setting up authentication policies in 4.20rc2

Stefan Kania stefan at kania-online.de
Mon Feb 19 16:28:24 UTC 2024



On 19.02.24 at 02:48, Jo Sutton via samba-technical wrote:
> On 18/02/24 6:11 am, Stefan Kania via samba-technical wrote:
>> Hi to all,
>>
>> I just tried to setup authentication policies and authentication silos 
>> in 4.20rc2.
>> Following these steps:
>> 1. create a policy
>> samba-tool domain auth policy create --enforce --name winclient-pol
>>
>> 2. create a silo
>> samba-tool domain auth silo create --enforce --name=winclient-silo
>>
>> 3. adding at least one user and one host to the silo
>> samba-tool domain auth silo member grant --name=winclient-silo 
>> --member=winclient\$
>> samba-tool domain auth silo member grant --name=winclient-silo 
>> --member=padmin
>>
>> BTW: In 4.19 it was "silo member add"
>>
>> 4. Set a single policy for all principals in this silo. With 4.19 that 
>> was possible, and that's by the way also possible with a Windows DC. 
>> On a Windows DC that's called "Use a single policy for all principals 
>> that belong to this authentication silo"
>>
>> In 4.20 the option --policy is missing, you have only the option to add:
>> --user-authentication-policy=
>> --service-authentication-policy=
>> --computer-authentication-policy=
>> So it would be nice if the option --policy came back
>>
> 
> We removed this option in commit 
> c22400fd8ef961e472ce2803cf4a2ec58b778795. I don’t remember our exact 
> reasoning, but we must have thought that it didn’t make much sense for a 
> user and a computer to share the same authentication policy.


In this picture you see the screenshot (sorry, it's a German DC) showing 
that you can select either all policies or select one.

https://ibb.co/kGB3XhR

I think, with Samba we should have the same possibility.

> 
>> The next step after creating the silo and the policy and adding the 
>> clients and users to the silo would be adding:
>>   --service-allowed-to-authenticate-from=SDDL
>> and/or
>> --service-allowed-to-authenticate-to=SDDL
>>
>> But where can I get the SDDL for the user and the client?
>>
> 
> Can you explain what you’d like to accomplish in this scenario? If you 
> want to make sure the user ‘padmin’ authenticates from the computer 
> ‘winclient$’, you can use 
> ‘--user-allowed-to-authenticate-from-device-silo=winclient-silo’, and 
> make sure the user and the computer both belong to the silo. Or if you 
> want to let only users in the silo authenticate to the computer 
> ‘winclient$’, you can use 
> ‘--computer-allowed-to-authenticate-to-by-silo=winclient-silo’.
> 



I want to disallow the user padmin to log in at the computer with the 
name winclient. So all users who are members of the silo winclient-silo 
should not be able to log in to the computer winclient.
So for example I create a policy login-to-DCs, then add the group 
"domain users" to the silo and the DCs. In a Windows domain I can now 
configure to allow all users that are equal to a list of users or not equal.
As you can see in the next picture, I can choose either if the user is 
equal to the list to allow the access, or the user is not equal to the 
list to allow the access.

https://ibb.co/SxgRzZW

I'm missing the part of selecting "member of the list" or "not member of 
the list"





Stefan
>> Stefan
>>
>>
>>
>>
> 
> Cheers,
> Jo (she/her)
> 
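The thread's open question is where the SDDL for the `--*-allowed-to-authenticate-from` and `--*-allowed-to-authenticate-to` options comes from, and how to express "member of the list" versus "not member of the list". The following is an added example, not code from the thread or from the Samba project: it builds that SDDL from the conditional-ACE grammar documented in Microsoft's MS-DTYP specification (the `XA` callback ACE, the `@USER.ad://ext/AuthenticationSilo` attribute, and the `Member_of` / `Not_Member_of` operators) and reads the conditions back out of a descriptor for inspection. The silo name, group SIDs and scenario are constructed sample values; samba-tool is not invoked, and whether Samba's parser accepts every operator shown is something to verify against the samba-tool documentation for the version in use.

```python
"""Build and inspect the SDDL strings that authentication-policy options take.

Added example, not part of the thread or of Samba. The conditional-ACE syntax
follows the MS-DTYP SDDL grammar; SIDs and the silo name below are constructed.
"""
import re

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# Owner and group SYSTEM, followed by the DACL; the usual prefix for these policies.
PREFIX = "O:SYG:SYD:"


def silo_condition(silo_name: str, principal: str = "USER") -> str:
    """Condition that is true when the authenticating user (USER) or the device
    it authenticates from (DEVICE) belongs to the named authentication silo."""
    if principal not in ("USER", "DEVICE"):
        raise ValueError("principal must be USER or DEVICE")
    if '"' in silo_name:
        raise ValueError("silo name must not contain a double quote")
    return f'@{principal}.ad://ext/AuthenticationSilo == "{silo_name}"'


def membership_condition(sids, member: bool = True, any_of: bool = False) -> str:
    """Group-membership condition: Member_of / Not_Member_of (all listed groups)
    or Member_of_Any / Not_Member_of_Any (at least one of them).

    member=False is the "not member of the list" case asked about in the thread."""
    sids = list(sids)
    if not sids:
        raise ValueError("at least one group SID is required")
    for sid in sids:
        if not SID_RE.match(sid):
            raise ValueError(f"not a SID: {sid!r}")
    op = ("" if member else "Not_") + ("Member_of_Any" if any_of else "Member_of")
    return f"{op} {{{', '.join(f'SID({s})' for s in sids)}}}"


def callback_ace(condition: str) -> str:
    """Access-allowed callback ACE (XA) granting the control-access right (CR)
    to Everyone (WD), subject to the condition."""
    return f"(XA;OICI;CR;;;WD;({condition}))"


def build_sddl(*conditions: str) -> str:
    """Full security descriptor with one callback ACE per condition."""
    if not conditions:
        raise ValueError("at least one condition is required")
    return PREFIX + "".join(callback_ace(c) for c in conditions)


def conditions_in(sddl: str):
    """Extract the condition strings from a descriptor built as above, so a
    policy value read back from the directory can be checked."""
    return re.findall(r"\(XA;OICI;CR;;;WD;\((.*?)\)\)", sddl)


def example_policies() -> dict:
    """The thread's scenario with constructed values: users in winclient-silo may
    only come from devices in that silo, and a computer refuses users who are in
    a constructed 'blocked' group."""
    blocked_group = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID
    return {
        "user-allowed-to-authenticate-from": build_sddl(
            silo_condition("winclient-silo", principal="DEVICE")),
        "computer-allowed-to-authenticate-to": build_sddl(
            membership_condition([blocked_group], member=False)),
    }


if __name__ == "__main__":
    for option, sddl in example_policies().items():
        print(f"--{option}={sddl}")
        print("  conditions:", conditions_in(sddl))
```

The two descriptors correspond to the two directions Jo describes: a policy attached to the users restricting the devices they may authenticate from, and a policy attached to the computer restricting who may authenticate to it.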

