authentication policies in Samba 4.21
Stefan Kania
stefan at kania-online.de
Wed Oct 23 17:35:53 UTC 2024
Hi Douglas
On 23.10.24 at 06:04, Douglas Bagnall via samba-technical wrote:
> hi Stefan,
>
>> 7. Change the condition to disallow access for all users to all
>> computers of the silo
>> samba-tool domain auth policy modify --name win11-policy --user-allowed-to-authenticate-to="O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.example://ext/AuthenticationSilo != \"win11-silo\"))
>
> The constructed silo attribute always starts with "ad://", as if it were
> a URL prefix, but you have "example://" (you had this right earlier in
> the thread so it is perhaps a sanitisation error).
Yes, that's right, the listing from my earlier post was the result from
a Microsoft-AD auth-policy. What I wrote yesterday is the output from
the result of the samba-tool command.
But even if I replace "example:" with "ad:" it's not working:
samba-tool domain auth policy modify --name win11-policy --user-allowed-to-authenticate-to="O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != \"win11-silo\"))"
>
> Another possible problem is you have a policy, but the policy is not
> associated with an object. If it was, it would affect that object.
That's exactly what I think, that's what you have to do in a
Microsoft-domain.
>
> There should be something with the msDS-AssignedAuthNPolicy attribute
> pointing to this policy, and that thing will be what members of the
> win11-silo can't log into. The samba-tool command to do that might be missing.
>
The attribute msDS-AssignedAuthNPolicy is not set on the user object.
What I have is:
msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
>
>> 5. Assign users and computers
>> samba-tool domain auth silo member grant --name win11-silo --member=stka
>> samba-tool domain auth silo member grant --name win11-silo --member=WINCLIENT11\$
>
> I don't think adding "winclient11$" to the silo will make the policy
> apply to other members accessing it. A silo is very much like a group,
> and as with a group, this may just be giving similar rights to stka and
> winclient11.
Yes, I know, but in every howto the computers are also members of the silo;
without that it is not working even on Windows-AD. BTW I used:
https://azurecloudai.blog/2019/12/09/protect-administrative-accounts-with-authentication-policies-and-silos/
>
> In fact, the policy could just as easily use a real group, which would
> look something like
>
> --user-allowed-to-authenticate-to \
> 'O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_Member_Of(SID(S-1-2-3-4))))'
>
> which could be useful in debugging.
Ok, now I changed the setting to:
samba-tool domain auth policy modify --name win11-policy --user-allowed-to-authenticate-to="O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_member_of(SID(S-1-5-21-1359888689-2238436679-1068688124-512))))"
So as I understand it, only members of the group 'domain admins' are
allowed to log in. But I still can log in with my "normal" user.
My conclusion: as long as it is not possible (or maybe I can't figure
out how it works) to assign the policy to a user by adding the attribute
msDS-AssignedAuthNPolicy, the auth-policy / auth-silo stuff is not
working with Samba.
I would like to test more to maybe help get it working.
Stefan
>
> cheers,
> Douglas
>
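A small lint for the SDDL strings traded above, added here as an example and not part of this thread or of samba-tool: it splits the O:/G:/D: string into its conditional-ACE fields and checks the condition for the point Douglas raised (the silo claim must use the ad://ext/ prefix) plus quote and parenthesis balance and SID shape. The ACE field layout follows the strings in the thread; the lint rules themselves are my own assumptions, not a Samba validator.

```python
import re

# Constructed from the three SDDL strings in the thread (straight quotes, i.e. after the shell removed the \" escapes).
SDDL_EXAMPLE_PREFIX = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.example://ext/AuthenticationSilo != "win11-silo"))'
SDDL_AD_PREFIX = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != "win11-silo"))'
SDDL_GROUP = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_Member_Of(SID(S-1-5-21-1359888689-2238436679-1068688124-512))))'

# One conditional ACE: (type;flags;rights;object_guid;inherit_guid;sid;(condition))
ACE_RE = re.compile(
    r'\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[A-Z]*);'
    r'(?P<object_guid>[^;]*);(?P<inherit_guid>[^;]*);(?P<sid>[A-Z0-9-]+);\((?P<cond>.*)\)\)')
SD_RE = re.compile(r'O:(?P<owner>[A-Z0-9-]+)G:(?P<group>[A-Z0-9-]+)D:(?P<dacl>.*)$')

def parse_sddl(sddl):
    """Split an O:/G:/D: SDDL string holding a single conditional ACE into its fields."""
    sd = SD_RE.fullmatch(sddl)
    if not sd:
        raise ValueError('not an O:...G:...D:... SDDL string')
    ace = ACE_RE.fullmatch(sd.group('dacl'))
    if not ace:
        raise ValueError('DACL is not exactly one conditional ACE')
    fields = {k: v for k, v in sd.groupdict().items() if k != 'dacl'}
    fields.update(ace.groupdict())
    return fields

def lint_condition(cond):
    """Return the problems found in a conditional-ACE expression (empty list = clean)."""
    problems = []
    if cond.count('"') % 2:
        problems.append('unbalanced double quotes')
    if cond.count('(') != cond.count(')'):
        problems.append('unbalanced parentheses')
    # Claim references such as @USER.ad://ext/AuthenticationSilo must carry the ad://ext/ prefix.
    for attr in re.findall(r'@[A-Za-z]+\.[^\s!=<>)]+', cond):
        if not re.match(r'@[A-Za-z]+\.ad://ext/', attr):
            problems.append(f'attribute {attr} does not use the ad://ext/ prefix')
    # SID(...) literals must look like a real SID (assumed shape: S-1-<authority>-<subauthorities>).
    for sid in re.findall(r'SID\(([^)]*)\)', cond):
        if not re.fullmatch(r'S-1-\d+(?:-\d+)+', sid):
            problems.append(f'malformed SID {sid}')
    return problems

def check_policy_sddl(sddl):
    """Parse the string and lint its condition; returns (fields, problems)."""
    fields = parse_sddl(sddl)
    return fields, lint_condition(fields['cond'])
```

Running check_policy_sddl over the three constants flags only the first one (the example:// prefix); the ad:// and Not_Member_Of strings parse cleanly, which narrows the problem to policy assignment rather than the SDDL syntax.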