authentication policies in Samba 4.21

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Mon Oct 28 22:03:02 UTC 2024


On 25/10/24 09:01, Stefan Kania wrote:

> Douglas, have you ever got it working?

A fair question. Running Samba is not a thing I do. But you spurred me
to have a go. It was hard.

In the end I traced what our interactive tests do, which is this
(test_user_silo_access in python/samba/tests/blackbox/claims.py):

bin/samba-tool domain auth policy create --enforce --name=win11-policy

bin/samba-tool domain auth silo create --enforce --name=win11-silo \
     --user-authentication-policy=win11-policy \
     --computer-authentication-policy=win11-policy \
     --service-authentication-policy=win11-policy

bin/samba-tool domain auth policy computer-allowed-to-authenticate-to set --name=win11-policy --by-silo=win11-silo

bin/samba-tool domain auth silo member grant --name=win11-silo --member=win11client$

bin/samba-tool domain auth silo member grant --name=win11-silo --member=stka

bin/samba-tool user auth silo assign win11client$ --silo=win11-silo

bin/samba-tool user auth silo assign stka --silo=win11-silo


If you go:

 kdestroy -A
 kinit stka
 bin/net ads kerberos pac dump -Ustka | grep -A 20 PAC_TYPE_CLIENT_CLAIMS_INFO

you should see something like this:

                type                     : PAC_TYPE_CLIENT_CLAIMS_INFO (13)
                _ndr_size                : 0x000000f0 (240)
                info                     : *
                    info                     : union PAC_INFO(case 13)
                    client_claims_info: struct DATA_BLOB_REM
                        remaining                : DATA_BLOB length=240
[0000] 01 10 08 00 CC CC CC CC   E0 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 02 00 B8 00 00 00   04 00 02 00 00 00 00 00   ........ ........
[0020] B8 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0030] B8 00 00 00 01 10 08 00   CC CC CC CC A8 00 00 00   ........ ........
[0040] 00 00 00 00 00 00 02 00   01 00 00 00 04 00 02 00   ........ ........
[0050] 00 00 00 00 00 00 00 00   00 00 00 00 01 00 00 00   ........ ........
[0060] 01 00 00 00 01 00 00 00   08 00 02 00 01 00 00 00   ........ ........
[0070] 0C 00 02 00 03 00 03 00   01 00 00 00 10 00 02 00   ........ ........
[0080] 1C 00 00 00 00 00 00 00   1C 00 00 00 61 00 64 00   ........ ....a.d.
[0090] 3A 00 2F 00 2F 00 65 00   78 00 74 00 2F 00 41 00   :././.e. x.t./.A.
[00A0] 75 00 74 00 68 00 65 00   6E 00 74 00 69 00 63 00   u.t.h.e. n.t.i.c.
[00B0] 61 00 74 00 69 00 6F 00   6E 00 53 00 69 00 6C 00   a.t.i.o. n.S.i.l.
[00C0] 6F 00 00 00 01 00 00 00   14 00 02 00 0A 00 00 00   o....... ........
[00D0] 00 00 00 00 0A 00 00 00   77 00 69 00 6E 00 31 00   ........ w.i.n.1.
[00E0] 31 00 73 00 69 00 6C 00   6F 00 00 00 00 00 00 00   1.s.i.l. o......

You want to see this bit:

  ........ ....a.d.
  :././.e. x.t./.A.
  u.t.h.e. n.t.i.c.
  a.t.i.o. n.S.i.l.
  o....... ........

which means the silo is there.

If you don't see that, then changing the policy conditions won't matter.

If you do see that, then changing the conditions will work.


The thing I missed, but Jennifer didn't, is that '--user-allowed-to-authenticate-to=win11client4'
is not --{subject}-{verb}={object}, it is --{object-type}-{verb}-{object}.

That means you want '--computer-allowed-to-authenticate-to=win11client$'.

cheers,
Douglas
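The PAC check Douglas describes above, as an added example (my code, not his and not part of Samba): a Python script that rebuilds the claims blob from the `net ads kerberos pac dump` hex lines and pulls out the NDR-encoded UTF-16 strings, so the `ad://ext/AuthenticationSilo` claim and its value can be confirmed by a script instead of by reading the ASCII column. The dump_data line layout (`[offset]` followed by up to 16 hex bytes) and the string-header heuristic (max_count, offset 0, actual_count, then characters) are assumptions of mine, not a full NDR parser.

```python
import re
import struct
# Sample input: the DATA_BLOB hex lines from the dump quoted above (240 bytes), embedded to run offline.
PAC_DUMP = """\
[0000] 01 10 08 00 CC CC CC CC   E0 00 00 00 00 00 00 00   ........ ........
[0010] 00 00 02 00 B8 00 00 00   04 00 02 00 00 00 00 00   ........ ........
[0020] B8 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00   ........ ........
[0030] B8 00 00 00 01 10 08 00   CC CC CC CC A8 00 00 00   ........ ........
[0040] 00 00 00 00 00 00 02 00   01 00 00 00 04 00 02 00   ........ ........
[0050] 00 00 00 00 00 00 00 00   00 00 00 00 01 00 00 00   ........ ........
[0060] 01 00 00 00 01 00 00 00   08 00 02 00 01 00 00 00   ........ ........
[0070] 0C 00 02 00 03 00 03 00   01 00 00 00 10 00 02 00   ........ ........
[0080] 1C 00 00 00 00 00 00 00   1C 00 00 00 61 00 64 00   ........ ....a.d.
[0090] 3A 00 2F 00 2F 00 65 00   78 00 74 00 2F 00 41 00   :././.e. x.t./.A.
[00A0] 75 00 74 00 68 00 65 00   6E 00 74 00 69 00 63 00   u.t.h.e. n.t.i.c.
[00B0] 61 00 74 00 69 00 6F 00   6E 00 53 00 69 00 6C 00   a.t.i.o. n.S.i.l.
[00C0] 6F 00 00 00 01 00 00 00   14 00 02 00 0A 00 00 00   o....... ........
[00D0] 00 00 00 00 0A 00 00 00   77 00 69 00 6E 00 31 00   ........ w.i.n.1.
[00E0] 31 00 73 00 69 00 6C 00   6F 00 00 00 00 00 00 00   1.s.i.l. o......
"""
SILO_CLAIM_ID = "ad://ext/AuthenticationSilo"
HEXLINE = re.compile(r"^\s*\[([0-9A-Fa-f]{4})\]((?:[ \t]+[0-9A-Fa-f]{2}){1,16})", re.M)

def parse_hexdump(text):
    """Rebuild the raw blob from the hex dump lines, ignoring the NDR header lines."""
    blob = bytearray()
    for m in HEXLINE.finditer(text):
        if int(m.group(1), 16) != len(blob):
            raise ValueError("offset gap in hex dump")
        blob += bytes.fromhex("".join(m.group(2).split()))
    return bytes(blob)
def ndr_strings(blob):
    """Yield UTF-16LE strings laid out as NDR conformant-varying arrays (assumed layout):
    max_count, offset (0), actual_count as uint32 LE, then the characters incl. NUL."""
    pos = 0
    while pos + 12 <= len(blob):
        mx, off, n = struct.unpack_from("<III", blob, pos)
        end = pos + 12 + 2 * n
        if mx == n and off == 0 and 1 < n <= 256 and end <= len(blob):
            s = blob[pos + 12:end].decode("utf-16-le", errors="ignore")
            if s.endswith("\0") and s[:-1].isprintable():
                yield s[:-1]
                pos = (end + 3) & ~3  # NDR aligns the next field to 4 bytes
                continue
        pos += 4  # not a string header here; try the next 4-byte slot
def silo_from_dump(text):
    """Silo name that follows the AuthenticationSilo claim ID, or None if absent."""
    strings = list(ndr_strings(parse_hexdump(text)))
    i = strings.index(SILO_CLAIM_ID) + 1 if SILO_CLAIM_ID in strings else len(strings)
    return strings[i] if i < len(strings) else None
```

`silo_from_dump(PAC_DUMP)` returns `win11silo`; on a dump with no silo claim it returns None, which is the case where changing the policy conditions will not matter.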
