authentication policies in Samba 4.21

Stefan Kania stefan at kania-online.de
Wed Oct 23 17:35:53 UTC 2024


Hi Douglas

On 23.10.24 at 06:04, Douglas Bagnall via samba-technical wrote:
> hi Stefan,
> 
>> 7. Change the condition to disallow access for all users to all
>> computers of the silo
>> samba-tool domain auth policy modify --name win11-policy --user-allowed-to-authenticate-to="O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.example://ext/AuthenticationSilo != \"win11-silo\"))"
> 
> The constructed silo attribute always starts with "ad://", as if it were 
> a URL prefix, but you have "example://" (you had this right earlier in 
> the thread so is perhaps a sanitisation error).

Yes, that's right, the listing from my earlier post was the result from 
a Microsoft-AD auth-policy. What I wrote yesterday is the output from 
the result of the samba-tool command.
But even if I replace "example:" with "ad:" it's not working.
samba-tool domain auth policy modify --name win11-policy --user-allowed-to-authenticate-to="O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != \"win11-silo\"))"
> 
> Another possible problem is you have a policy, but the policy is not 
> associated to an object. If it was, it would affect that object.
That's exactly what I think, that's what you have to do in a 
Microsoft-domain.
> 
> There should be something with the msDS-AssignedAuthNPolicy attribute 
> pointing to this policy, and that thing will be what members of the 
> win11-silo can't log into. The samba-tool command to do that might be missing.
> 
The attribute msDS-AssignedAuthNPolicy is not set at the user's object.
What I have is:
msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net

> 
>> 5. Assign users and computers
>> samba-tool domain auth silo member grant --name win11-silo --member=stka
>> samba-tool domain auth silo member grant --name win11-silo --member=WINCLIENT11\$
> 
> I don't think adding "winclient11$" to the silo will make the policy 
> apply to other members accessing it. A silo is very much like a group, 
> and as with a group, this may just be giving similar rights to stka and 
> winclient11.
Yes, I know, but in every howto the computers are also members of the 
silo; without that it is not working even on Windows-AD. BTW I used:
https://azurecloudai.blog/2019/12/09/protect-administrative-accounts-with-authentication-policies-and-silos/
> 
> In fact, the policy could just as easily use a real group, which would 
> look something like
> 
>    --user-allowed-to-authenticate-to \
>      'O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_Member_Of(SID(S-1-2-3-4))))'
> 
> which could be useful in debugging.
Ok, now I changed the setting to:
samba-tool domain auth policy modify --name win11-policy --user-allowed-to-authenticate-to="O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_member_of(SID(S-1-5-21-1359888689-2238436679-1068688124-512))))"

So as I understand, only members of the group 'domain admins' are 
allowed to log in. But I still can login with my "normal" user.

My conclusion: As long as it is not possible (or maybe I can't figure 
out how it works) to assign the policy to a user by adding the attribute 
msDS-AssignedAuthNPolicy, the auth-policy / auth-silo stuff is not 
working with samba.

I would like to test more to maybe help to get it working.

Stefan


> 
> cheers,
> Douglas
> 
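
The two --user-allowed-to-authenticate-to values in this thread are SDDL with a conditional (callback) ACE: (XA;OICI;CR;;;WD;(cond)) grants the right to Everyone (WD) only while cond evaluates to True. The Python below is an added example for this thread, not Samba code and not written by either participant. It parses that SDDL, evaluates the condition against a constructed account (group SIDs plus an assumed ad://ext/AuthenticationSilo attribute) with the three-valued True / False / Unknown rules that MS-DTYP defines for conditional ACEs, and shows what each expression grants on its own: `@USER.ad://ext/AuthenticationSilo != "win11-silo"` passes every account whose silo attribute is present and differs, `Not_Member_of(SID(<Domain Admins>))` passes every account that is not in Domain Admins, and an account with no silo attribute at all makes the first condition Unknown, which never grants. It says nothing about whether the KDC applies the policy to a given account (the msDS-AssignedAuthNPolicy question raised above); it only evaluates the expression. The silo names and accounts are constructed; the Domain Admins SID is the one quoted in the command above.

```python
"""SDDL conditional-ACE evaluator for AD / Samba authentication policies (the
--user-allowed-to-authenticate-to value).  Added example for this thread, not Samba
code; True / False / Unknown follow the MS-DTYP conditional-ACE rules."""
import re
from collections import namedtuple

Token = namedtuple("Token", "sids attrs")  # the account's group SIDs and @USER.<name> attributes
_TOK_RE = re.compile(r'\s*(?:(?P<str>"[^"]*")|(?P<op>&&|\|\||==|!=|!|[(){}])'
                     r'|(?P<attr>@USER\.[^\s=!)]+)|(?P<ident>[A-Za-z_][\w\-]*))')
# Three-valued logic: None is Unknown, e.g. the account carries no silo attribute at all.
_LOGIC = {"||": lambda a, b: True if True in (a, b) else (None if None in (a, b) else False),
          "&&": lambda a, b: False if False in (a, b) else (None if None in (a, b) else True)}

class _Cond:
    """Recursive-descent evaluator for ||, &&, !, ( ), ==, != and
    (Not_)Member_of{SID(...)}; parentheses are accepted in place of braces."""
    def __init__(self, text, token):
        self.toks = [(m.lastgroup, m.group(m.lastgroup)) for m in _TOK_RE.finditer(text)]
        self.toks.append(("end", ""))  # sentinel so take() never runs off the end
        self.i, self.tok = 0, token
    def take(self):
        tok = self.toks[self.i]
        self.i = min(self.i + 1, len(self.toks) - 1)
        return tok
    def expect(self, val):
        if self.take()[1] != val:
            raise ValueError(f"expected {val!r} before token {self.i}")
    def parse(self):
        r = self.expr()
        if self.toks[self.i][0] != "end":
            raise ValueError("trailing tokens in condition")
        return r
    def expr(self, level=0):  # level 0 binds ||, level 1 binds &&, level 2 is a primary
        if level == 2:
            return self.primary()
        op, r = ("||", "&&")[level], self.expr(level + 1)
        while self.toks[self.i][1] == op:
            self.take()
            r = _LOGIC[op](r, self.expr(level + 1))
        return r
    def primary(self):
        kind, val = self.take()
        if val == "!":
            r = self.primary()
            return None if r is None else not r
        if val == "(":
            r = self.expr()
            self.expect(")")
            return r
        if kind == "ident" and val.lower() in ("member_of", "not_member_of"):
            close = {"(": ")", "{": "}"}[self.take()[1]]
            self.expect("SID")
            self.expect("(")
            member = self.take()[1] in self.tok.sids
            self.expect(")")
            self.expect(close)
            return member if val.lower() == "member_of" else not member
        left = self.operand((kind, val))
        op = self.take()[1]
        right = self.operand(self.take())
        if op not in ("==", "!="):
            raise ValueError(f"unsupported operator {op!r}")
        if left is None or right is None:  # attribute absent on the account -> Unknown
            return None
        return (left == right) if op == "==" else (left != right)
    def operand(self, tok):
        kind, val = tok
        if kind == "str":
            return val[1:-1]
        if kind == "attr":
            return self.tok.attrs.get(val[len("@USER."):])  # None when the account lacks it
        raise ValueError(f"unexpected token {val!r}")

def parse_aces(sddl):
    """ACE field dicts from O:..G:..D:(ace)(ace)...; a condition keeps its outer parentheses."""
    _, sep, dacl = sddl.partition("D:")  # DACL flags (P, AI, ...) are skipped by the scanner
    if not sep:
        raise ValueError("no DACL in security descriptor")
    names = ("type", "flags", "rights", "objtype", "inhtype", "trustee", "cond")
    aces, depth, start = [], 0, 0
    for i, ch in enumerate(dacl):
        if ch == "(":
            start, depth = (i + 1 if depth == 0 else start), depth + 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                aces.append(dict(zip(names, dacl[start:i].split(";", 6))))
    if depth:
        raise ValueError("unbalanced parentheses in DACL")
    return aces

def authentication_allowed(sddl, token):
    """First ACE for WD (Everyone) or a SID the account holds whose condition is True
    decides: XA/A allows, XD/D denies.  Unknown never grants, so no decision -> denied."""
    for ace in parse_aces(sddl):
        if ace["trustee"] in ("WD", *token.sids):
            result = _Cond(ace["cond"], token).parse() if ace.get("cond") else True
            if result is True:
                return ace["type"] in ("XA", "A")
    return False

# Constructed sample data: the two policies from the thread, and accounts to test them with.
DOMAIN_ADMINS = "S-1-5-21-1359888689-2238436679-1068688124-512"
SILO_POLICY = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != "win11-silo"))'
GROUP_POLICY = f"O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_Member_of(SID({DOMAIN_ADMINS}))))"
def account(silo=None, *sids):  # silo=None models a user with no AuthenticationSilo attribute
    return Token(frozenset(sids), {"ad://ext/AuthenticationSilo": silo} if silo else {})
```

Running `authentication_allowed(SILO_POLICY, account("win11-silo"))` yields False and `account("other-silo")` yields True, while `account()` (no attribute) yields False because the comparison is Unknown. `authentication_allowed(GROUP_POLICY, account())` yields True and `account(None, DOMAIN_ADMINS)` yields False, i.e. Not_Member_of excludes the listed group rather than restricting access to it. To express "only Domain Admins" the condition would be `Member_of{SID(...)}`; to combine checks, `&&`, `||` and `!` are handled with the same Unknown propagation.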
