authentication policies in Samba 4.21

Stefan Kania stefan at kania-online.de
Tue Oct 22 18:51:09 UTC 2024


Still not working :-(

What I did:
Changing two GPOs
1. Default Domain Controllers Policy
Computer Configuration\Policies\Administrative Templates\System\KDC
KDC support for claims, compound authentication and Kerberos armoring = enabled

2. Default Domain Policy
Computer Configuration\Policies\Administrative Templates\System\Kerberos
Kerberos client support for claims, compound authentication and Kerberos armoring

Then I moved all users and computers into a valid OU (not cn=users or cn=computers).

Rebooted the Windows 11 client and the Samba DC.

3. Creating the policy:
samba-tool domain auth policy create --name win11-policy --enforce

Setting the ticket lifetime (not needed, only to test if it works):
samba-tool domain auth policy modify --user-tgt-lifetime-mins=90 --name win11-policy

4. Creating the silo
samba-tool domain auth silo create --name win11-silo --enforce

5. Assigning users and computers
samba-tool domain auth silo member grant --name win11-silo --member=stka
samba-tool domain auth silo member grant --name win11-silo --member=WINCLIENT11\$

6. Setting the condition
samba-tool domain auth policy user-allowed-to-authenticate-to set --by-silo=win11-silo --name=win11-policy

7. Changing the condition to disallow access for all users to all computers of the silo
samba-tool domain auth policy modify --name win11-policy --user-allowed-to-authenticate-to="O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.example://ext/AuthenticationSilo != \"win11-silo\"))"

On a Windows DC you now have to assign the policy to the user and computer, but on the Samba DC this is already done:
ldbsearch --url=/var/lib/samba/private/sam.ldb CN=stka --cross-ncs -U administrator
...
msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN 
Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
...

But user "stka" can still log in to winclient11. What else do I have to do? What did I do wrong?

Stefan





On 15.10.24 at 20:17, Stefan Kania via samba-technical wrote:
> Hi Jennifer,
> 
> thank you :-), now I set the auth-policy with !=. Now I can start 
> testing the policies and silos.
> 
> Stefan
> 
> On 14.10.24 at 01:39, Jennifer Sutton via samba-technical wrote:
>> On 14/10/24 12:33 pm, Jennifer Sutton via samba-technical wrote:
>>> samba-tool domain auth policy modify --name win11 --computer-allowed- 
>>> to-authenticate-to=O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.example://ext/ 
>>> AuthenticationSilo != \"winclient-silo\"))"
>>
>> Oh, pretend there was a double quote after ‘--computer-allowed-to- 
>> authenticate-to’.
>>
>> Cheers,
>> Jennifer (she/her)
>>
> 
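Both messages in this thread trip over the same detail: the conditional ACE passed to --user-allowed-to-authenticate-to contains double quotes of its own, so a dropped outer quote silently produces a malformed policy string. The following is an added example, not code from the original post or from the Samba project: a small POSIX shell helper that builds the SDDL string with the embedded quotes intact, checks that parentheses and quotes are balanced before the string is handed to samba-tool, and prints the resulting command line. The attribute path @USER.example://ext/AuthenticationSilo, the silo name and the policy name are taken from the thread; the function names, the optional operator parameter (== as well as the != used in the thread) and the check are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): build and sanity-check
# the SDDL conditional ACE used with --user-allowed-to-authenticate-to.
# Assumed names: build_silo_condition, check_sddl, show_command are hypothetical
# helpers; the attribute path and silo/policy names come from the thread.

# Print the SDDL that allows authentication (CR) to everyone (WD) whose
# AuthenticationSilo claim compares <op> to <silo>. op defaults to "!=" as in
# the thread; "==" is the other comparison the conditional ACE grammar allows.
build_silo_condition() {
    silo="$1"
    op="${2:-!=}"
    # The single-quoted fragments keep the inner " characters literal;
    # only $op and $silo are expanded by the shell.
    printf '%s' 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.example://ext/AuthenticationSilo '"$op"' "'"$silo"'"))'
}

# Return 0 when parentheses are balanced and double quotes come in pairs.
# This catches the dropped trailing quote discussed in the thread before
# samba-tool ever sees the string. Arithmetic expansion strips any padding
# that wc prints on some platforms.
check_sddl() {
    s="$1"
    opens=$(( $(printf '%s' "$s" | tr -cd '(' | wc -c) ))
    closes=$(( $(printf '%s' "$s" | tr -cd ')' | wc -c) ))
    quotes=$(( $(printf '%s' "$s" | tr -cd '"' | wc -c) ))
    [ "$opens" -eq "$closes" ] && [ $((quotes % 2)) -eq 0 ]
}

# Print (do not run) the samba-tool invocation that would apply the condition.
# Wrapping the SDDL in single quotes on the command line is the simplest way
# to protect its embedded double quotes from the shell.
show_command() {
    policy="$1"; silo="$2"; op="${3:-!=}"
    sddl=$(build_silo_condition "$silo" "$op")
    if ! check_sddl "$sddl"; then
        echo "malformed SDDL: $sddl" >&2
        return 1
    fi
    printf "samba-tool domain auth policy modify --name %s --user-allowed-to-authenticate-to='%s'\n" "$policy" "$sddl"
}

show_command win11-policy win11-silo
```

Running the script prints the modify command for win11-policy with the condition from step 7; swap in == as the third argument of show_command to express "only principals in the silo" instead of "everyone outside it". check_sddl is deliberately shallow (it counts delimiters rather than parsing the ACE), which is enough to reject the missing-quote variant from the earlier message.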