[Samba] setup auth-policies and auth-silos, a little howto

Stefan Kania stefan at kania-online.de
Thu Jun 26 09:41:55 UTC 2025


How to set up an authentication policy and authentication silo

This little howto shows the setup of an authentication policy and an authentication silo to restrict a user to logging in to a Windows client:

1. Set up the policy
samba-tool domain auth policy create --name win11-policy --enforce

2. Change ticket lifetime
samba-tool domain auth policy modify --user-tgt-lifetime-mins=90 --name win11-policy

3. create a silo
samba-tool domain auth silo create --name win11-silo --enforce

4. Add computer and user to the silo
samba-tool domain auth silo member grant --name win11-silo --member=skania
samba-tool domain auth silo member grant --name win11-silo --member=WINCLIENT11\$

(Don't forget the backslash in front of the dollar)

5. Set the condition for the policy
samba-tool domain auth policy computer-allowed-to-authenticate-to set --by-silo=win11-silo --name=win11-policy

6. Assign the policy to the user and the computer
samba-tool user auth policy assign --policy win11-policy skania
samba-tool user auth policy assign --policy win11-policy winclient11\$

Now only user "skania" can log in to the Windows computer "winclient11". To change the setting so that any user except "skania" can log in, you have to edit the condition:

7. Changing the condition
samba-tool domain auth policy modify --name win11-policy --computer-allowed-to-authenticate-to="O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != \"win11-silo\"))"

That's it.
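As an added example (not part of the original post), here is a small POSIX shell helper that builds the step-7 condition string for both cases, "only members of the silo" and "everyone except members of the silo", and can apply it and show the result with samba-tool. It assumes the "==" form for the allow-only case matches what --by-silo generates, and that the "domain auth policy view" subcommand is available in the Samba version in use.

```shell
#!/bin/sh
# Added example, not from the original post.
# Builds the conditional-ACE SDDL used with --computer-allowed-to-authenticate-to
# so the "==" (only this silo) and "!=" (everyone except this silo) variants
# can be compared side by side without fighting shell escaping.
set -eu

SILO=${SILO:-win11-silo}      # silo name from the howto (override via env)
POLICY=${POLICY:-win11-policy}

# silo_condition MODE SILO
#   MODE "only"   -> only members of SILO may authenticate to the computer
#   MODE "except" -> everyone except members of SILO may authenticate
# Prints the SDDL string; the "==" form is assumed to equal what --by-silo emits.
silo_condition() {
    case "$1" in
        only)   op='==' ;;
        except) op='!=' ;;
        *) echo "silo_condition: mode must be 'only' or 'except'" >&2; return 1 ;;
    esac
    # Single quotes around the format: the inner double quotes stay literal,
    # so no backslash escaping is needed as in the interactive command.
    printf 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo %s "%s"))' \
        "$op" "$2"
}

# apply_condition MODE [--run]
# Without --run, prints the samba-tool command that would be executed.
# With --run, modifies the policy and shows it afterwards for verification.
apply_condition() {
    mode=$1; run=${2:-}
    sddl=$(silo_condition "$mode" "$SILO")
    if [ "$run" = "--run" ]; then
        samba-tool domain auth policy modify --name "$POLICY" \
            --computer-allowed-to-authenticate-to="$sddl"
        samba-tool domain auth policy view --name "$POLICY"
    else
        printf "samba-tool domain auth policy modify --name %s --computer-allowed-to-authenticate-to='%s'\n" \
            "$POLICY" "$sddl"
    fi
}

# Usage: sh silo-condition.sh only|except [--run]
if [ $# -gt 0 ]; then
    apply_condition "$@"
fi
```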


