authentication policies in Samba 4.21
Stefan Kania
stefan at kania-online.de
Tue Oct 29 10:06:09 UTC 2024
On 28.10.24 at 23:26, Douglas Bagnall via samba-technical wrote:
> On 29/10/24 02:29, Stefan Kania wrote:
>> Starting from the beginning. Set up the Domain with:
>> samba-tool domain provision --domain=example --realm=example.net --host-ip=192.168.56.21 --backend-store=mdb --dns-backend=BIND9_DLZ --adminpass=Passw0rd --function-level=2016 --option="ad dc functional level = 2016"
>>
>> Create some users and groups.
>>
>> Then start the show:
>> -------------------------
>> Creating the two GPOs
>> 1. default domain controller policy
>> Setting KDC for claims
>
> I'm not actually sure what this part does (which is normal for me and GPOs).
Without the GPOs claims will not work and so auth-policies won't work.
>
>> 2. default domain policy
>> Setting Kerberos for claims
>>
>> 3. All steps to create the auth-policy and auth-silo and assigning the policy
>> samba-tool domain auth policy create --name win11-policy --enforce
>> samba-tool domain auth policy modify --user-tgt-lifetime-mins=90 --name win11-policy
>> samba-tool domain auth silo create --name win11-silo --enforce
>> samba-tool domain auth silo member grant --name win11-silo --member=stka
>
> At this point you should be able to see the silo claim in a new kerberos ticket,
> using `net ads kerberos pac dump -Ustka`.
No. I got:
root@dc01:~# net ads kerberos pac dump -Ustka
Password for [EXAMPLE\stka]:
failed to query kerberos PAC: NT_STATUS_LOGON_FAILURE
Then I added "-d 4" to the command to see a little bit more and I got:
-----------
Password for [EXAMPLE\stka]:
ads_krb5_mk_req: smb_krb5_get_credentials failed for DC01$@EXAMPLE.NET
(Ticket expired)
failed to get ticket for DC01$@EXAMPLE.NET: Ticket expired
failed to query kerberos PAC: NT_STATUS_LOGON_FAILURE
return code = -1
-----------
That's strange.
One more thing:
If I do "kinit stka" and right after getting the ticket I do a klist,
I'm getting
------------------
root@dc01:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: stka@EXAMPLE.NET
Issued Expires Principal
Oct 29 10:46:25 2024 >>>Expired<<< krbtgt/EXAMPLE.NET@EXAMPLE.NET
------------------
Then I recreated the policy and the silo, this time without:
--------
samba-tool domain auth policy modify --user-tgt-lifetime-mins=90 --name win11-policy
--------
Again "kinit stka" and klist:
---------
root@dc01:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: stka@EXAMPLE.NET
Issued Expires Principal
Oct 29 10:51:55 2024 Oct 29 14:51:55 2024 krbtgt/EXAMPLE.NET@EXAMPLE.NET
---------
The ticket is only valid for 4 hours because the user is a member of the
"Protected Users" group. Then I again did "net ads kerberos pac dump -Ustka".
Now I see a lot of PAC information.
As soon as I add the --user-tgt-lifetime-mins the problem with the
expired ticket is back.
>
>> samba-tool domain auth silo member grant --name win11-silo --member=WINCLIENT11\$
>> samba-tool domain auth policy user-allowed-to-authenticate-to set --by-silo=win11-silo --name=win11-policy
>
> *computer-allowed-to-authenticate-to
>
> It would have been better for us to name this
>
> allowed-to-authenticate-to-computer
>
> but I guess we are following the object names from Microsoft.
The name should stay because it's exactly the same as in the
Microsoft world.
>
> The rest of the trouble probably follows from this.
>
> If that's not enough, we might need to look at
>
> ldbsearch --url=/var/lib/samba/private/sam.ldb '(|(CN=stka)(CN=win11*))' --cross-ncs
>
I did
ldbsearch --url=/var/lib/samba/private/sam.ldb '(|(CN=stka)(CN=win11*)(CN=WINCLIENT11*))' --cross-ncs
to also see the computer object and I got:
------------------------
# record 1
dn: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
objectClass: top
objectClass: msDS-AuthNPolicySilo
cn: win11-silo
instanceType: 4
whenCreated: 20241029092704.0Z
uSNCreated: 4336
name: win11-silo
objectGUID: da5fcab5-8081-463d-8746-e9f5117b1208
objectCategory: CN=ms-DS-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=example,DC=net
msDS-AuthNPolicySiloEnforced: TRUE
msDS-AuthNPolicySiloMembers: CN=stka,OU=firma,DC=example,DC=net
msDS-AuthNPolicySiloMembers: CN=WINCLIENT11,OU=firma,DC=example,DC=net
whenChanged: 20241029092715.0Z
uSNChanged: 4338
distinguishedName: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
# record 2
dn: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
objectClass: top
objectClass: msDS-AuthNPolicy
cn: win11-policy
instanceType: 4
whenCreated: 20241029092655.0Z
uSNCreated: 4334
name: win11-policy
objectGUID: 98571bf9-7ea3-4bb0-b491-3a53cf78ce85
objectCategory: CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net
msDS-AuthNPolicyEnforced: TRUE
msDS-StrongNTLMPolicy: 0
msDS-UserTGTLifetime: 90
msDS-UserAllowedToAuthenticateTo::
AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABRIAAAA
BAQAAAAAABRIAAAAEAHgAAQAAAAkDcAAAAQAAAQEAAAAAAAEAAAAAYXJ0ePk2AAAAYQBkADoALwAv
AGUAeAB0AC8AQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAFMAaQBsAG8AEBQAAAB3AGkAbgAxA
DEALQBzAGkAbABvAIAAAAA=
whenChanged: 20241029092721.0Z
uSNChanged: 4339
msDS-AssignedAuthNPolicyBL: CN=stka,OU=firma,DC=example,DC=net
msDS-AssignedAuthNPolicyBL: CN=WINCLIENT11,OU=firma,DC=example,DC=net
distinguishedName: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
# record 3
dn: CN=stka,OU=firma,DC=example,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: stka
instanceType: 4
whenCreated: 20241025171359.0Z
uSNCreated: 4195
name: stka
objectGUID: daa92975-185f-4c9b-90a3-d13da8108abf
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-772918318-2857192760-2291337991-1104
accountExpires: 9223372036854775807
sAMAccountName: stka
sAMAccountType: 805306368
userPrincipalName: stka@example.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=net
pwdLastSet: 133743500399319404
userAccountControl: 512
memberOf: CN=alle,OU=firma,DC=example,DC=net
memberOf: CN=sgroup,OU=firma,DC=example,DC=net
memberOf: CN=Protected Users,CN=Users,DC=example,DC=net
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=net
lastLogonTimestamp: 133743524059766370
msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AssignedAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
whenChanged: 20241029092727.0Z
uSNChanged: 4340
lastLogon: 133746677564366140
logonCount: 214
distinguishedName: CN=stka,OU=firma,DC=example,DC=net
# record 4
dn: CN=WINCLIENT11,OU=firma,DC=example,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: WINCLIENT11
instanceType: 4
whenCreated: 20241025172227.0Z
uSNCreated: 4209
name: WINCLIENT11
objectGUID: 714a6f9c-570f-487c-952b-16074c079108
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
pwdLastSet: 133743505478840387
primaryGroupID: 515
objectSid: S-1-5-21-772918318-2857192760-2291337991-1109
accountExpires: 9223372036854775807
sAMAccountName: WINCLIENT11$
sAMAccountType: 805306369
dNSHostName: winclient11.example.net
servicePrincipalName: HOST/winclient11.example.net
servicePrincipalName: RestrictedKrbHost/winclient11.example.net
servicePrincipalName: HOST/WINCLIENT11
servicePrincipalName: RestrictedKrbHost/WINCLIENT11
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=net
isCriticalSystemObject: FALSE
lastLogonTimestamp: 133743505480976010
operatingSystem: Windows 11 Pro
operatingSystemVersion: 10.0 (22631)
msDS-SupportedEncryptionTypes: 28
lastLogon: 133746671580846550
logonCount: 49
msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AssignedAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
whenChanged: 20241029092733.0Z
uSNChanged: 4341
distinguishedName: CN=WINCLIENT11,OU=firma,DC=example,DC=net
------------------------
Everything looks good to me.
Here is the value of the condition:
root@dc01:~# samba-tool domain auth policy view --name win11-policy
------------------------
{
  "cn": "win11-policy",
  "distinguishedName": "CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "dn": "CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "instanceType": 4,
  "msDS-AuthNPolicyEnforced": true,
  "msDS-StrongNTLMPolicy": 0,
  "msDS-UserAllowedToAuthenticateTo": "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-silo\"))",
  "msDS-UserTGTLifetime": 90,
  "name": "win11-policy",
  "objectCategory": "CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net",
  "objectClass": [
    "top",
    "msDS-AuthNPolicy"
  ],
  "objectGUID": "98571bf9-7ea3-4bb0-b491-3a53cf78ce85"
}
------------------------
So now, for me and how it works in a Microsoft environment: all users
(here stka) who are members of the silo should only be able to log in to
computers which are also members of the silo.
cheers,
Stefan
> cheers,
> Douglas
>
>
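As an added illustration (not code from this thread or from Samba), a small Python evaluator for the conditional ACE form that `samba-tool domain auth policy view` printed above: it parses the `(XA;...;(@USER.<claim> == "<value>"))` ACE and evaluates it against a user's claim set, such as the silo claim a PAC dump would show. This is a simplified model of the silo check for understanding the policy; the KDC performs the real evaluation against the PAC.

```python
import re

# Conditional ACE as printed by `samba-tool domain auth policy view` in the thread.
# XA = callback (conditional) access-allowed ACE, CR = control access right,
# WD = Everyone; the condition narrows it to users carrying the silo claim.
POLICY_SDDL = ('O:SYG:SYD:(XA;OICI;CR;;;WD;'
               '(@USER.ad://ext/AuthenticationSilo == "win11-silo"))')

ACE_RE = re.compile(r'\(XA;([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);\((.*)\)\)')
COND_RE = re.compile(r'@(USER|DEVICE)\.(\S+)\s*==\s*"([^"]*)"')


def parse_conditional_ace(sddl):
    """Return the fields of the single XA ACE in an auth-policy SDDL string.

    Only the '@USER.<claim> == "<value>"' condition form used by silo
    policies is understood (an assumption for this illustration).
    """
    m = ACE_RE.search(sddl)
    if m is None:
        raise ValueError("no conditional (XA) ACE found")
    flags, rights, _obj, _inh_obj, trustee, cond = m.groups()
    cm = COND_RE.fullmatch(cond.strip())
    if cm is None:
        raise ValueError(f"unsupported condition: {cond!r}")
    return {"flags": flags, "rights": rights, "trustee": trustee,
            "source": cm.group(1), "claim": cm.group(2), "expected": cm.group(3)}


def user_allowed_to_authenticate(sddl, user_claims):
    """Evaluate the policy's user condition against a user's claim set.

    user_claims maps claim names (as they appear in the PAC) to values.
    A missing claim does not match: the user is denied, not 'unknown'.
    """
    ace = parse_conditional_ace(sddl)
    return user_claims.get(ace["claim"]) == ace["expected"]


# Constructed claim sets standing in for what `net ads kerberos pac dump`
# would show once the silo claim is issued.
SILO_MEMBER = {"ad://ext/AuthenticationSilo": "win11-silo"}
OTHER_SILO = {"ad://ext/AuthenticationSilo": "finance-silo"}
NO_CLAIM = {}

if __name__ == "__main__":
    for name, claims in [("member", SILO_MEMBER), ("other", OTHER_SILO), ("none", NO_CLAIM)]:
        print(name, user_allowed_to_authenticate(POLICY_SDDL, claims))
```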