authentication policies in Samba 4.21
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Wed Oct 30 01:39:59 UTC 2024
On 30/10/24 06:33, Stefan Kania wrote:
> I'm still not getting it working like expected. I now set up a Windows AD
> (Server 2022) to test it and get the ldap output for the user, the
> computer, the policy and the silo. I will post it here as soon as I'm
> finished to compare the results.
Here is the next pitfall. With

    samba-tool domain auth policy modify --name win11-policy \
        --computer-allowed-to-authenticate-to \
        'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != "win11-silo"))'

the '(@USER.ad://ext/AuthenticationSilo != "win11-silo")' condition will
first look for '@USER.ad://ext/AuthenticationSilo'. If it does not exist
(the user is in no silo) this will fail, and the condition will default
to not-allowing.

In effect this condition says the user needs to be in a silo that isn't
"win11-silo".
Douglas
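
The evaluation described in the message above, as an added example that is not part of the original post and is not Samba's code: a simplified Python model of three-valued conditional-ACE evaluation, run over three constructed users. The function names, the sample users and the Not_Exists variant (an operator from the SDDL conditional expression syntax, shown only for contrast) are assumptions of this example.

```python
# Simplified model of conditional-ACE evaluation (three-valued logic).
# Not Samba's code; the users and helper names below are constructed.
from enum import Enum

class Tri(Enum):
    TRUE = "true"
    FALSE = "false"
    UNKNOWN = "unknown"

SILO = "ad://ext/AuthenticationSilo"

def claim_ne(claims, name, literal):
    """@USER.<name> != literal: a missing claim gives UNKNOWN, not TRUE."""
    if name not in claims:
        return Tri.UNKNOWN
    return Tri.TRUE if claims[name] != literal else Tri.FALSE

def not_exists(claims, name):
    """Not_Exists @USER.<name>: decidable whether or not the claim is set."""
    return Tri.TRUE if name not in claims else Tri.FALSE

def tri_or(a, b):
    """||: TRUE if either side is TRUE, FALSE if both FALSE, else UNKNOWN."""
    if Tri.TRUE in (a, b):
        return Tri.TRUE
    if a is Tri.FALSE and b is Tri.FALSE:
        return Tri.FALSE
    return Tri.UNKNOWN

def allow_ace_grants(result):
    """An allow (XA) ACE applies only when its condition is TRUE."""
    return result is Tri.TRUE

def policy_as_posted(claims):
    # (@USER.<silo> != "win11-silo")
    return allow_ace_grants(claim_ne(claims, SILO, "win11-silo"))

def policy_with_not_exists(claims):
    # (Not_Exists @USER.<silo>) || (@USER.<silo> != "win11-silo")
    cond = tri_or(not_exists(claims, SILO),
                  claim_ne(claims, SILO, "win11-silo"))
    return allow_ace_grants(cond)

# Constructed sample users: claim name -> value
USERS = {
    "no-silo": {},
    "in-win11-silo": {SILO: "win11-silo"},
    "in-other-silo": {SILO: "other-silo"},
}

if __name__ == "__main__":
    for name, claims in USERS.items():
        print(name, policy_as_posted(claims), policy_with_not_exists(claims))
```

Only the user in no silo gets a different result from the two conditions; the posted condition denies that user because the comparison never becomes TRUE.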