setting up authentication policies in 4.20rc2

Stefan Kania stefan at kania-online.de
Mon Feb 19 16:56:45 UTC 2024



On 19.02.24 at 17:45, Rowland Penny via samba-technical wrote:
> On Mon, 19 Feb 2024 14:48:06 +1300
> Jo Sutton via samba-technical <samba-technical at lists.samba.org> wrote:
> 
>> On 18/02/24 6:11 am, Stefan Kania via samba-technical wrote:
>>> Hi to all,
>>>
>>> I just tried to setup authentication policies and authentication
>>> silos in 4.20rc2.
>>> Following these steps:
>>> 1. create a policy
>>> samba-tool domain auth policy create --enforce --name winclient-pol
>>>
>>> 2. create a silo
>>> samba-tool domain auth silo create --enforce --name=winclient-silo
>>>
>>> 3. adding at least one user and one host to the silo
>>> samba-tool domain auth silo member grant --name=winclient-silo
>>> --member=winclient\$
>>> samba-tool domain auth silo member grant --name=winclient-silo
>>> --member=padmin
>>>
>>> BTW: In 4.19 it was "silo member add"
>>>
>>> 4. Set single policy for all principals in this silo. with 4.19
>>> that was possible and that's by the way also possible with a
>>> windows DC. That's on a windows DC called "Use a single policy for
>>> all principals that belong to this authentication silo"
>>>
>>> In 4.20 the option --policy is missing, you have only the option to
>>> add: --user-authentication-policy=
>>> --service-authentication-policy=
>>> --computer-authentication-policy=
>>> So it would be nice if the option --policy will be back
>>>
>>
>> We removed this option in commit
>> c22400fd8ef961e472ce2803cf4a2ec58b778795. I don’t remember our exact
>> reasoning, but we must have thought that it didn’t make much sense
>> for a user and a computer to share the same authentication policy.
>>
> 
Hi Rowland

everything about auth-policies and auth-silos is a bit complicated, it 
could have been made much easier ;-) I'll try to explain again how it 
works in Windows:
create a policy
create a silo with users and hosts
add the silo to the policy AND add a condition

The condition is the most important part, which is missing (at the moment 
in Samba). The condition defines if only access to a host is allowed for 
members of the silo or only for non-members of the silo. I tried to 
explain it here:
https://www.spinics.net/lists/samba/msg181014.html

There you can also see two policies with different conditions.

Stefan

> Can I ask what was the reasoning about this? Seeing as a computer in AD is
> just a user with an extra objectclass.
> 
> I am trying to get my head around all this, but I am struggling at the
> moment.
> 
> Rowland
> 
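As an added illustration (not code from Samba or from anyone in this thread) of the condition Stefan describes, here is a small Python evaluator for the two condition shapes, members-only and non-members-only, applied to a host's silo attribute. The `@USER.ad://ext/AuthenticationSilo` reference syntax and the "unknown never allows" handling are my assumptions about how Windows writes and evaluates these conditional ACEs; the silo name and attribute values are constructed.

```python
import re

# Constructed conditions in the shape of the conditional ACE a Windows policy keeps
# for "allowed to authenticate from" (syntax assumed; the semantics is the point).
MEMBERS_ONLY = '(@USER.ad://ext/AuthenticationSilo == "winclient-silo")'
NON_MEMBERS_ONLY = '(!(@USER.ad://ext/AuthenticationSilo == "winclient-silo"))'

TOKEN = re.compile(r'\s*(@\w+\.ad://ext/\w+|"[^"]*"|==|!=|&&|\|\||[!()])')
def tokenize(cond):
    if TOKEN.sub('', cond).strip():          # anything left over is not valid syntax
        raise ValueError(f"unparseable condition: {cond!r}")
    return [m.group(1) for m in TOKEN.finditer(cond)]

# Three-valued logic: None means "unknown" (attribute absent); unknown never allows.
def _not(v): return None if v is None else not v
def _and(a, b): return False if False in (a, b) else (None if None in (a, b) else True)
def _or(a, b): return True if True in (a, b) else (None if None in (a, b) else False)

class Condition:
    def __init__(self, cond, attrs):
        self.t, self.attrs, self.i = tokenize(cond), attrs, 0
    def take(self):
        self.i += 1
        return self.t[self.i - 1]            # IndexError if the condition is truncated
    def peek(self): return self.t[self.i] if self.i < len(self.t) else None
    def expr(self):                          # expr := term ('||' term)*
        v = self.term()
        while self.peek() == '||': self.take(); v = _or(v, self.term())
        return v
    def term(self):                          # term := factor ('&&' factor)*
        v = self.factor()
        while self.peek() == '&&': self.take(); v = _and(v, self.factor())
        return v
    def factor(self):                        # '!' factor | '(' expr ')' | attr op "literal"
        tok = self.take()
        if tok == '!': return _not(self.factor())
        if tok == '(':
            v = self.expr()
            if self.take() != ')': raise ValueError("expected ')'")
            return v
        m = re.fullmatch(r'@(\w+)\.ad://ext/(\w+)', tok)
        op, lit = self.take(), self.take()
        if not m or op not in ('==', '!=') or not lit.startswith('"'):
            raise ValueError(f"bad comparison near {tok!r}")
        actual = self.attrs.get(m.group(1).upper(), {}).get(m.group(2))
        return None if actual is None else (actual == lit.strip('"')) == (op == '==')

def allowed(cond, attrs):
    """True only if the condition holds; attrs like {"USER": {"AuthenticationSilo": "x"}}."""
    c = Condition(cond, attrs)
    v = c.expr()
    if c.peek() is not None: raise ValueError(f"trailing tokens: {c.t[c.i:]}")
    return v is True
```

Note that a host with no silo attribute at all is denied under both conditions: the negated condition does not turn "unknown" into "non-member".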
