setting up authentication policies in 4.20rc2
Stefan Kania
stefan at kania-online.de
Mon Feb 19 16:28:24 UTC 2024
On 19.02.24 at 02:48, Jo Sutton via samba-technical wrote:
> On 18/02/24 6:11 am, Stefan Kania via samba-technical wrote:
>> Hi to all,
>>
>> I just tried to setup authentication policies and authentication silos
>> in 4.20rc2.
>> Following these steps:
>> 1. create a policy
>> samba-tool domain auth policy create --enforce --name winclient-pol
>>
>> 2. create a silo
>> samba-tool domain auth silo create --enforce --name=winclient-silo
>>
>> 3. adding at least one user and one host to the silo
>> samba-tool domain auth silo member grant --name=winclient-silo
>> --member=winclient\$
>> samba-tool domain auth silo member grant --name=winclient-silo
>> --member=padmin
>>
>> BTW: In 4.19 it was "silo member add"
>>
>> 4. Set a single policy for all principals in this silo. With 4.19 that
>> was possible, and that's by the way also possible with a Windows DC.
>> On a Windows DC that's called "Use a single policy for all principals
>> that belong to this authentication silo".
>>
>> In 4.20 the option --policy is missing, you have only the option to add:
>> --user-authentication-policy=
>> --service-authentication-policy=
>> --computer-authentication-policy=
>> So it would be nice if the option --policy will be back
>>
>
> We removed this option in commit
> c22400fd8ef961e472ce2803cf4a2ec58b778795. I don’t remember our exact
> reasoning, but we must have thought that it didn’t make much sense for a
> user and a computer to share the same authentication policy.
In this picture you see the screenshot (sorry, it's a German DC) showing that
you can select either all policies or select one.
https://ibb.co/kGB3XhR
I think with Samba we should have the same possibility.
>
>> The next step after creating the silo and the policy and adding the
>> clients and users to the silo would be adding:
>> --service-allowed-to-authenticate-from=SDDL
>> and/or
>> --service-allowed-to-authenticate-to=SDDL
>>
>> But where can I get the SDDL for the user and the client?
>>
>
> Can you explain what you’d like to accomplish in this scenario? If you
> want to make sure the user ‘padmin’ authenticates from the computer
> ‘winclient$’, you can use
> ‘--user-allowed-to-authenticate-from-device-silo=winclient-silo’, and
> make sure the user and the computer both belong to the silo. Or if you
> want to let only users in the silo authenticate to the computer
> ‘winclient$’, you can use
> ‘--computer-allowed-to-authenticate-to-by-silo=winclient-silo’.
>
I want to disallow the user padmin from logging in at the computer with the
name winclient. So all users who are members of the silo winclient-silo
should not be able to log in to the computer winclient.
So for example I create a policy login-to-DCs, then add the group
"domain users" to the silo and the DCs. In a Windows domain I can now
configure it to allow all users that are equal to a list of users, or not equal.
As you can see in the next picture, I can choose either that the user is
equal to the list to allow the access, or that the user is not equal to the
list to be allowed access.
https://ibb.co/SxgRzZW
I'm missing the part of selecting "member of the list" or "not member of
the list".
Stefan
>> Stefan
>
> Cheers,
> Jo (she/her)
>
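As an added example (not code from the thread or from the Samba project), the following script builds the conditional-ACE SDDL strings that the `--*-allowed-to-authenticate-from/-to` options expect, using the format Microsoft documents for authentication policies, including a `Not_Member_of` condition for the "not member of the list" case discussed above. It assumes that `samba-tool domain auth policy modify` accepts `--user-allowed-to-authenticate-from` and `--computer-allowed-to-authenticate-to` in 4.20 alongside the options quoted in the thread, and that Samba's evaluator supports the `Not_Member_of` operator; the group SID is a constructed placeholder.

```shell
#!/bin/sh
# Added example: helpers that produce SDDL for Samba authentication policies.
# The SDDL shape (O:SYG:SYD: owner/group plus one callback-allow ACE with a
# conditional expression) follows Microsoft's documented authentication policy
# format; which operators Samba 4.20 evaluates is an assumption here.

# Allow only principals whose AuthenticationSilo claim equals the silo in $1.
# Used with --user-allowed-to-authenticate-from: the claim is evaluated against
# the device the user authenticates from.
sddl_silo_equals() {
    printf 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "%s"))' "$1"
}

# Allow only members of the group with SID $1 ("member of the list").
sddl_member_of() {
    printf 'O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(%s)}))' "$1"
}

# Allow everyone EXCEPT members of the group with SID $1 ("not member of the
# list"): the case the thread says the samba-tool options do not expose directly.
sddl_not_member_of() {
    printf 'O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_Member_of {SID(%s)}))' "$1"
}

# Print the samba-tool invocation for policy $1, option $2 and SDDL $3.
# The SDDL is single-quoted so the shell leaves the spaces and quotes intact.
policy_modify_cmd() {
    printf "samba-tool domain auth policy modify --name=%s %s='%s'\n" "$1" "$2" "$3"
}

# Constructed placeholder SID for a "blocked-on-winclient" group.
BLOCKED_GROUP_SID='S-1-5-21-1111111111-2222222222-3333333333-1234'

# 1. users in winclient-pol may only authenticate from devices in winclient-silo
policy_modify_cmd winclient-pol --user-allowed-to-authenticate-from \
    "$(sddl_silo_equals winclient-silo)"
# 2. winclient may only be authenticated to by users NOT in the blocked group
policy_modify_cmd winclient-pol --computer-allowed-to-authenticate-to \
    "$(sddl_not_member_of "$BLOCKED_GROUP_SID")"
```

The script only prints the commands; review the generated SDDL (for example with `samba-tool domain auth policy view`) before applying it with `--enforce`, since a policy that denies the wrong principals locks out accounts.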