setting up authentication policies in 4.20rc2

Andrew Bartlett abartlet at samba.org
Mon Feb 19 20:38:35 UTC 2024


On Mon, 2024-02-19 at 16:45 +0000, Rowland Penny via samba-technical
wrote:
> On Mon, 19 Feb 2024 14:48:06 +1300
> Jo Sutton via samba-technical <samba-technical at lists.samba.org> wrote:
> 
> > On 18/02/24 6:11 am, Stefan Kania via samba-technical wrote:
> > > Hi to all,
> > > 
> > > I just tried to set up authentication policies and authentication
> > > silos in 4.20rc2.
> > > Following these steps:
> > > 1. create a policy
> > > samba-tool domain auth policy create --enforce --name winclient-pol
> > > 
> > > 2. create a silo
> > > samba-tool domain auth silo create --enforce --name=winclient-silo
> > > 
> > > 3. add at least one user and one host to the silo
> > > samba-tool domain auth silo member grant --name=winclient-silo --member=winclient\$
> > > samba-tool domain auth silo member grant --name=winclient-silo --member=padmin
> > > 
> > > BTW: In 4.19 it was "silo member add"
> > > 
> > > 4. Set a single policy for all principals in this silo. With 4.19
> > > that was possible, and that's by the way also possible with a
> > > Windows DC. On a Windows DC that's called "Use a single policy
> > > for all principals that belong to this authentication silo"
> > > 
> > > In 4.20 the option --policy is missing; you only have the option
> > > to add:
> > > --user-authentication-policy=
> > > --service-authentication-policy=
> > > --computer-authentication-policy=
> > > So it would be nice if the option --policy came back.
> > > 
> > 
> > We removed this option in commit 
> > c22400fd8ef961e472ce2803cf4a2ec58b778795. I don’t remember our
> > exact 
> > reasoning, but we must have thought that it didn’t make much sense
> > for a user and a computer to share the same authentication policy.
> > 
> 
> Can I ask what the reasoning about this was? Seeing as a computer in AD
> is just a user with an extra objectclass.
> 
> I am trying to get my head around all this, but I am struggling at
> the
> moment.

The difference is that users log on to computers, but computers don't
have anything else to log on to, so policies that say 'you must log on
from these computers' make no sense.

Computers can also authenticate users (check their password over
NETLOGON) and are servers that can both accept NTLM and Kerberos, but
yes, the introduction of authentication policies is the first point at
which users and computers started to have a real difference in how they
are treated when acting as a client.

This is also why the options were split: in development we realised it
was really easy to set a policy that made no sense, and we even went to
the point of banning some in the UI.

But yes, we would like feedback on the real world application of these
tools and while our work here is done (I can't promise that we have
massive amounts of time to come back here and rework) if we do, every
detail from the real world helps us rework once, not multiple times.

Andrew Bartlett


-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions