authentication policies in Samba 4.21
Stefan Kania
stefan at kania-online.de
Tue Oct 22 18:51:09 UTC 2024
Still not working :-(
What I did:
Changing two GPOs
1. Default Domain Controllers Policy
Computer Configuration\Policies\Administrative Templates\System\KDC
KDC support for claims, compound authentication and Kerberos armoring = enabled
2. Default Domain Policy
Computer Configuration\Policies\Administrative Templates\System\Kerberos
Kerberos client support for claims, compound authentication and Kerberos armoring
Then move all users and computers into a valid OU (not cn=users or cn=computers)
Reboot the Windows 11 client and the Samba DC
3. Creating the policy:
samba-tool domain auth policy create --name win11-policy --enforce
Setting the ticket lifetime (not needed, only to test if it works):
samba-tool domain auth policy modify --user-tgt-lifetime-mins=90 --name win11-policy
4. Creating the silo:
samba-tool domain auth silo create --name win11-silo --enforce
5. Assign users and computers:
samba-tool domain auth silo member grant --name win11-silo --member=stka
samba-tool domain auth silo member grant --name win11-silo --member=WINCLIENT11\$
6. Setting the condition:
samba-tool domain auth policy user-allowed-to-authenticate-to set --by-silo=win11-silo --name=win11-policy
7. Change the condition to disallow access for all users to all computers of the silo:
samba-tool domain auth policy modify --name win11-policy --user-allowed-to-authenticate-to="O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.example://ext/AuthenticationSilo != \"win11-silo\"))"
On a Windows DC you now have to assign the policy to the user and computer, but on the Samba DC this is already done:
ldbsearch --url=/var/lib/samba/private/sam.ldb CN=stka --cross-ncs -U administrator
...
msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
...
But user "stka" can still log in to winclient11. What else do I have to do? What did I do wrong?
Stefan
On 15.10.24 at 20:17 Stefan Kania via samba-technical wrote:
> Hi Jennifer,
>
> thank you :-), now I set the auth-policy with !=. Now I can start
> testing the policies and silos.
>
> Stefan
>
> On 14.10.24 at 01:39 Jennifer Sutton via samba-technical wrote:
>> On 14/10/24 12:33 pm, Jennifer Sutton via samba-technical wrote:
>>> samba-tool domain auth policy modify --name win11 --computer-allowed-
>>> to-authenticate-to=O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.example://ext/
>>> AuthenticationSilo != \"winclient-silo\"))"
>>
>> Oh, pretend there was a double quote after ‘--computer-allowed-to-
>> authenticate-to’.
>>
>> Cheers,
>> Jennifer (she/her)
>>
>
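An added example, not part of the thread above and not Samba's own tooling: a POSIX sh check that runs over the LDIF that ldbsearch prints for a user object and for a silo object, and tells apart two attributes that are easy to confuse in this setup. msDS-AuthNPolicySiloMembersBL is only the backlink of the silo's member list (what `silo member grant` writes); the silo is assigned to an account through the forward link msDS-AssignedAuthNPolicySilo (in Samba 4.20 and later that is what `samba-tool user auth silo assign` sets), and a silo only takes effect for a principal when both are present and the silo is enforced. The second function checks that the silo object itself is enforced and links a user policy. The LDIF records below are constructed for this example, not captured from a DC, and the DN components in them (OU=Firma and so on) are placeholders.

```shell
#!/bin/sh
# Added example (not from the samba-technical thread, not Samba code).
# Checks ldbsearch LDIF for the two halves of a silo relationship:
#   msDS-AuthNPolicySiloMembersBL - backlink: user is listed in the silo's members
#   msDS-AssignedAuthNPolicySilo  - forward link: the silo is assigned to the user
# and, on the silo object, that it is enforced and links a user policy.

# LDIF wraps long values onto continuation lines that start with a space;
# fold them back onto one line so a plain grep can match whole values.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    '
}

# has_attr <ldif-text> <attribute> <value-prefix>
# Succeeds if the unfolded record carries <attribute> whose value starts with <value-prefix>.
has_attr() {
    printf '%s\n' "$1" | ldif_unfold | grep -qi "^$2: $3"
}

# user_silo_status <user-ldif> <silo-name>
# Prints EFFECTIVE, MEMBER_ONLY, ASSIGNED_ONLY or NONE.
user_silo_status() {
    member=0; assigned=0
    has_attr "$1" 'msDS-AuthNPolicySiloMembersBL' "CN=$2," && member=1
    has_attr "$1" 'msDS-AssignedAuthNPolicySilo' "CN=$2," && assigned=1
    if [ "$member" = 1 ] && [ "$assigned" = 1 ]; then echo EFFECTIVE
    elif [ "$member" = 1 ]; then echo MEMBER_ONLY
    elif [ "$assigned" = 1 ]; then echo ASSIGNED_ONLY
    else echo NONE
    fi
}

# silo_policy_status <silo-ldif> <policy-name>
# Prints ENFORCED_AND_LINKED, LINKED_NOT_ENFORCED, ENFORCED_NO_USER_POLICY or NONE.
silo_policy_status() {
    enforced=0; linked=0
    has_attr "$1" 'msDS-AuthNPolicySiloEnforced' 'TRUE' && enforced=1
    has_attr "$1" 'msDS-UserAuthNPolicy' "CN=$2," && linked=1
    if [ "$enforced" = 1 ] && [ "$linked" = 1 ]; then echo ENFORCED_AND_LINKED
    elif [ "$linked" = 1 ]; then echo LINKED_NOT_ENFORCED
    elif [ "$enforced" = 1 ]; then echo ENFORCED_NO_USER_POLICY
    else echo NONE
    fi
}

# Constructed sample: a user record after `silo member grant` alone (backlink only).
# The long DN is deliberately folded the way LDIF output folds it.
USER_MEMBER_ONLY='dn: CN=stka,OU=Users,OU=Firma,DC=example,DC=net
sAMAccountName: stka
msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Co
 nfiguration,CN=Services,CN=Configuration,DC=example,DC=net'

# Constructed sample: the same user once the silo has also been assigned to the account.
USER_EFFECTIVE="$USER_MEMBER_ONLY
msDS-AssignedAuthNPolicySilo: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net"

# Constructed sample: an enforced silo that links a user policy and has one member.
SILO_OK='dn: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AuthNPolicySiloEnforced: TRUE
msDS-UserAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AuthNPolicySiloMembers: CN=stka,OU=Users,OU=Firma,DC=example,DC=net'

# Constructed sample: an enforced silo that was created without any policy link.
SILO_NO_POLICY='dn: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AuthNPolicySiloEnforced: TRUE
msDS-AuthNPolicySiloMembers: CN=stka,OU=Users,OU=Firma,DC=example,DC=net'

echo "user, member only:        $(user_silo_status "$USER_MEMBER_ONLY" win11-silo)"
echo "user, member + assigned:  $(user_silo_status "$USER_EFFECTIVE" win11-silo)"
echo "silo with user policy:    $(silo_policy_status "$SILO_OK" win11-policy)"
echo "silo without user policy: $(silo_policy_status "$SILO_NO_POLICY" win11-policy)"
```

To run it against a live DC, replace the constructed samples with real output, for example `user_silo_status "$(ldbsearch --url=/var/lib/samba/private/sam.ldb --cross-ncs CN=stka)" win11-silo`, and the same for the silo object under CN=AuthN Silos in the Configuration partition.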