authentication policies in Samba 4.21
Stefan Kania
stefan at kania-online.de
Wed Oct 30 16:57:21 UTC 2024
Hi Douglas
On 30.10.24 at 02:39, Douglas Bagnall via samba-technical wrote:
> On 30/10/24 06:33, Stefan Kania wrote:
>> I'm still not getting it to work as expected. I have now set up a Windows
>> AD (Server 2022) to test it and get the LDAP output for the user, the
>> computer, the policy and the silo. I will post it here as soon as I'm
>> finished, to compare the results.
>
> Here is the next pitfall. With
>
> samba-tool domain auth policy modify --name win11-policy \
> --computer-allowed-to-authenticate-to \
> 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo !=
> "win11-silo"))'
>
> the '(@USER.ad://ext/AuthenticationSilo != "win11-silo")' condition will
> first look for '@USER.ad://ext/AuthenticationSilo'. If it does not exist
> (the user is in no silo) this will fail, and the condition will default
> to not-allowing.
>
> In effect this condition says the user needs to be in a silo that isn't
> "win11-silo".
Yes, I know, that was something I tried.
Now I have configured the auth policy and auth silo on a Windows Server
2022 Active Directory. I used the same names, so it is easy to
follow. Here you see what I get when searching for the user, the client,
the silo and the policy:
------------------------
root@debclient:~# ldbsearch -H ldap://win2022.winexample.net '(|(CN=st ka)(CN=win11*)(cn=winclient11))' --cross-ncs -U administrator
Password for [WINEXAMPLE\administrator]:
# record 1
dn: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
objectClass: top
objectClass: msDS-AuthNPolicy
cn: win11-policy
distinguishedName: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
instanceType: 4
whenCreated: 20241030153647.0Z
whenChanged: 20241030161452.0Z
uSNCreated: 20506
uSNChanged: 24650
name: win11-policy
objectGUID: 37e6612a-15bf-4540-b1b2-db136a1cb877
objectCategory: CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=winexample,DC=net
dSCorePropagationData: 20241030153647.0Z
dSCorePropagationData: 16010101000000.0Z
msDS-UserAllowedToAuthenticateTo:: AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABRIAAAABAQAAAAAABRIAAAACAHgAAQAAAAkDcAAAAQAAAQEAAAAAAAEAAAAAYXJ0ePk2AAAAYQBkADoALwAvAGUAeAB0AC8AQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAFMAaQBsAG8AEBQAAAB3AGkAbgAxADEALQBzAGkAbABvAIAAAAA=
msDS-UserAllowedToAuthenticateFrom:: AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABRIAAAABAQAAAAAABRIAAAACAHgAAQAAAAkDcAAAAQAAAQEAAAAAAAEAAAAAYXJ0ePk2AAAAYQBkADoALwAvAGUAeAB0AC8AQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAFMAaQBsAG8AEBQAAAB3AGkAbgAxADEALQBzAGkAbABvAIAAAAA=
msDS-UserTGTLifetime: 72000000000
msDS-ComputerAllowedToAuthenticateTo:: AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABRIAAAABAQAAAAAABRIAAAACAHgAAQAAAAkDcAAAAQAAAQEAAAAAAAEAAAAAYXJ0ePk2AAAAYQBkADoALwAvAGUAeAB0AC8AQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAFMAaQBsAG8AEBQAAAB3AGkAbgAxADEALQBzAGkAbABvAIAAAAA=
msDS-ServiceAllowedToAuthenticateTo:: AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABRIAAAABAQAAAAAABRIAAAACAHgAAQAAAAkDcAAAAQAAAQEAAAAAAAEAAAAAYXJ0ePk2AAAAYQBkADoALwAvAGUAeAB0AC8AQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAFMAaQBsAG8AEBQAAAB3AGkAbgAxADEALQBzAGkAbABvAIAAAAA=
msDS-ServiceAllowedToAuthenticateFrom:: AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABRIAAAABAQAAAAAABRIAAAACAHgAAQAAAAkDcAAAAQAAAQEAAAAAAAEAAAAAYXJ0ePk2AAAAYQBkADoALwAvAGUAeAB0AC8AQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAFMAaQBsAG8AEBQAAAB3AGkAbgAxADEALQBzAGkAbABvAIEAAAA=
msDS-UserAuthNPolicyBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-ComputerAuthNPolicyBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-ServiceAuthNPolicyBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-AuthNPolicyEnforced: TRUE
msDS-UserAllowedNTLMNetworkAuthentication: FALSE
msDS-ServiceAllowedNTLMNetworkAuthentication: FALSE
msDS-StrongNTLMPolicy: 0
# record 2
dn: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
objectClass: top
objectClass: msDS-AuthNPolicySilo
cn: win11-silo
distinguishedName: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
instanceType: 4
whenCreated: 20241030154104.0Z
whenChanged: 20241030162958.0Z
uSNCreated: 20511
uSNChanged: 24683
name: win11-silo
objectGUID: b2ea79d2-8187-4a35-9839-6a807016857d
objectCategory: CN=ms-DS-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=winexample,DC=net
dSCorePropagationData: 20241030154104.0Z
dSCorePropagationData: 16010101000000.0Z
msDS-AssignedAuthNPolicySiloBL: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
msDS-AssignedAuthNPolicySiloBL: CN=st ka,OU=firma,DC=winexample,DC=net
msDS-AssignedAuthNPolicySiloBL: CN=WIN2022,OU=Domain Controllers,DC=winexample,DC=net
msDS-AuthNPolicySiloMembers: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
msDS-AuthNPolicySiloMembers: CN=st ka,OU=firma,DC=winexample,DC=net
msDS-UserAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-ComputerAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-ServiceAuthNPolicy: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-AuthNPolicySiloEnforced: TRUE
msDS-AuthNPolicySiloEnforced: TRUE
# record 3
dn: CN=st ka,OU=firma,DC=winexample,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: st ka
sn: ka
givenName: st
distinguishedName: CN=st ka,OU=firma,DC=winexample,DC=net
instanceType: 4
whenCreated: 20241030135710.0Z
whenChanged: 20241030161239.0Z
displayName: st ka
uSNCreated: 12810
memberOf: CN=mygroup,OU=firma,DC=winexample,DC=net
memberOf: CN=Protected Users,CN=Users,DC=winexample,DC=net
memberOf:: Q049RG9tw6RuZW4tQWRtaW5zLENOPVVzZXJzLERDPXdpbmV4YW1wbGUsREM9bmV0
uSNChanged: 24649
name: st ka
objectGUID: ec0bc2f7-f670-45f6-b58b-e1f93c0121e2
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 133747795013375240
pwdLastSet: 133747702303167784
primaryGroupID: 513
objectSid: S-1-5-21-876824351-968303257-185465824-1103
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 41
sAMAccountName: stka
sAMAccountType: 805306368
userPrincipalName: stka@winexample.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=winexample,DC=net
dSCorePropagationData: 20241030161239.0Z
dSCorePropagationData: 20241030135710.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133747742703371877
msDS-AssignedAuthNPolicySilo: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
# record 4
dn: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: WINCLIENT11
distinguishedName: CN=WINCLIENT11,OU=firma,DC=winexample,DC=net
instanceType: 4
whenCreated: 20241030141150.0Z
whenChanged: 20241030154310.0Z
uSNCreated: 16410
uSNChanged: 20519
name: WINCLIENT11
objectGUID: 36b6c9a2-6297-452f-ac43-a6cb46635e63
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 133747794979471652
localPolicyFlags: 0
pwdLastSet: 133747711109077000
primaryGroupID: 515
objectSid: S-1-5-21-876824351-968303257-185465824-1106
accountExpires: 9223372036854775807
logonCount: 50
sAMAccountName: WINCLIENT11$
sAMAccountType: 805306369
operatingSystem: Windows 11 Pro
operatingSystemVersion: 10.0 (22631)
dNSHostName: winclient11.winexample.net
servicePrincipalName: RestrictedKrbHost/WINCLIENT11
servicePrincipalName: HOST/WINCLIENT11
servicePrincipalName: RestrictedKrbHost/winclient11.winexample.net
servicePrincipalName: HOST/winclient11.winexample.net
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=winexample,DC=net
isCriticalSystemObject: FALSE
dSCorePropagationData: 20241030141321.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133747711110786794
msDS-SupportedEncryptionTypes: 28
msDS-AssignedAuthNPolicySilo: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-AuthNPolicySiloMembersBL: CN=win11-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
------------------------
and this is working :-)
As you can see, the policy is using UserAllowedToAuthenticateTo, and the
assignment is different from the one we have in Samba.
Here is the value of UserAllowedToAuthenticateTo:
--------------
root@debclient:~# ldbsearch -H ldap://win2022.winexample.net '(|(CN=st ka)(CN=win11*)(cn=winclient11))' --cross-ncs msDS-UserAllowedToAuthenticateTo -U administrator
Password for [WINEXAMPLE\administrator]:
# record 1
dn: CN=win11-policy,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=winexample,DC=net
msDS-UserAllowedToAuthenticateTo:: AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABRIAAAABAQAAAAAABRIAAAACAHgAAQAAAAkDcAAAAQAAAQEAAAAAAAEAAAAAYXJ0ePk2AAAAYQBkADoALwAvAGUAeAB0AC8AQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAFMAaQBsAG8AEBQAAAB3AGkAbgAxADEALQBzAGkAbABvAIAAAAA=
--------------
I don't know how to translate the attribute so that it is readable. If
you could give me a hint, I will translate it so that you can read it. It
should be a base64 string, but I can't convert it.
Stefan
>
> Douglas
>
>
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
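The attribute Stefan asks about is more than a base64 string: once decoded it is a self-relative Windows security descriptor, and the policy expression sits inside the application data of a conditional (XA) ACE as a postfix token stream, so it needs a small binary parser to become readable. The decoder below is an added example written for this thread, not Samba's code (Samba's own Python bindings can unpack the same bytes with samba.ndr.ndr_unpack and samba.dcerpc.security.descriptor). It parses the descriptor header, owner and group SIDs, the DACL, and the conditional-ACE tokens from MS-DTYP 2.4.4.17 that authentication policies use (attribute references, Unicode strings, SIDs, composites, the relational and logical operators); the SID alias table is a small subset and the function names are my own. The two embedded values are copied from the ldbsearch listing in this mail. For msDS-UserAllowedToAuthenticateTo it returns `O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "win11-silo"))`, the same shape as the samba-tool argument in Douglas's reply.

```python
"""Decode an msDS-*AllowedToAuthenticate* value (a self-relative security descriptor carrying a
conditional ACE) from its LDIF base64 form into SDDL.  Added example for this thread, not Samba
code; token values follow MS-DTYP 2.4.4.17 and anything outside the tables below raises ValueError."""
import base64
import struct

# Copied from the ldbsearch listing in this mail; the two differ only in the final operator token.
USER_ALLOWED_TO_AUTHENTICATE_TO = (
    "AQAEgBQAAAAgAAAAAAAAACwAAAABAQAAAAAABRIAAAABAQAAAAAABRIAAAACAHgAAQAAAAkDcAAAAQAAAQEAAAAAAAEAAAAAYXJ0ePk2AAAAYQBk"
    "ADoALwAvAGUAeAB0AC8AQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuAFMAaQBsAG8AEBQAAAB3AGkAbgAxADEALQBzAGkAbABvAIAAAAA=")
SERVICE_ALLOWED_TO_AUTHENTICATE_FROM = USER_ALLOWED_TO_AUTHENTICATE_TO[:-8] + "AIEAAAA="
SID_ALIASES = {"S-1-1-0": "WD", "S-1-5-11": "AU", "S-1-5-18": "SY", "S-1-5-32-544": "BA"}  # subset
ACE_TYPES = {0x00: "A", 0x01: "D", 0x09: "XA", 0x0A: "XD"}      # XA/XD carry a condition
ACE_FLAGS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"), (0x10, "ID")]
RIGHTS = [(0x10000000, "GA"), (0x80000000, "GR"), (0x40000000, "GW"), (0x20000000, "GX"),
          (0x80000, "WO"), (0x40000, "WD"), (0x20000, "RC"), (0x10000, "SD"), (0x100, "CR"),
          (0x80, "LO"), (0x40, "DT"), (0x20, "WP"), (0x10, "RP"), (0x8, "SW"), (0x4, "LC"),
          (0x2, "DC"), (0x1, "CC")]
BINARY_OPS = {0x80: "==", 0x81: "!=", 0x82: "<", 0x83: "<=", 0x84: ">", 0x85: ">=", 0x86: "Contains",
              0x88: "Any_of", 0x8E: "Not_Contains", 0x8F: "Not_Any_of", 0xA0: "&&", 0xA1: "||"}
UNARY_OPS = {0x87: "Exists", 0x8D: "Not_Exists", 0x89: "Member_of", 0x8A: "Device_Member_of",
             0x8B: "Member_of_Any", 0x8C: "Device_Member_of_Any", 0x90: "Not_Member_of", 0x91: "Not_Device_Member_of",
             0x92: "Not_Member_of_Any", 0x93: "Not_Device_Member_of_Any", 0xA2: "!"}
ATTR_PREFIX = {0xF8: "", 0xF9: "@USER.", 0xFA: "@RESOURCE.", 0xFB: "@DEVICE."}

def parse_sid(buf, off):
    """Binary SID at buf[off:] -> (SDDL form, bytes consumed)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    sid = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return SID_ALIASES.get(sid, sid), 8 + 4 * count

def parse_operand(data, pos):
    """One operand token at data[pos] -> (SDDL text, next position)."""
    tok = data[pos]
    if tok not in (0x10, 0x50, 0x51) and tok not in ATTR_PREFIX:
        raise ValueError("unsupported token 0x%02x" % tok)
    (length,) = struct.unpack_from("<I", data, pos + 1)  # every handled operand is length-prefixed
    pos += 5
    if tok == 0x10 or tok in ATTR_PREFIX:             # Unicode literal or attribute name (UTF-16LE)
        text = data[pos:pos + length].decode("utf-16-le")
        return (ATTR_PREFIX[tok] + text if tok in ATTR_PREFIX else '"%s"' % text), pos + length
    if tok == 0x51:                                   # SID literal
        return "SID(%s)" % parse_sid(data, pos)[0], pos + length
    end, items = pos + length, []                     # 0x50 composite: nested literals, {a, b}
    while pos < end:
        text, pos = parse_operand(data, pos)
        items.append(text)
    return "{%s}" % ", ".join(items), end

def decode_condition(data):
    """RPN token stream (after the 'artx' magic) -> SDDL infix expression."""
    if data[:4] != b"artx":
        raise ValueError("conditional ACE data does not start with 'artx'")
    pos, stack = 4, []
    while pos < len(data):
        tok = data[pos]
        if tok in BINARY_OPS:
            rhs, lhs = stack.pop(), stack.pop()
            stack.append("(%s %s %s)" % (lhs, BINARY_OPS[tok], rhs))
        elif tok in UNARY_OPS:
            op, arg = UNARY_OPS[tok], stack.pop()
            stack.append("(!%s)" % arg if op == "!" else "(%s %s)" % (op, arg))
        elif tok != 0x00:                             # 0x00 is padding to a 4-byte boundary
            text, pos = parse_operand(data, pos)
            stack.append(text)
            continue
        pos += 1
    if len(stack) != 1:
        raise ValueError("malformed condition, %d operands left" % len(stack))
    return stack[0]

def acl_to_sddl(sd, off):
    """ACL at sd[off:] -> SDDL ACE list; XA/XD ACEs get their decoded condition appended."""
    count = struct.unpack_from("<H", sd, off + 4)[0]
    pos, out = off + 8, []
    for _ in range(count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", sd, pos)
        if ace_type not in ACE_TYPES:
            raise ValueError("unsupported ACE type 0x%02x" % ace_type)
        sid, sid_len = parse_sid(sd, pos + 8)
        rest = mask & ~sum(bit for bit, _ in RIGHTS)  # mask bits with no SDDL letter pair stay hex
        rights = "".join(c for bit, c in RIGHTS if mask & bit) + ("0x%x" % rest if rest else "")
        fields = [ACE_TYPES[ace_type], "".join(c for bit, c in ACE_FLAGS if ace_flags & bit), rights, "", "", sid]
        if ace_type in (0x09, 0x0A):
            fields.append(decode_condition(sd[pos + 8 + sid_len:pos + ace_size]))
        out.append("(%s)" % ";".join(fields))
        pos += ace_size
    return "".join(out)

def sd_to_sddl(b64):
    """LDIF base64 of a self-relative security descriptor -> SDDL string."""
    sd = base64.b64decode(b64)
    rev, _sbz, control, o_owner, o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000:              # SE_SELF_RELATIVE must be set
        raise ValueError("not a self-relative security descriptor")
    text = "".join(p + parse_sid(sd, o)[0] for p, o in (("O:", o_owner), ("G:", o_group)) if o)
    if control & 0x0004 and o_dacl:                   # SE_DACL_PRESENT
        text += "D:" + acl_to_sddl(sd, o_dacl)
    return text
```

Calling sd_to_sddl() on each value in the listing shows that all of the *AllowedToAuthenticate* attributes carry the same owner, group, ACE type, flags, rights and trustee; msDS-ServiceAllowedToAuthenticateFrom differs only in its final operator byte (0x81 instead of 0x80) and therefore decodes with `!=` where the others have `==`, which is exactly the distinction Douglas describes above for users who are in no silo at all.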