setting up authentication policies in 4.20rc2

Jo Sutton jsutton at samba.org
Mon Feb 19 01:48:06 UTC 2024


On 18/02/24 6:11 am, Stefan Kania via samba-technical wrote:
> Hi to all,
> 
> I just tried to setup authentication policies and authentication silos 
> in 4.20rc2.
> Following these steps:
> 1. create a policy
> samba-tool domain auth policy create --enforce --name winclient-pol
> 
> 2. create a silo
> samba-tool domain auth silo create --enforce --name=winclient-silo
> 
> 3. adding at least one user and one host to the silo
> samba-tool domain auth silo member grant --name=winclient-silo 
> --member=winclient\$
> samba-tool domain auth silo member grant --name=winclient-silo 
> --member=padmin
> 
> BTW: In 4.19 it was "silo member add"
> 
> 4. Set a single policy for all principals in this silo. With 4.19 that was 
> possible and that's by the way also possible with a Windows DC. That's 
> on a Windows DC called "Use a single policy for all principals that 
> belong to this authentication silo"
> 
> In 4.20 the option --policy is missing, you have only the option to add:
> --user-authentication-policy=
> --service-authentication-policy=
> --computer-authentication-policy=
> So it would be nice if the option --policy will be back
> 

We removed this option in commit 
c22400fd8ef961e472ce2803cf4a2ec58b778795. I don’t remember our exact 
reasoning, but we must have thought that it didn’t make much sense for a 
user and a computer to share the same authentication policy.

> The next step after creating the silo and the policy and adding the 
> clients and users to the silo would be adding:
>   --service-allowed-to-authenticate-from=SDDL
> and/or
> --service-allowed-to-authenticate-to=SDDL
> 
> But where can I get the SDDL for the user and the client?
> 

Can you explain what you’d like to accomplish in this scenario? If you 
want to make sure the user ‘padmin’ authenticates from the computer 
‘winclient$’, you can use 
‘--user-allowed-to-authenticate-from-device-silo=winclient-silo’, and 
make sure the user and the computer both belong to the silo. Or if you 
want to let only users in the silo authenticate to the computer 
‘winclient$’, you can use 
‘--computer-allowed-to-authenticate-to-by-silo=winclient-silo’.

> Stefan

Cheers,
Jo (she/her)
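The sequence discussed in this thread, written out as a small POSIX shell wrapper. This is an added example, not a script from the thread or from the Samba project: it chains the 4.20 commands Stefan listed, binds the silo to the policy with the per-principal `--user-authentication-policy` option that replaced `--policy`, and applies the "user may only authenticate from devices in this silo" restriction Jo suggests. Two things are assumptions not stated in the thread: that the restriction is applied with `samba-tool domain auth policy modify`, and the `SAMBA_TOOL`/`DRY_RUN` variables, which are this script's own. With `DRY_RUN=1` (the default) it only prints the command lines, so the exact arguments, including the trailing `$` of the machine account, can be reviewed before anything touches the domain.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Samba project).
# Composes the Samba 4.20 authentication-silo setup; DRY_RUN=1 prints the
# commands instead of running them so the argument handling can be checked.

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"   # assumed variable: path to samba-tool
DRY_RUN="${DRY_RUN:-1}"                  # assumed variable: 1 = print only, 0 = execute

# run_cmd: print the command line when dry-running, otherwise execute it.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_machine_account NAME: machine accounts end in '$'; used to catch a host
# member that lost its '$' to shell expansion (write it as 'winclient$').
is_machine_account() {
    case "$1" in
        *\$) return 0 ;;
        *)   return 1 ;;
    esac
}

# Step 1: create an enforced authentication policy.
create_policy() {
    run_cmd "$SAMBA_TOOL" domain auth policy create --enforce --name="$1"
}

# Step 2: create an enforced silo and bind the policy to its user principals.
# In 4.20 there is no --policy; the policy is set per principal type
# (--user-/--service-/--computer-authentication-policy).
create_silo() {
    run_cmd "$SAMBA_TOOL" domain auth silo create --enforce --name="$1" \
        --user-authentication-policy="$2"
}

# Step 3: grant a user or computer membership of the silo
# ("member grant" in 4.20; it was "member add" in 4.19).
grant_member() {
    run_cmd "$SAMBA_TOOL" domain auth silo member grant --name="$1" --member="$2"
}

# Step 4: restrict users under the policy to authenticating from devices in
# the silo. Assumption: this is set with "policy modify" on the policy object.
restrict_user_to_silo_devices() {
    run_cmd "$SAMBA_TOOL" domain auth policy modify --name="$1" \
        --user-allowed-to-authenticate-from-device-silo="$2"
}

# setup_silo POLICY SILO USER HOST: the whole procedure in order.
setup_silo() {
    policy="$1"; silo="$2"; user="$3"; host="$4"
    if ! is_machine_account "$host"; then
        printf 'warning: host member "%s" does not end in $ (quote it as '"'"'name$'"'"')\n' "$host" >&2
        return 1
    fi
    create_policy "$policy" &&
    create_silo "$silo" "$policy" &&
    grant_member "$silo" "$host" &&
    grant_member "$silo" "$user" &&
    restrict_user_to_silo_devices "$policy" "$silo"
}

# Usage with the names from the thread; the machine account is single-quoted
# so the shell does not expand the '$'.
setup_silo winclient-pol winclient-silo padmin 'winclient$'
```

Run it once with the default `DRY_RUN=1` and compare the printed lines against the thread; then rerun with `DRY_RUN=0` on the DC. The `is_machine_account` check exists because `--member=winclient$` without quoting silently becomes `--member=winclient` in most shells, which is the kind of mistake that makes a silo grant fail for no visible reason.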
