setting up authentication policies in 4.20rc2

Rowland Penny rpenny at samba.org
Mon Feb 19 17:10:41 UTC 2024


On Mon, 19 Feb 2024 17:56:45 +0100
Stefan Kania via samba-technical <samba-technical at lists.samba.org>
wrote:

> 
> 
> > On 19.02.24 at 17:45, Rowland Penny via samba-technical wrote:
> > On Mon, 19 Feb 2024 14:48:06 +1300
> > Jo Sutton via samba-technical <samba-technical at lists.samba.org>
> > wrote:
> > 
> >> On 18/02/24 6:11 am, Stefan Kania via samba-technical wrote:
> >>> Hi to all,
> >>>
> >>> I just tried to set up authentication policies and authentication
> >>> silos in 4.20rc2.
> >>> Following these steps:
> >>> 1. create a policy
> >>> samba-tool domain auth policy create --enforce --name
> >>> winclient-pol
> >>>
> >>> 2. create a silo
> >>> samba-tool domain auth silo create --enforce --name=winclient-silo
> >>>
> >>> 3. adding at least one user and one host to the silo
> >>> samba-tool domain auth silo member grant --name=winclient-silo
> >>> --member=winclient\$
> >>> samba-tool domain auth silo member grant --name=winclient-silo
> >>> --member=padmin
> >>>
> >>> BTW: In 4.19 it was "silo member add"
> >>>
> >>> 4. Set a single policy for all principals in this silo. With 4.19
> >>> that was possible, and that's by the way also possible with a
> >>> Windows DC. On a Windows DC that's called "Use a single policy for
> >>> all principals that belong to this authentication silo"
> >>>
> >>> In 4.20 the option --policy is missing; you only have the options
> >>> --user-authentication-policy=
> >>> --service-authentication-policy=
> >>> --computer-authentication-policy=
> >>> So it would be nice if the option --policy came back
> >>>
> >>
> >> We removed this option in commit
> >> c22400fd8ef961e472ce2803cf4a2ec58b778795. I don’t remember our
> >> exact reasoning, but we must have thought that it didn’t make much
> >> sense for a user and a computer to share the same authentication
> >> policy.
> >>
> > 
> Hi Rowland
> 
> everything about auth-policies and auth-silos is a bit complicated,

That might just be an understatement :-)

> it could have been made much easier ;-) I'll try to explain again how
> it works in Windows:
> create a policy
> create a silo with users and hosts
> add the silo to the policy AND add a condition
> 
> The condition is the most important part, which is missing (at the
> moment in Samba). The condition defines whether only access to a host is
> allowed for members of the silo or only for non-members of the silo.
> I tried to explain it here:
> https://www.spinics.net/lists/samba/msg181014.html

I am going to have to consider that, my eyes glazed over.
However, it sounds like a variation on allow/deny.

Rowland
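The 4.20rc2 steps quoted above, collected into a single script as an added example (this is not code from the thread or from the Samba project). It assumes a running Samba AD DC with samba-tool on PATH, that passing the same policy name to all three --*-authentication-policy options is the 4.20 substitute for the removed --policy switch, and that a "samba-tool domain auth silo view" subcommand exists to read the result back; the silo, policy and member names are the ones from the thread.

```shell
#!/bin/sh
# Added example, not part of the thread: the 4.20rc2 steps Stefan Kania
# describes, scripted. Assumptions: a Samba AD DC with samba-tool on PATH;
# giving the same policy name to all three --*-authentication-policy
# options replaces the old --policy switch; "domain auth silo view" exists.
set -eu

# Override for dry runs, e.g. SAMBA_TOOL=echo sh silo-setup.sh run
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# create_policy NAME: enforced authentication policy (step 1 in the thread)
create_policy() {
    "$SAMBA_TOOL" domain auth policy create --enforce --name="$1"
}

# create_silo SILO POLICY: enforced silo bound to one policy for users,
# services and computers (steps 2 and 4; assumed 4.20 form of "single policy")
create_silo() {
    "$SAMBA_TOOL" domain auth silo create --enforce --name="$1" \
        --user-authentication-policy="$2" \
        --service-authentication-policy="$2" \
        --computer-authentication-policy="$2"
}

# grant_members SILO MEMBER...: step 3 ("member grant" in 4.20, "member add" in 4.19)
grant_members() {
    silo="$1"; shift
    for member in "$@"; do
        "$SAMBA_TOOL" domain auth silo member grant --name="$silo" --member="$member"
    done
}

# show_silo SILO: read back what the DC stored (assumed subcommand)
show_silo() {
    "$SAMBA_TOOL" domain auth silo view --name="$1"
}

# setup_silo SILO POLICY MEMBER...: the whole procedure, in the order of the thread
setup_silo() {
    silo="$1"; policy="$2"; shift 2
    create_policy "$policy"
    create_silo "$silo" "$policy"
    grant_members "$silo" "$@"
    show_silo "$silo"
}

# Names from the thread; the computer account's trailing $ is single-quoted
# so the shell does not try to expand it.
if [ "${1:-}" = "run" ]; then
    setup_silo winclient-silo winclient-pol 'winclient$' padmin
fi
```

Running it with SAMBA_TOOL=echo prints the exact samba-tool invocations without touching a DC, which is a cheap way to review the command lines before running them for real.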
