authentication policies in Samba 4.21
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Mon Oct 28 22:03:02 UTC 2024
On 25/10/24 09:01, Stefan Kania wrote:
> Douglas, have you ever got it working?
A fair question. Running Samba is not a thing I do. But you spurred me
to have a go. It was hard.
In the end I traced what our interactive tests do, which is this
(test_user_silo_access in python/samba/tests/blackbox/claims.py):
bin/samba-tool domain auth policy create --enforce --name=win11-policy
bin/samba-tool domain auth silo create --enforce --name=win11-silo \
    --user-authentication-policy=win11-policy \
    --computer-authentication-policy=win11-policy \
    --service-authentication-policy=win11-policy
bin/samba-tool domain auth policy computer-allowed-to-authenticate-to set --name=win11-policy --by-silo=win11-silo
bin/samba-tool domain auth silo member grant --name=win11-silo --member=win11client$
bin/samba-tool domain auth silo member grant --name=win11-silo --member=stka
bin/samba-tool user auth silo assign win11client$ --silo=win11-silo
bin/samba-tool user auth silo assign stka --silo=win11-silo
If you go:
kdestroy -A
kinit stka
bin/net ads kerberos pac dump -Ustka | grep -A 20 PAC_TYPE_CLIENT_CLAIMS_INFO
you should see something like this:
type : PAC_TYPE_CLIENT_CLAIMS_INFO (13)
_ndr_size : 0x000000f0 (240)
info : *
info : union PAC_INFO(case 13)
client_claims_info: struct DATA_BLOB_REM
remaining : DATA_BLOB length=240
[0000] 01 10 08 00 CC CC CC CC E0 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 02 00 B8 00 00 00 04 00 02 00 00 00 00 00 ........ ........
[0020] B8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0030] B8 00 00 00 01 10 08 00 CC CC CC CC A8 00 00 00 ........ ........
[0040] 00 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 ........ ........
[0050] 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ........ ........
[0060] 01 00 00 00 01 00 00 00 08 00 02 00 01 00 00 00 ........ ........
[0070] 0C 00 02 00 03 00 03 00 01 00 00 00 10 00 02 00 ........ ........
[0080] 1C 00 00 00 00 00 00 00 1C 00 00 00 61 00 64 00 ........ ....a.d.
[0090] 3A 00 2F 00 2F 00 65 00 78 00 74 00 2F 00 41 00 :././.e. x.t./.A.
[00A0] 75 00 74 00 68 00 65 00 6E 00 74 00 69 00 63 00 u.t.h.e. n.t.i.c.
[00B0] 61 00 74 00 69 00 6F 00 6E 00 53 00 69 00 6C 00 a.t.i.o. n.S.i.l.
[00C0] 6F 00 00 00 01 00 00 00 14 00 02 00 0A 00 00 00 o....... ........
[00D0] 00 00 00 00 0A 00 00 00 77 00 69 00 6E 00 31 00 ........ w.i.n.1.
[00E0] 31 00 73 00 69 00 6C 00 6F 00 00 00 00 00 00 00 1.s.i.l. o......
You want to see this bit:
........ ....a.d.
:././.e. x.t./.A.
u.t.h.e. n.t.i.c.
a.t.i.o. n.S.i.l.
o....... ........
which means the silo is there.
If you don't see that, then changing the policy conditions won't matter.
If you do see that, then changing the conditions will work.
The thing I missed, but Jennifer didn't, is that '--user-allowed-to-authenticate-to=win11client4'
is not --{subject}-{verb}={object}, it is --{object-type}-{verb}-{object}.
That means you want '--computer-allowed-to-authenticate-to=win11client$'.
cheers,
Douglas
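The "look for this bit" check above can be mechanised. The script below is an added example, not part of this email or of Samba: it takes the PAC_TYPE_CLIENT_CLAIMS_INFO hex dump quoted in the message (embedded as a constructed sample), rebuilds the raw bytes, pulls out the NUL-terminated UTF-16LE strings the way `strings -el` would, and reports whether the claim id `ad://ext/AuthenticationSilo` is present and what value follows it. It also checks the four-byte NDR "actual count" that precedes each conformant/varying string (the `1C 00 00 00` and `0A 00 00 00` words in the dump), so a stray byte sequence that merely looks like the id is not mistaken for the claim. It is a diagnostic heuristic, not a full NDR parser of the CLAIMS_SET structure; the value it returns is the next string in the blob, which is correct for a single-valued string claim like this one. The function names and the 240-byte sample are the only assumptions.

```python
"""Check a `net ads kerberos pac dump` hex dump for the AuthenticationSilo claim.

Added example; not part of the original email or of Samba. Rebuilds the
PAC_TYPE_CLIENT_CLAIMS_INFO bytes from the dump text, extracts UTF-16LE
strings, and confirms the silo claim id and its value are present.
"""
from __future__ import annotations

import re
import string

# Constructed sample: the hex dump lines exactly as quoted in the email.
PAC_DUMP = """\
[0000] 01 10 08 00 CC CC CC CC E0 00 00 00 00 00 00 00 ........ ........
[0010] 00 00 02 00 B8 00 00 00 04 00 02 00 00 00 00 00 ........ ........
[0020] B8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[0030] B8 00 00 00 01 10 08 00 CC CC CC CC A8 00 00 00 ........ ........
[0040] 00 00 00 00 00 00 02 00 01 00 00 00 04 00 02 00 ........ ........
[0050] 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ........ ........
[0060] 01 00 00 00 01 00 00 00 08 00 02 00 01 00 00 00 ........ ........
[0070] 0C 00 02 00 03 00 03 00 01 00 00 00 10 00 02 00 ........ ........
[0080] 1C 00 00 00 00 00 00 00 1C 00 00 00 61 00 64 00 ........ ....a.d.
[0090] 3A 00 2F 00 2F 00 65 00 78 00 74 00 2F 00 41 00 :././.e. x.t./.A.
[00A0] 75 00 74 00 68 00 65 00 6E 00 74 00 69 00 63 00 u.t.h.e. n.t.i.c.
[00B0] 61 00 74 00 69 00 6F 00 6E 00 53 00 69 00 6C 00 a.t.i.o. n.S.i.l.
[00C0] 6F 00 00 00 01 00 00 00 14 00 02 00 0A 00 00 00 o....... ........
[00D0] 00 00 00 00 0A 00 00 00 77 00 69 00 6E 00 31 00 ........ w.i.n.1.
[00E0] 31 00 73 00 69 00 6C 00 6F 00 00 00 00 00 00 00 1.s.i.l. o......
"""

# Claim id that carries the silo name in the PAC (as seen in the dump above).
SILO_CLAIM_ID = "ad://ext/AuthenticationSilo"

OFFSET_TOKEN = re.compile(r"\[[0-9A-Fa-f]{4}\]")


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from `[offset] xx xx ... <printable column>` dump lines."""
    out = bytearray()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not OFFSET_TOKEN.fullmatch(parts[0]):
            continue  # not a hex dump line (e.g. the ndr field headers)
        offset = int(parts[0][1:-1], 16)
        if offset != len(out):
            raise ValueError(f"hex dump is not contiguous at offset {offset:#06x}")
        for tok in parts[1:17]:  # at most 16 bytes per line
            if len(tok) != 2 or not all(c in string.hexdigits for c in tok):
                break  # reached the printable-character column on the right
            out.append(int(tok, 16))
    return bytes(out)


def utf16le_strings(data: bytes, min_len: int = 4) -> list[tuple[int, str]]:
    """Find NUL-terminated runs of printable ASCII encoded as UTF-16LE (like `strings -el`)."""
    found: list[tuple[int, str]] = []
    i = 0
    while i + 1 < len(data):
        start = i
        chars: list[str] = []
        while i + 1 < len(data) and data[i + 1] == 0 and 0x20 <= data[i] < 0x7F:
            chars.append(chr(data[i]))
            i += 2
        if len(chars) >= min_len and data[i:i + 2] == b"\x00\x00":
            found.append((start, "".join(chars)))
        if i == start:
            i += 1
    return found


def ndr_actual_count(data: bytes, string_offset: int) -> int:
    """The 4 LE bytes before an NDR conformant/varying string: its element count, NUL included."""
    if string_offset < 4:
        return -1
    return int.from_bytes(data[string_offset - 4:string_offset], "little")


def silo_claim_value(data: bytes) -> str | None:
    """Return the AuthenticationSilo claim value, '' if the id has no string value, None if absent."""
    strings = utf16le_strings(data)
    for idx, (off, text) in enumerate(strings):
        if text != SILO_CLAIM_ID:
            continue
        if ndr_actual_count(data, off) != len(text) + 1:
            continue  # looks like the id, but the NDR count disagrees: not a real string element
        if idx + 1 < len(strings):
            val_off, val = strings[idx + 1]
            if ndr_actual_count(data, val_off) == len(val) + 1:
                return val
        return ""
    return None


if __name__ == "__main__":
    value = silo_claim_value(parse_hexdump(PAC_DUMP))
    if value is None:
        print("no AuthenticationSilo claim in the PAC: fix silo membership before touching policy conditions")
    else:
        print(f"AuthenticationSilo claim present, value {value!r}")
```

To run it against a live ticket, pipe the output of `bin/net ads kerberos pac dump -U<user>` into `parse_hexdump` after cutting out the PAC_TYPE_CLIENT_CLAIMS_INFO section (the `grep -A 20` from the message is enough); a `None` result is the "changing the policy conditions won't matter" case, and a silo name is the case where they will.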