[Samba] Question about silos and Authentication policies
Stefan Kania
stefan at kania-online.de
Sat Nov 4 16:34:33 UTC 2023
Hi Rob,
I had some more time to test a little bit. So I used the LDAP Account
Manager (LAM), connected to my Active Directory with Samba 4.19 and to
cn=configuration,dc=example,dc=net. I found the policy and the silo. Then
I took the value from my Windows 2022 domain for the attribute
UserAllowedToAuthenticateFrom
and added it to the attribute msDS-UserAllowedToAuthenticateFrom of my
Samba domain. Doing this creates the condition. So my attribute looks
like this:
O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != "winclient-silo"))
Then the policy is working: the user added to the silo cannot log in on a
computer also added to the silo.
But executing
-------------------
samba-tool domain auth policy view --name winclient-pol
{
  "cn": "winclient-pol",
  "distinguishedName": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "dn": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "instanceType": 4,
  "msDS-AuthNPolicyEnforced": true,
  "msDS-ServiceTGTLifetime": 60,
  "msDS-StrongNTLMPolicy": 0,
  "name": "winclient-pol",
  "objectCategory": "CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net",
  "objectClass": [
    "top",
    "msDS-AuthNPolicy"
  ],
  "objectGUID": "21bc8ece-13c0-4ab1-8a79-38bdd6f6ea8d"
}
-------------------
does not show the condition :-(.
But with ldbsearch I can see the condition:
-------------------
root@addc-01:~# ldbsearch --cross-ncs --url=/var/lib/samba/private/sam.ldb "cn=winclient-pol"
# record 1
dn: CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
objectClass: top
objectClass: msDS-AuthNPolicy
cn: winclient-pol
instanceType: 4
whenCreated: 20231020164016.0Z
uSNCreated: 4291
name: winclient-pol
objectGUID: 21bc8ece-13c0-4ab1-8a79-38bdd6f6ea8d
objectCategory: CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net
msDS-AuthNPolicyEnforced: TRUE
msDS-StrongNTLMPolicy: 0
msDS-ComputerAuthNPolicyBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-ServiceAuthNPolicyBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-UserAuthNPolicyBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-ServiceTGTLifetime: 60
msDS-UserAllowedToAuthenticateFrom: O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != "winclient-silo"))
whenChanged: 20231104162516.0Z
uSNChanged: 4513
distinguishedName: CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
-------------------
So auth-policies and auth-silos are working with Samba :-).
Don't ask me what the meaning of the (I think) ACL in the attribute is.
Maybe that will help you.
Stefan
On 31.10.23 at 00:43, Rob van der Linde via samba wrote:
> I was playing around again with Windows and when you add members to
> silos, or remove them, it should not set/unset assigned silo on the user.
>
> So I've got a new pull request in Draft state still where I remove that
> functionality, as well as add some new commands to samba-tool user command.
>
> It turned out to be easier to add sub commands to user, as edit user
> wasn't quite what I thought it was and I had realised that after writing
> my last email.
>
> samba-tool user auth silo assign/remove/view
> samba-tool user auth policy assign/remove/view
>
> I probably completely have the wording wrong still, I'm going to look at
> using the same wording as Windows does so please consider this PR a
> draft only. I'm having a look at the Windows tooling in detail now.
>
> On 28/10/23 03:54, Stefan Kania via samba wrote:
>>
>>
>> On 27.10.23 at 02:32, Rob van der Linde via samba wrote:
>>> The missing functionality is --silo and --policy on modify user, and
>>> probably also create user commands.
>>
>> That's exactly right, that's also the way Windows is handling this.
>>
>
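The "ACL" Stefan pastes is an SDDL security descriptor whose DACL holds one conditional ACE: type XA (an access-allowed callback ACE, which grants its rights only while the attached condition is true), flags OICI, the CR control-access right, trustee WD (Everyone), and the condition `@USER.ad://ext/AuthenticationSilo != "winclient-silo"`. The following Python is an added example, not code from this post or from the Samba project: it parses a value of exactly the shape shown in the ldbsearch output (including one that ldbsearch has wrapped across lines) and evaluates the condition against a claims dictionary. The regular expressions, the class and function names, and the sample string are assumptions of this example; the page does not say which principal's AuthenticationSilo claim the KDC evaluates, so the caller supplies the claims explicitly.

```python
"""Added example (not code from this list post or from the Samba project).

Parses the SDDL string stored in msDS-UserAllowedToAuthenticateFrom, as shown
in the ldbsearch output above, and evaluates its conditional ACE against a
claims dict.

Assumptions of this example (not stated on the page):
  * the DACL holds conditional ACEs of the exact shape
    (XA;<flags>;<rights>;;;<trustee>;(<condition>))
  * each condition is a single comparison
    @USER.ad://ext/<Attribute> == "<value>"  or  != "<value>"
  * which principal's claims the KDC evaluates for this policy is not stated
    on the page, so the caller passes the claims dict explicitly
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the value from the post, joined across the ldbsearch wrap.
PAGE_SDDL = (
    'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext'
    '/AuthenticationSilo != "winclient-silo"))'
)

SDDL_RE = re.compile(r'^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<dacl>.*)$')
ACE_RE = re.compile(
    r'\((?P<type>[A-Z]{2});(?P<flags>[A-Z]*);(?P<rights>[A-Z]*);;;'
    r'(?P<trustee>[A-Z0-9-]+);\((?P<cond>[^()]*)\)\)'
)
COND_RE = re.compile(
    r'^@USER\.ad://ext/(?P<attr>\w+)\s*(?P<op>==|!=)\s*"(?P<value>[^"]*)"$'
)


@dataclass(frozen=True)
class ConditionalAce:
    ace_type: str   # 'XA': access-allowed callback ACE, applies only if its condition is true
    flags: str      # e.g. 'OICI'
    rights: str     # e.g. 'CR' (control access right)
    trustee: str    # e.g. 'WD' (Everyone)
    attribute: str  # claim name after ad://ext/
    op: str         # '==' or '!='
    value: str      # quoted literal the claim is compared with


def unwrap(value: str) -> str:
    """Join a value that ldbsearch wrapped across lines (continuation indent dropped)."""
    return "".join(line.strip() for line in value.splitlines())


def parse_sddl(sddl: str):
    """Return (owner, group, [ConditionalAce, ...]); raise ValueError on other shapes."""
    m = SDDL_RE.match(unwrap(sddl))
    if not m:
        raise ValueError("not an O:...G:...D:... SDDL string")
    aces = []
    for a in ACE_RE.finditer(m.group('dacl')):
        c = COND_RE.match(a.group('cond').strip())
        if not c:
            raise ValueError(f"unsupported condition: {a.group('cond')!r}")
        aces.append(ConditionalAce(a.group('type'), a.group('flags'), a.group('rights'),
                                   a.group('trustee'), c.group('attr'), c.group('op'),
                                   c.group('value')))
    if not aces:
        raise ValueError("no conditional ACE found in DACL")
    return m.group('owner'), m.group('group'), aces


def condition_holds(ace: ConditionalAce, claims: dict) -> Optional[bool]:
    """Evaluate one ACE condition. None means the claim is absent (unknown)."""
    actual = claims.get(ace.attribute)
    if actual is None:
        return None
    return actual == ace.value if ace.op == '==' else actual != ace.value


def authenticate_allowed(sddl: str, claims: dict) -> bool:
    """True if some XA ACE granting CR to Everyone (WD) has a condition that is true.

    An absent claim makes the condition unknown, which never grants the right.
    """
    _, _, aces = parse_sddl(sddl)
    return any(
        ace.ace_type == 'XA' and 'CR' in ace.rights and ace.trustee == 'WD'
        and condition_holds(ace, claims) is True
        for ace in aces
    )


if __name__ == '__main__':
    owner, group, aces = parse_sddl(PAGE_SDDL)
    print(owner, group, aces[0])
    for silo in ('winclient-silo', 'other-silo'):
        print(silo, authenticate_allowed(PAGE_SDDL, {'AuthenticationSilo': silo}))
```

With the `!=` from the post, the CR right is granted only when the evaluated AuthenticationSilo claim is something other than winclient-silo; swapping the operator for `==` inverts the grant, which is the knob to look at when a silo policy behaves the opposite way from what was intended.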