it, as you see here.
> The recommended way to set the SDDL is like so:
> samba-tool domain auth policy modify --name win11 --computer-allowed-to-authenticate-to=SDDL
> Does Windows cope with an SDDL string in the
> msDS-ComputerAllowedToAuthenticateTo attribute?
Regarding setting SDDL, if using ldb tools to do it:
The Samba-side magic that allows LDB tools to show and set string-format
SDDL into ntSecurityDescriptor is controlled by
samba/lib/ldb-samba/ldif_handlers.c. This list could be extended.
Andrew,
--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
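The distinction Jennifer draws in the thread above, between the SDDL string ("O:SYG:SYD:...") and the self-relative binary SECURITY_DESCRIPTOR that msDS-ComputerAllowedToAuthenticateTo actually stores, as an added stand-alone example. This is not code from the thread or from Samba; the function names (build_allow_cr_sd, classify, describe_dacl, ldif_modify) and the DN are mine, the DN modelled on Stefan's. It hand-encodes the plain, non-conditional descriptor O:SYG:SYD:(A;;CR;;;WD) from the MS-DTYP layouts, checks whether a candidate attribute value is string SDDL, a plausible binary SD or neither (the check that would have rejected the string value in Stefan's LDIF before ndr_unpack() raised "Buffer Size Error"), walks the DACL back out, and emits the base64 "attr::" LDIF form a binary attribute needs when no ldif handler converts strings for it. The conditional XA/XD ACEs the thread is about append a condition blob that this example does not encode; for those, the samba-tool "auth policy modify" path Jennifer names, or the samba Python bindings, do the marshalling.

```python
# Added, stand-alone example (not Samba code): tell a self-relative binary
# SECURITY_DESCRIPTOR, which msDS-*AllowedToAuthenticate* stores, apart from
# an SDDL string, and emit the base64 LDIF form a binary attribute needs.
# Layouts follow MS-DTYP 2.4.6 (SD), 2.4.5 (ACL), 2.4.4.2 (ACCESS_ALLOWED_ACE)
# and 2.4.2.2 (SID). All inputs below are constructed.
import base64
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ADS_RIGHT_DS_CONTROL_ACCESS = 0x0100      # the "CR" right in the thread's ACEs
ACL_REVISION = 2                          # no object-specific ACEs, so not 4

# Well-known SDDL abbreviations used in the thread: SY = LocalSystem, WD = Everyone
WELL_KNOWN = {"SY": "S-1-5-18", "WD": "S-1-1-0"}


def sid_to_bytes(sid):
    """'S-1-5-18' -> binary SID: Revision, SubAuthorityCount, 6-byte BE authority, LE subauthorities."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(s) for s in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf, off):
    """Inverse of sid_to_bytes, reading the SID that starts at offset 'off'."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def build_allow_cr_sd(trustee="WD"):
    """Binary form of O:SYG:SYD:(A;;CR;;;<trustee>): one plain ACCESS_ALLOWED ACE.
    (Conditional XA/XD ACEs append a condition blob this example does not encode.)"""
    owner = group = sid_to_bytes(WELL_KNOWN["SY"])
    trustee_sid = sid_to_bytes(WELL_KNOWN[trustee])
    # ACE: AceType, AceFlags, AceSize, Mask, then the trustee SID
    ace = struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(trustee_sid),
                      ADS_RIGHT_DS_CONTROL_ACCESS) + trustee_sid
    # ACL: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    acl = struct.pack("<BBHHH", ACL_REVISION, 0, 8 + len(ace), 1, 0) + ace
    off_owner = 20                         # the SD header is 20 bytes
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    # SD: Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + group + acl


def classify(value):
    """'sddl', 'binary' or 'invalid'. This is the check that would have caught
    the string value in the LDIF above before ndr_unpack() choked on it."""
    if value[:2] in (b"O:", b"G:", b"D:", b"S:"):
        return "sddl"                      # an SDDL string starts with a section tag
    if len(value) < 20:
        return "invalid"
    revision, sbz1, control, *offsets = struct.unpack_from("<BBHIIII", value, 0)
    if revision != 1 or sbz1 != 0 or not control & SE_SELF_RELATIVE:
        return "invalid"
    if any(off and off >= len(value) for off in offsets):
        return "invalid"                   # every non-zero offset must land inside the buffer
    return "binary"


def describe_dacl(sd):
    """Walk the DACL of a binary SD: list of (ace_type, mask, trustee_sid)."""
    control = struct.unpack_from("<H", sd, 2)[0]
    off_dacl = struct.unpack_from("<I", sd, 16)[0]
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    count = struct.unpack_from("<BBHHH", sd, off_dacl)[3]
    aces, off = [], off_dacl + 8
    for _ in range(count):
        ace_type, _flags, size, mask = struct.unpack_from("<BBHI", sd, off)
        aces.append((ace_type, mask, sid_from_bytes(sd, off + 8)))
        off += size
    return aces


def ldif_modify(dn, attr, sd):
    """LDIF 'replace' that writes the binary SD; 'attr::' marks a base64 value."""
    if classify(sd) != "binary":
        raise ValueError("refusing to write a non-binary value into " + attr)
    return "\n".join(["dn: " + dn, "changetype: modify", "replace: " + attr,
                      attr + ":: " + base64.b64encode(sd).decode("ascii"), "-", ""])


if __name__ == "__main__":
    # Constructed DN, modelled on the one in the thread.
    sd = build_allow_cr_sd()
    print(classify(sd), describe_dacl(sd))
    print(ldif_modify("CN=win11,CN=AuthN Policies,CN=AuthN Policy Configuration,"
                      "CN=Services,CN=Configuration,DC=example,DC=net",
                      "msDS-ComputerAllowedToAuthenticateTo", sd))
```

Fed the SDDL string from the failing LDIF, classify() answers "sddl"; fed it as bytes to an NDR decoder, the first two bytes "O:" would be read as Revision 0x4F and Sbz1 0x3A, which is why the real ndr_unpack() fails the way the traceback shows. Applying the generated LDIF with ldbmodify writes the 72-byte blob, not its text.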