authentication policies in Samba 4.21

Douglas Bagnall douglas.bagnall at catalyst.net.nz
Wed Oct 30 01:39:59 UTC 2024


On 30/10/24 06:33, Stefan Kania wrote:
> I'm still not getting it working as expected. I have now set up a Windows AD
> (Server 2022) to test it and get the LDAP output for the user, the
> computer, the policy and the silo. I will post it here as soon as I'm
> finished so we can compare the results.

Here is the next pitfall. With

   samba-tool domain auth policy modify --name win11-policy \
       --computer-allowed-to-authenticate-to \
       'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != "win11-silo"))'

the '(@USER.ad://ext/AuthenticationSilo != "win11-silo")' condition will 
first look for '@USER.ad://ext/AuthenticationSilo'. If it does not exist 
(the user is in no silo) this will fail, and the condition will default 
to not-allowing.

In effect this condition says the user needs to be in a silo that isn't 
"win11-silo".

Douglas
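An added illustration, not part of Douglas's message or of Samba's code: a small Python model of the three-valued (True/False/Unknown) evaluation that conditional ACEs use, run over three constructed users (in win11-silo, in another silo, in no silo). It also evaluates an Exists-guarded variant of the expression as an assumption, only to contrast how the missing-attribute case is handled; whether that variant matches the intended policy is not something the thread settles.

```python
from enum import Enum

# Three-valued result of a conditional-ACE expression. A comparison against a
# user attribute that is absent (here: the user is in no silo) is Unknown, and
# an XA (callback allow) ACE grants only when the whole condition is True.
class Tri(Enum):
    TRUE = "True"
    FALSE = "False"
    UNKNOWN = "Unknown"

SILO_ATTR = "ad://ext/AuthenticationSilo"   # @USER.ad://ext/AuthenticationSilo

def attr_ne(user, attr, value):
    """@USER.<attr> != "<value>": Unknown when the attribute does not exist."""
    if attr not in user:
        return Tri.UNKNOWN
    return Tri.TRUE if user[attr] != value else Tri.FALSE

def attr_exists(user, attr):
    """Exists @USER.<attr>: True/False, never Unknown."""
    return Tri.TRUE if attr in user else Tri.FALSE

def tri_not(a):
    return {Tri.TRUE: Tri.FALSE, Tri.FALSE: Tri.TRUE}.get(a, Tri.UNKNOWN)

def tri_or(a, b):
    """Logical ||: True if either side is True, False only if both are False."""
    if Tri.TRUE in (a, b):
        return Tri.TRUE
    return Tri.FALSE if a is Tri.FALSE and b is Tri.FALSE else Tri.UNKNOWN

def allowed_by_xa_ace(cond):
    """XA ACE: Unknown and False both fall through to the default deny."""
    return cond is Tri.TRUE

def page_condition(user):
    # The expression from the email: (@USER.ad://ext/AuthenticationSilo != "win11-silo")
    return attr_ne(user, SILO_ATTR, "win11-silo")

def guarded_condition(user):
    # Assumed variant: (!(Exists @USER.ad://ext/AuthenticationSilo) || (... != "win11-silo"))
    return tri_or(tri_not(attr_exists(user, SILO_ATTR)),
                  attr_ne(user, SILO_ATTR, "win11-silo"))

# Constructed sample users.
USERS = {
    "in win11-silo": {SILO_ATTR: "win11-silo"},
    "in other silo": {SILO_ATTR: "finance-silo"},
    "in no silo": {},
}

def evaluate_all(cond):
    """Map each sample user to whether the XA ACE would grant access."""
    return {name: allowed_by_xa_ace(cond(u)) for name, u in USERS.items()}

if __name__ == "__main__":
    for label, cond in (("page expression", page_condition),
                        ("Exists-guarded", guarded_condition)):
        print(label, evaluate_all(cond))
```

The first line of output shows the pitfall from the email: with the page's expression, a user in no silo is denied, exactly as a user in win11-silo is.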
