authentication policies in Samba 4.21

Stefan Kania stefan at kania-online.de
Wed Oct 30 16:57:21 UTC 2024


Hi Douglas

On 30.10.24 at 02:39, Douglas Bagnall via samba-technical wrote:
> On 30/10/24 06:33, Stefan Kania wrote:
>> I'm still not getting it working as expected. I have now set up a Windows 
>> AD (Server 2022) to test it and get the LDAP output for the user, the 
>> computer, the policy and the silo. I will post it here as soon as I'm 
>> finished, to compare the results.
> 
> Here is the next pitfall. With
> 
>    samba-tool domain auth policy modify --name win11-policy \
>     --computer-allowed-to-authenticate-to \
>      'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != "win11-silo"))'
> 
> the '(@USER.ad://ext/AuthenticationSilo != "win11-silo")' condition will 
> first look for '@USER.ad://ext/AuthenticationSilo'. If it does not exist 
> (the user is in no silo) this will fail, and the condition will default 
> to not-allowing.
> 
> In effect this condition says the user needs to be in a silo that isn't 
> "win11-silo".

Yes, I know; that was something I tried.

Now I have configured the auth-policy and auth-silo on a Windows Server 
2022 Active Directory. I used the same names, so it is easy to follow. 
Here you see what I get when searching for the user, the client, the 
silo and the policy:
------------------------
root at debclient:~# ldbsearch -H ldap://win2022.winexample.net '(|(CN=st ka)(CN=win11*)(cn=winclient11))' --cross-ncs -U administrator
Password for [WINEXAMPLE\administrator]:
# record 1
dn: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
objectClass: top
objectClass: msDS-AuthNPolicy
cn: win11-policy
distinguishedName: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
instanceType: 4
whenCreated: 20241030153647.0Z
whenChanged: 20241030161452.0Z
uSNCreated: 20506
uSNChanged: 24650
name: win11-policy
objectGUID: 37e6612a-15bf-4540-b1b2-db136a1cb877
objectCategory: CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=winexample,DC=net
dSCorePropagationData: 20241030153647.0Z
dSCorePropagationData: 16010101000000.0Z
msDS-UserAllowedToAuthenticateTo:: 
AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABRIAAAA
  BAQAAAAAABRIAAAACAHgAAQAAAAkDcAAAAQAAAQEAAAAAAAEAAAAAYXJ0ePk2AAAAYQBkADoALwAv
  AGUAeAB0AC8AQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAFMAaQBsAG8AEBQAAAB3AGkAbgAxA
  DEALQBzAGkAbABvAIAAAAA=
msDS-UserAllowedToAuthenticateFrom:: 
AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABRIAA
  AABAQAAAAAABRIAAAACAHgAAQAAAAkDcAAAAQAAAQEAAAAAAAEAAAAAYXJ0ePk2AAAAYQBkADoALw
  AvAGUAeAB0AC8AQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAFMAaQBsAG8AEBQAAAB3AGkAbgA
  xADEALQBzAGkAbABvAIAAAAA=
msDS-UserTGTLifetime: 72000000000
msDS-ComputerAllowedToAuthenticateTo:: 
AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABRI
  AAAABAQAAAAAABRIAAAACAHgAAQAAAAkDcAAAAQAAAQEAAAAAAAEAAAAAYXJ0ePk2AAAAYQBkADoA
  LwAvAGUAeAB0AC8AQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAFMAaQBsAG8AEBQAAAB3AGkAb
  gAxADEALQBzAGkAbABvAIAAAAA=
msDS-ServiceAllowedToAuthenticateTo:: 
AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABRIA
  AAABAQAAAAAABRIAAAACAHgAAQAAAAkDcAAAAQAAAQEAAAAAAAEAAAAAYXJ0ePk2AAAAYQBkADoAL
  wAvAGUAeAB0AC8AQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAFMAaQBsAG8AEBQAAAB3AGkAbg
  AxADEALQBzAGkAbABvAIAAAAA=
msDS-ServiceAllowedToAuthenticateFrom:: 
AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABR
  IAAAABAQAAAAAABRIAAAACAHgAAQAAAAkDcAAAAQAAAQEAAAAAAAEAAAAAYXJ0ePk2AAAAYQBkADo
  ALwAvAGUAeAB0AC8AQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAFMAaQBsAG8AEBQAAAB3AGkA
  bgAxADEALQBzAGkAbABvAIEAAAA=
msDS-UserAuthNPolicyBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-ComputerAuthNPolicyBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-ServiceAuthNPolicyBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-AuthNPolicyEnforced: TRUE
msDS-UserAllowedNTLMNetworkAuthentication: FALSE
msDS-ServiceAllowedNTLMNetworkAuthentication: FALSE
msDS-StrongNTLMPolicy: 0

# record 2
dn: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
objectClass: top
objectClass: msDS-AuthNPolicySilo
cn: win11-silo
distinguishedName: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
instanceType: 4
whenCreated: 20241030154104.0Z
whenChanged: 20241030162958.0Z
uSNCreated: 20511
uSNChanged: 24683
name: win11-silo
objectGUID: b2ea79d2-8187-4a35-9839-6a807016857d
objectCategory: CN=ms-DS-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=winexample,DC=net
dSCorePropagationData: 20241030154104.0Z
dSCorePropagationData: 16010101000000.0Z
msDS-AssignedAuthNPolicySiloBL: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
msDS-AssignedAuthNPolicySiloBL: CN=st ka,OU=firma,DC=winexample,DC=net
msDS-AssignedAuthNPolicySiloBL: CN=WIN2022,OU=Domain Controllers,DC=winexample,DC=net
msDS-AuthNPolicySiloMembers: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
msDS-AuthNPolicySiloMembers: CN=st ka,OU=firma,DC=winexample,DC=net
msDS-UserAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-ComputerAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-ServiceAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-AuthNPolicySiloEnforced: TRUE

# record 3
dn: CN=st ka,OU=firma,DC=winexample,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: st ka
sn: ka
givenName: st
distinguishedName: CN=st ka,OU=firma,DC=winexample,DC=net
instanceType: 4
whenCreated: 20241030135710.0Z
whenChanged: 20241030161239.0Z
displayName: st ka
uSNCreated: 12810
memberOf: CN=mygroup,OU=firma,DC=winexample,DC=net
memberOf: CN=Protected Users,CN=Users,DC=winexample,DC=net
memberOf:: Q049RG9tw6RuZW4tQWRtaW5zLENOPVVzZXJzLERDPXdpbmV4YW1wbGUsREM9bmV0
uSNChanged: 24649
name: st ka
objectGUID: ec0bc2f7-f670-45f6-b58b-e1f93c0121e2
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 133747795013375240
pwdLastSet: 133747702303167784
primaryGroupID: 513
objectSid: S-1-5-21-876824351-968303257-185465824-1103
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 41
sAMAccountName: stka
sAMAccountType: 805306368
userPrincipalName: stka at winexample.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=winexample,DC=net
dSCorePropagationData: 20241030161239.0Z
dSCorePropagationData: 20241030135710.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133747742703371877
msDS-AssignedAuthNPolicySilo: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net

# record 4
dn: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: WINCLIENT11
distinguishedName: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
instanceType: 4
whenCreated: 20241030141150.0Z
whenChanged: 20241030154310.0Z
uSNCreated: 16410
uSNChanged: 20519
name: WINCLIENT11
objectGUID: 36b6c9a2-6297-452f-ac43-a6cb46635e63
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 133747794979471652
localPolicyFlags: 0
pwdLastSet: 133747711109077000
primaryGroupID: 515
objectSid: S-1-5-21-876824351-968303257-185465824-1106
accountExpires: 9223372036854775807
logonCount: 50
sAMAccountName: WINCLIENT11$
sAMAccountType: 805306369
operatingSystem: Windows 11 Pro
operatingSystemVersion: 10.0 (22631)
dNSHostName: winclient11.winexample.net
servicePrincipalName: RestrictedKrbHost/WINCLIENT11
servicePrincipalName: HOST/WINCLIENT11
servicePrincipalName: RestrictedKrbHost/winclient11.winexample.net
servicePrincipalName: HOST/winclient11.winexample.net
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=winexample,DC=net
isCriticalSystemObject: FALSE
dSCorePropagationData: 20241030141321.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133747711110786794
msDS-SupportedEncryptionTypes: 28
msDS-AssignedAuthNPolicySilo: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net

------------------------
And this is working :-)
As you can see, the policy is using UserAllowedToAuthenticateTo and the 
assignment is different from the one we have in Samba.

Here is the value of UserAllowedToAuthenticateTo:
--------------
root at debclient:~# ldbsearch -H ldap://win2022.winexample.net '(|(CN=st ka)(CN=win11*)(cn=winclient11))' --cross-ncs msDS-UserAllowedToAuthenticateTo -U administrator

Password for [WINEXAMPLE\administrator]:
# record 1
dn: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-UserAllowedToAuthenticateTo:: AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABRIAAAA
  BAQAAAAAABRIAAAACAHgAAQAAAAkDcAAAAQAAAQEAAAAAAAEAAAAAYXJ0ePk2AAAAYQBkADoALwAv
  AGUAeAB0AC8AQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAFMAaQBsAG8AEBQAAAB3AGkAbgAxA
  DEALQBzAGkAbABvAIAAAAA=
--------------
I don't know how to translate the attribute so that it is readable. If 
you could give me a hint, I will translate it so that you can read it. It 
should be a base64 string, but I can't convert it.

Stefan



-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
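To make Douglas's point about the missing silo attribute concrete, here is an added example (not Samba's code) that evaluates conditional-ACE expressions with the three-valued logic MS-DTYP specifies: a comparison against an @USER attribute the principal does not carry is UNKNOWN, and an allow (XA) ACE grants only on TRUE. The tuple AST, the three constructed principals and the helper names are assumptions of this example; it generalizes the thread's `!=` case to `==`, `!`, `&&` and `||`.

```python
# Three-valued evaluation of a conditional ACE (MS-DTYP semantics): a comparison
# on a claim the principal does not carry is UNKNOWN, and an allow (XA) ACE grants
# access only when its condition is exactly TRUE. Example code, not Samba's own.
UNKNOWN = None                        # the third truth value next to True / False
SILO = "ad://ext/AuthenticationSilo"  # the @USER attribute used by both conditions

def evaluate(expr, claims):
    """Evaluate a tiny conditional-ACE AST (nested tuples) against a principal's claims."""
    op = expr[0]
    if op in ("==", "!="):
        if expr[1] not in claims:         # attribute absent: the comparison is UNKNOWN
            return UNKNOWN
        equal = claims[expr[1]] == expr[2]
        return equal if op == "==" else not equal
    if op == "!":
        v = evaluate(expr[1], claims)
        return UNKNOWN if v is UNKNOWN else not v
    if op in ("&&", "||"):               # Kleene logic: one decisive operand settles it
        decisive = op == "||"            # True settles ||, False settles &&
        l, r = evaluate(expr[1], claims), evaluate(expr[2], claims)
        if l is decisive or r is decisive:
            return decisive
        return UNKNOWN if UNKNOWN in (l, r) else not decisive
    raise ValueError("unsupported operator %r" % op)

def xa_decision(expr, claims):
    """'allow' only for TRUE; FALSE and UNKNOWN both leave the allow ACE unapplied."""
    return "allow" if evaluate(expr, claims) is True else "deny"

# The condition from the quoted samba-tool command, and its equality counterpart.
NOT_IN_WIN11 = ("!=", SILO, "win11-silo")
IN_WIN11 = ("==", SILO, "win11-silo")
# Constructed principals: no silo at all, member of win11-silo, member of another silo.
PRINCIPALS = {"no-silo": {}, "win11": {SILO: "win11-silo"}, "other": {SILO: "other-silo"}}

def decision_table(expr):
    """Map each constructed principal to the XA decision for the given condition."""
    return {name: xa_decision(expr, claims) for name, claims in PRINCIPALS.items()}
```

With `NOT_IN_WIN11` the user with no silo is denied (UNKNOWN) and the win11-silo member is denied (FALSE); only a member of some other silo is allowed, which is exactly what Douglas describes.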
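On the question of how to make the attribute readable: the `::` value is a base64-encoded self-relative SECURITY_DESCRIPTOR whose DACL holds one conditional (callback) ACE, and the condition after the `artx` magic is a postfix token stream (MS-DTYP 2.4.4.17). The following is an added example, not Samba's own code (Samba's python bindings can unpack the same structure with ndr_unpack); it decodes the value printed above and knows only the token types that blob uses plus `!=`.

```python
import base64, struct
# Constructed from the page: win11-policy's msDS-UserAllowedToAuthenticateTo, as ldbsearch printed it.
BLOB_B64 = ("AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABRIAAAA"
            "BAQAAAAAABRIAAAACAHgAAQAAAAkDcAAAAQAAAQEAAAAAAAEAAAAAYXJ0ePk2AAAAYQBkADoALwAv"
            "AGUAeAB0AC8AQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAFMAaQBsAG8AEBQAAAB3AGkAbgAxA"
            "DEALQBzAGkAbABvAIAAAAA=")
SID_ALIASES = {"S-1-5-18": "SY", "S-1-1-0": "WD"}   # well-known SIDs -> SDDL aliases
ACE_TYPES = {0x09: "XA", 0x0a: "XD"}                 # callback (conditional) allow / deny
ACE_FLAGS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"), (0x10, "ID")]
BINARY_OPS = {0x80: "==", 0x81: "!="}                # conditional-ACE relational tokens

def parse_sid(buf, off):   # -> (SID string or SDDL alias, offset just past the SID)
    rev, count, authority = buf[off], buf[off + 1], int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)      # sub-authorities, little-endian
    sid = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return SID_ALIASES.get(sid, sid), off + 8 + 4 * count

def parse_condition(cond):
    """Turn the postfix token stream after the 'artx' magic into infix SDDL text."""
    assert cond[:4] == b"artx", "not a conditional ACE application data block"
    stack, pos = [], 4
    while pos < len(cond):
        tok, pos = cond[pos], pos + 1
        if tok == 0x00: continue           # padding to a 4-byte boundary
        if tok in (0xf9, 0x10):            # 0xf9 = user attribute, 0x10 = unicode literal
            (n,) = struct.unpack_from("<I", cond, pos)
            text = cond[pos + 4:pos + 4 + n].decode("utf-16-le")
            stack.append("@USER." + text if tok == 0xf9 else '"%s"' % text)
            pos += 4 + n
        elif tok in BINARY_OPS:            # operands were pushed first: rhs on top, then lhs
            rhs, lhs = stack.pop(), stack.pop()
            stack.append("(%s %s %s)" % (lhs, BINARY_OPS[tok], rhs))
        else:
            raise ValueError("unsupported token 0x%02x" % tok)
    return stack.pop()

def descriptor_to_sddl(b64):   # base64 self-relative SECURITY_DESCRIPTOR -> SDDL (owner, group, DACL)
    sd = base64.b64decode(b64)
    _, _, _, off_owner, off_group, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    sddl = "O:%sG:%sD:" % (parse_sid(sd, off_owner)[0], parse_sid(sd, off_group)[0])
    ace_count, pos = struct.unpack_from("<H", sd, off_dacl + 4)[0], off_dacl + 8   # ACL header
    for _ in range(ace_count):
        ace_type, flags, size, mask = struct.unpack_from("<BBHI", sd, pos)
        sid, cond_off = parse_sid(sd, pos + 8)               # trustee SID follows the access mask
        cond = parse_condition(sd[cond_off:pos + size])      # the rest of the ACE is the condition
        flag_txt = "".join(name for bit, name in ACE_FLAGS if flags & bit)
        rights = "CR" if mask == 0x100 else "0x%x" % mask     # 0x100 = ADS_RIGHT_DS_CONTROL_ACCESS
        sddl += "(%s;%s;%s;;;%s;%s)" % (ACE_TYPES[ace_type], flag_txt, rights, sid, cond)
        pos += size
    return sddl
```

For the value above this returns `O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "win11-silo"))`, so the Windows-side policy stores an equality test on the silo claim where the samba-tool command quoted earlier used `!=`.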

