[Samba] Question about silos and Authentication policies

Rob van der Linde rob at catalyst.net.nz
Mon Oct 23 21:03:48 UTC 2023


Hi Stefan,

We had a long weekend in New Zealand; I'm catching up on your emails now.

Some of the slight differences from the Windows tools I've already picked 
up on, and they are in the PR Andrew Bartlett mentioned on Friday, but I'm 
always open to learning what things are missing or different, etc.

On 23/10/23 02:58, Stefan Kania via samba wrote:
> Talking to myself again ;-)
>
> samba-tool works a little bit differently than the silo/policy 
> management on a Windows DC.
> On a Windows DC, after assigning the user and host to the silo, you have 
> to assign the silo to the user and the host. When assigning the user 
> and host to the silo with samba-tool, the assignment to the user and 
> the host is done at the same time. So now my policy looks like this:
> -------------
> root at addc-01:~#  samba-tool domain auth policy view --name=winclient-pol
> {
>   "cn": "winclient-pol",
>   "distinguishedName": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN 
> Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>   "dn": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy 
> Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>   "instanceType": 4,
>   "msDS-AuthNPolicyEnforced": true,
>   "msDS-ServiceTGTLifetime": 60,
>   "msDS-StrongNTLMPolicy": 0,
>   "name": "winclient-pol",
>   "objectCategory": 
> "CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net",
>   "objectClass": [
>     "top",
>     "msDS-AuthNPolicy"
>   ],
>   "objectGUID": "21bc8ece-13c0-4ab1-8a79-38bdd6f6ea8d"
>
> -------------
>
> The silo looks like this:
> -------------
> root at addc-01:~#  samba-tool domain auth silo view --name=winclient-silo
> {
>   "cn": "winclient-silo",
>   "distinguishedName": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN 
> Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>   "dn": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy 
> Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>   "instanceType": 4,
>   "msDS-AuthNPolicySiloEnforced": true,
>   "msDS-AuthNPolicySiloMembers": [
>     "CN=WINCLIENT,CN=Computers,DC=example,DC=net",
>     "CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net"
>   ],
>   "msDS-ComputerAuthNPolicy": "CN=winclient-pol,CN=AuthN 
> Policies,CN=AuthN Policy 
> Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>   "msDS-ServiceAuthNPolicy": "CN=winclient-pol,CN=AuthN 
> Policies,CN=AuthN Policy 
> Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>   "msDS-UserAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN 
> Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>   "name": "winclient-silo",
>   "objectCategory": 
> "CN=ms-DS-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=example,DC=net",
>   "objectClass": [
>     "top",
>     "msDS-AuthNPolicySilo"
>   ],
>   "objectGUID": "f063b775-e1da-4b2d-962b-d30f2cc8ffad"
> -------------
>
> My user "cn=protected admin" looks like this:
> -------------
> dn: CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: protected admin
> sn: admin
> givenName: protected
> instanceType: 4
> whenCreated: 20231020125659.0Z
> displayName: protected admin
> uSNCreated: 4267
> name: protected admin
> objectGUID: 770c22a3-aa6d-4cea-bdbe-5bebce9c2994
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-3996049225-3177602564-2265300751-1106
> accountExpires: 9223372036854775807
> sAMAccountName: padmin
> sAMAccountType: 805306368
> userPrincipalName: padmin at example.net
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=net
> userAccountControl: 512
> memberOf: CN=Domain Admins,CN=Users,DC=example,DC=net
> memberOf: CN=Protected Users,CN=Users,DC=example,DC=net
> lastLogonTimestamp: 133422806290994480
> msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN 
> Silos,CN=AuthN Polic
>  y Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN 
> Silos,CN=AuthN Policy
>   Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> pwdLastSet: 133424547343802100
> whenChanged: 20231022132534.0Z
> uSNChanged: 4319
> lastLogon: 133424547477453410
> logonCount: 12
> distinguishedName: CN=protected 
> admin,OU=users,OU=It,OU=Firma,DC=example,DC=ne
>  t
> -------------
>
> And the host:
> --------------
> dn: CN=WINCLIENT,CN=Computers,DC=example,DC=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> cn: WINCLIENT
> instanceType: 4
> whenCreated: 20231019160325.0Z
> uSNCreated: 4225
> name: WINCLIENT
> objectGUID: ca422c13-eb65-43ae-8ae9-7fea6950a972
> userAccountControl: 4096
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> pwdLastSet: 133422050057063700
> primaryGroupID: 515
> objectSid: S-1-5-21-3996049225-3177602564-2265300751-1104
> accountExpires: 9223372036854775807
> sAMAccountName: WINCLIENT$
> sAMAccountType: 805306369
> dNSHostName: winclient.example.net
> servicePrincipalName: HOST/winclient.example.net
> servicePrincipalName: RestrictedKrbHost/winclient.example.net
> servicePrincipalName: HOST/WINCLIENT
> servicePrincipalName: RestrictedKrbHost/WINCLIENT
> servicePrincipalName: WSMAN/winclient.example.net
> servicePrincipalName: WSMAN/winclient
> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=net
> isCriticalSystemObject: FALSE
> lastLogonTimestamp: 133422050059426810
> operatingSystem: Windows 11 Pro
> operatingSystemVersion: 10.0 (22621)
> msDS-SupportedEncryptionTypes: 28
> msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN 
> Silos,CN=AuthN Polic
>  y Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN 
> Silos,CN=AuthN Policy
>   Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> whenChanged: 20231020163411.0Z
> uSNChanged: 4289
> lastLogon: 133424546464979900
> logonCount: 30
> distinguishedName: CN=WINCLIENT,CN=Computers,DC=example,DC=net
> --------------
>
> So in both objects you can see the two attributes:
> ------------------
> msDS-AuthNPolicySiloMembersBL:
> msDS-AssignedAuthNPolicySilo:
> ------------------
>
> These attributes look the same in a Windows Active Directory. I built 
> the same domain with Windows Server 2022 and FL 2016. There it works.
>
> In my Samba-domain I can assign everything, but my user "cn=protected 
> admin" can still log in to my host "winclient" :-(
>
> Has anyone tried it yet and gotten it working?
>
>
> On 20.10.23 at 19:57, Stefan Kania via samba wrote:
>> Now I created a policy with:
>>
>> ---------
>> samba-tool domain auth policy create --enforce --name winclient-pol
>> ---------
>>
>> and a silo with:
>>
>> ---------
>> samba-tool domain auth silo create --enforce --name=winclient-silo
>> ---------
>>
>> Then I added the following objects to the silo:
>> ---------
>> samba-tool domain auth silo member add --name=winclient-silo 
>> --member=padmin
>>
>> samba-tool domain auth silo member add --name=winclient-silo 
>> --member=winclient\$
>> ---------
>>
>> Then assigning the policy to the silo with:
>>
>> -------------
>> samba-tool domain auth silo modify --name=winclient-silo 
>> --policy=winclient-pol
>> -------------
>>
>> The next step would be to assign the silo to the user and the host, 
>> but I don't see any option in "samba-tool domain auth ..." to do 
>> this. The same with adding the host to the policy.
>>
>> On a Windows system I would do this with "ADAC", but I can't use it 
>> with a Samba DC.
>>
>> Is there a way to do it with samba-tool, or any other tool?
>>
>>
>
>
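One defender-side check that follows from the thread, as an added example (not Samba's code and not part of the original mail): parse ldbsearch-style LDIF for a silo and its members and flag any member that carries the msDS-AuthNPolicySiloMembersBL back-link but no msDS-AssignedAuthNPolicySilo value (the separate assignment step that Windows tools leave to the admin and samba-tool performs at once), as well as any silo left unenforced. The LDIF below is constructed to mirror the thread's objects, including one folded line; it assumes plain "attr: value" lines with no base64 ("::") values.

```python
# Constructed LDIF mirroring the thread's silo, user and host (ldbsearch
# style); the host is deliberately a member with no assignment attribute.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
objectClass: msDS-AuthNPolicySilo
msDS-AuthNPolicySiloEnforced: TRUE
msDS-AuthNPolicySiloMembers: CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net
msDS-AuthNPolicySiloMembers: CN=WINCLIENT,CN=Computers,DC=example,DC=net

dn: CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net
msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Polic
 y Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net

dn: CN=WINCLIENT,CN=Computers,DC=example,DC=net
msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
"""

def parse_ldif(text):
    """{attr: [values]} per record; a leading space folds a line onto the previous one."""
    records, current = [], defaultdict(list)
    for line in (text.replace("\n ", "") + "\n").splitlines():
        if line.strip():
            attr, _, value = line.partition(": ")
            current[attr].append(value)
        elif current:  # blank line terminates a record
            records.append(dict(current))
            current = defaultdict(list)
    return records

def check_silos(records):
    """Findings: unenforced silos, and members lacking the back-link or the assignment."""
    by_dn = {r["dn"][0]: r for r in records}
    findings = []
    for silo in records:
        if "msDS-AuthNPolicySilo" not in silo.get("objectClass", []):
            continue
        sdn = silo["dn"][0]
        if silo.get("msDS-AuthNPolicySiloEnforced", ["FALSE"])[0] != "TRUE":
            findings.append(f"{sdn}: silo not enforced")
        for member in silo.get("msDS-AuthNPolicySiloMembers", []):
            obj = by_dn.get(member, {})  # missing object shows up as both findings
            if sdn not in obj.get("msDS-AuthNPolicySiloMembersBL", []):
                findings.append(f"{member}: back-link to silo missing")
            if obj.get("msDS-AssignedAuthNPolicySilo", [""])[0] != sdn:
                findings.append(f"{member}: msDS-AssignedAuthNPolicySilo missing")
    return findings
```

Run against the real directory by feeding it the output of ldbsearch for the silo and its member objects; an empty findings list means the membership and assignment attributes agree.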