authentication policies in Samba 4.21

Stefan Kania stefan at kania-online.de
Tue Oct 29 10:06:09 UTC 2024



On 28.10.24 at 23:26, Douglas Bagnall via samba-technical wrote:
> On 29/10/24 02:29, Stefan Kania wrote:
>> Starting from the beginning. Set up the Domain with:
>> samba-tool domain provision --domain=example --realm=example.net --host-ip=192.168.56.21 --backend-store=mdb
>> --dns-backend=BIND9_DLZ --adminpass=Passw0rd --function-level=2016 --option="ad dc functional level = 2016"
>>
>> Create some users and groups.
>>
>> Then start the show:
>> -------------------------
>> Creating the two GPO
>> 1. default domain controller policy
>> Setting  KDC for claims
> 
> I'm not actually sure what this part does (which is normal for me and GPOs).
Without the GPOs, claims will not work, and so auth-policies won't work.
> 
>> 2. default domain policy
>> Setting Kerberos for claims
>>
>> 3. All steps to create the auth-policy and auth-silo and assigning the policy
>> samba-tool domain  auth policy create --name win11-policy --enforce
>> samba-tool domain  auth policy modify --user-tgt-lifetime-mins=90 --name win11-policy
>> samba-tool domain auth silo create --name win11-silo --enforce
>> samba-tool domain auth silo member grant --name win11-silo --member=stka
> 
> At this point you should be able to see the silo claim in a new kerberos ticket,
> using `net ads kerberos pac dump  -Ustka`.

No. I got:
root@dc01:~# net ads kerberos pac dump -Ustka
Password for [EXAMPLE\stka]:
failed to query kerberos PAC: NT_STATUS_LOGON_FAILURE

Then I added "-d 4" to the command to see a little bit more, and I got:
-----------
Password for [EXAMPLE\stka]:
ads_krb5_mk_req: smb_krb5_get_credentials failed for DC01$@EXAMPLE.NET (Ticket expired)
failed to get ticket for DC01$@EXAMPLE.NET: Ticket expired
failed to query kerberos PAC: NT_STATUS_LOGON_FAILURE
return code = -1
-----------
That's strange.

One more thing:
If I do "kinit stka" and right after getting the ticket I do a klist,
I'm getting
------------------
root@dc01:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
         Principal: stka@EXAMPLE.NET

   Issued                Expires        Principal
Oct 29 10:46:25 2024  >>>Expired<<<  krbtgt/EXAMPLE.NET@EXAMPLE.NET

------------------
Then I recreated the policy and the silo this time without:
--------
samba-tool domain auth policy modify --user-tgt-lifetime-mins=90 --name win11-policy
--------
Again "kinit stka" and klist
---------
root@dc01:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
         Principal: stka@EXAMPLE.NET

   Issued                Expires               Principal
Oct 29 10:51:55 2024  Oct 29 14:51:55 2024  krbtgt/EXAMPLE.NET@EXAMPLE.NET

---------
The ticket is only valid for 4 hours because the user is a member of the
"protected users" group. Then I again did "net ads kerberos pac dump
-Ustka". Now I see a lot of PAC information.
As soon as I add the --user-tgt-lifetime-mins, the problem with the
expired ticket is back.


> 
>> samba-tool domain auth silo member grant --name win11-silo --member=WINCLIENT11\$
>> samba-tool domain  auth policy user-allowed-to-authenticate-to set --by-silo=win11-silo --name=win11-policy
> 
>   *computer-allowed-to-authenticate-to
> 
> It would have been better for us to name this
> 
>    allowed-to-authenticate-to-computer
> 
> but I guess we are following the object names from Microsoft.
The name should stay because it's exactly the same as in the
Microsoft world.
> 
> The rest of the trouble probably follows from this.
> 
> If that's not enough, we might need to look at
> 
> ldbsearch --url=/var/lib/samba/private/sam.ldb '(|(CN=stka)(CN=win11*))' --cross-ncs
> 
I did ldbsearch --url=/var/lib/samba/private/sam.ldb '(|(CN=stka)(CN=win11*)(CN=WINCLIENT11*))' --cross-ncs
to also see the computer object, and I got:
------------------------
# record 1
dn: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
objectClass: top
objectClass: msDS-AuthNPolicySilo
cn: win11-silo
instanceType: 4
whenCreated: 20241029092704.0Z
uSNCreated: 4336
name: win11-silo
objectGUID: da5fcab5-8081-463d-8746-e9f5117b1208
objectCategory: CN=ms-DS-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=example,DC=net
msDS-AuthNPolicySiloEnforced: TRUE
msDS-AuthNPolicySiloMembers: CN=stka,OU=firma,DC=example,DC=net
msDS-AuthNPolicySiloMembers: CN=WINCLIENT11,OU=firma,DC=example,DC=net
whenChanged: 20241029092715.0Z
uSNChanged: 4338
distinguishedName: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net

# record 2
dn: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
objectClass: top
objectClass: msDS-AuthNPolicy
cn: win11-policy
instanceType: 4
whenCreated: 20241029092655.0Z
uSNCreated: 4334
name: win11-policy
objectGUID: 98571bf9-7ea3-4bb0-b491-3a53cf78ce85
objectCategory: CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net
msDS-AuthNPolicyEnforced: TRUE
msDS-StrongNTLMPolicy: 0
msDS-UserTGTLifetime: 90
msDS-UserAllowedToAuthenticateTo:: 
AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABRIAAAA
  BAQAAAAAABRIAAAAEAHgAAQAAAAkDcAAAAQAAAQEAAAAAAAEAAAAAYXJ0ePk2AAAAYQBkADoALwAv
  AGUAeAB0AC8AQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAFMAaQBsAG8AEBQAAAB3AGkAbgAxA
  DEALQBzAGkAbABvAIAAAAA=
whenChanged: 20241029092721.0Z
uSNChanged: 4339
msDS-AssignedAuthNPolicyBL: CN=stka,OU=firma,DC=example,DC=net
msDS-AssignedAuthNPolicyBL: CN=WINCLIENT11,OU=firma,DC=example,DC=net
distinguishedName: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net

# record 3
dn: CN=stka,OU=firma,DC=example,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: stka
instanceType: 4
whenCreated: 20241025171359.0Z
uSNCreated: 4195
name: stka
objectGUID: daa92975-185f-4c9b-90a3-d13da8108abf
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-772918318-2857192760-2291337991-1104
accountExpires: 9223372036854775807
sAMAccountName: stka
sAMAccountType: 805306368
userPrincipalName: stka@example.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=net
pwdLastSet: 133743500399319404
userAccountControl: 512
memberOf: CN=alle,OU=firma,DC=example,DC=net
memberOf: CN=sgroup,OU=firma,DC=example,DC=net
memberOf: CN=Protected Users,CN=Users,DC=example,DC=net
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=net
lastLogonTimestamp: 133743524059766370
msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AssignedAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
whenChanged: 20241029092727.0Z
uSNChanged: 4340
lastLogon: 133746677564366140
logonCount: 214
distinguishedName: CN=stka,OU=firma,DC=example,DC=net

# record 4
dn: CN=WINCLIENT11,OU=firma,DC=example,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: WINCLIENT11
instanceType: 4
whenCreated: 20241025172227.0Z
uSNCreated: 4209
name: WINCLIENT11
objectGUID: 714a6f9c-570f-487c-952b-16074c079108
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
pwdLastSet: 133743505478840387
primaryGroupID: 515
objectSid: S-1-5-21-772918318-2857192760-2291337991-1109
accountExpires: 9223372036854775807
sAMAccountName: WINCLIENT11$
sAMAccountType: 805306369
dNSHostName: winclient11.example.net
servicePrincipalName: HOST/winclient11.example.net
servicePrincipalName: RestrictedKrbHost/winclient11.example.net
servicePrincipalName: HOST/WINCLIENT11
servicePrincipalName: RestrictedKrbHost/WINCLIENT11
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=net
isCriticalSystemObject: FALSE
lastLogonTimestamp: 133743505480976010
operatingSystem: Windows 11 Pro
operatingSystemVersion: 10.0 (22631)
msDS-SupportedEncryptionTypes: 28
lastLogon: 133746671580846550
logonCount: 49
msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AssignedAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
whenChanged: 20241029092733.0Z
uSNChanged: 4341
distinguishedName: CN=WINCLIENT11,OU=firma,DC=example,DC=net

------------------------
Everything looks good to me.

Here is the value from the condition:
root@dc01:~# samba-tool domain auth policy view --name win11-policy
------------------------
{
   "cn": "win11-policy",
   "distinguishedName": "CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "dn": "CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "instanceType": 4,
   "msDS-AuthNPolicyEnforced": true,
   "msDS-StrongNTLMPolicy": 0,
   "msDS-UserAllowedToAuthenticateTo": "O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == \"win11-silo\"))",
   "msDS-UserTGTLifetime": 90,
   "name": "win11-policy",
   "objectCategory": "CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net",
   "objectClass": [
     "top",
     "msDS-AuthNPolicy"
   ],
   "objectGUID": "98571bf9-7ea3-4bb0-b491-3a53cf78ce85"
}

------------------------
So now, for me and how it works in a Microsoft environment: all users
(here stka) who are members of the silo should only be able to log in to
computers which are also members of the silo.

cheers,
Stefan

> cheers,
> Douglas
> 
> 
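As an added illustration (not code from the thread, from Samba or from Microsoft), here is a small Python model of the condition samba-tool wrote into msDS-UserAllowedToAuthenticateTo: the conditional ACE grants the control-access right to Everyone only when the caller presents an AuthenticationSilo claim equal to "win11-silo". The silo-to-claim step is a deliberately simplified assumption of mine; the real KDC only issues the claim when claims are enabled and evaluates the ACE through its own conditional-ACE engine.

```python
import re
from typing import Dict, Tuple

# Constructed from the thread: the descriptor samba-tool wrote for
# "auth policy user-allowed-to-authenticate-to set --by-silo=win11-silo"
# and the silo record returned by ldbsearch.
POLICY_SDDL = ('O:SYG:SYD:(XA;OICI;CR;;;WD;'
               '(@USER.ad://ext/AuthenticationSilo == "win11-silo"))')
WIN11_SILO = {
    "cn": "win11-silo",
    "msDS-AuthNPolicySiloEnforced": "TRUE",
    "msDS-AuthNPolicySiloMembers": [
        "CN=stka,OU=firma,DC=example,DC=net",
        "CN=WINCLIENT11,OU=firma,DC=example,DC=net",
    ],
}
SILO_CLAIM = "ad://ext/AuthenticationSilo"

# (XA;flags;rights;obj;inh;sid;(condition)) is a conditional (callback) ACE
_ACE_RE = re.compile(r'\(XA;(?:[^;]*;){5}\((.*)\)\)')
_TERM_RE = re.compile(r'@USER\.([A-Za-z0-9_:/.\-]+)\s*==\s*"([^"]*)"')

def silo_condition(sddl: str) -> Tuple[str, str]:
    """Extract (claim name, required value) from the policy's conditional ACE."""
    ace = _ACE_RE.search(sddl)
    if ace is None:
        raise ValueError("no conditional (XA) ACE in descriptor")
    term = _TERM_RE.fullmatch(ace.group(1).strip())
    if term is None:
        raise ValueError("unsupported condition: " + ace.group(1))
    return term.group(1), term.group(2)

def silo_claims(user_dn: str, silo: Dict) -> Dict[str, str]:
    """Simplified model (assumption): the KDC issues the AuthenticationSilo
    claim only when the silo is enforced and the account is a member."""
    enforced = silo["msDS-AuthNPolicySiloEnforced"].upper() == "TRUE"
    if enforced and user_dn in silo["msDS-AuthNPolicySiloMembers"]:
        return {SILO_CLAIM: silo["cn"]}
    return {}

def allowed_to_authenticate(sddl: str, claims: Dict[str, str]) -> bool:
    """True when the caller's claims satisfy the condition. An account with
    no silo claim at all (claims disabled, silo not enforced, not a member)
    fails, matching the point in the thread that policies need claims."""
    claim, required = silo_condition(sddl)
    return claims.get(claim) == required

def user_can_authenticate(user_dn: str) -> bool:
    return allowed_to_authenticate(POLICY_SDDL, silo_claims(user_dn, WIN11_SILO))
```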