setting up authentication policies in 4.20rc2

Rowland Penny rpenny at samba.org
Mon Feb 19 21:34:41 UTC 2024


On Tue, 20 Feb 2024 09:38:35 +1300
Andrew Bartlett <abartlet at samba.org> wrote:

> On Mon, 2024-02-19 at 16:45 +0000, Rowland Penny via samba-technical
> wrote:
> > On Mon, 19 Feb 2024 14:48:06 +1300
> > Jo Sutton via samba-technical <samba-technical at lists.samba.org> wrote:
> > 
> > > On 18/02/24 6:11 am, Stefan Kania via samba-technical wrote:
> > > > Hi to all,
> > > > 
> > > > I just tried to set up authentication policies and authentication
> > > > silos in 4.20rc2.
> > > > Following these steps:
> > > > 1. create a policy
> > > > samba-tool domain auth policy create --enforce --name winclient-pol
> > > > 
> > > > 2. create a silo
> > > > samba-tool domain auth silo create --enforce --name=winclient-silo
> > > > 
> > > > 3. adding at least one user and one host to the silo
> > > > samba-tool domain auth silo member grant --name=winclient-silo --member=winclient\$
> > > > samba-tool domain auth silo member grant --name=winclient-silo --member=padmin
> > > > 
> > > > BTW: In 4.19 it was "silo member add"
> > > > 
> > > > 4. Set a single policy for all principals in this silo. With 4.19
> > > > that was possible, and that's by the way also possible with a
> > > > Windows DC. On a Windows DC that's called "Use a single policy for
> > > > all principals that belong to this authentication silo".
> > > > 
> > > > In 4.20 the option --policy is missing; you only have the option
> > > > to add: --user-authentication-policy=
> > > > --service-authentication-policy=
> > > > --computer-authentication-policy=
> > > > So it would be nice if the option --policy came back.
> > > > 
> > > 
> > > We removed this option in commit
> > > c22400fd8ef961e472ce2803cf4a2ec58b778795. I don't remember our exact
> > > reasoning, but we must have thought that it didn't make much sense
> > > for a user and a computer to share the same authentication policy.
> > > 
> > 
> > Can I ask what the reasoning behind this was? Seeing as a computer in
> > AD is just a user with an extra objectclass.
> > 
> > I am trying to get my head around all this, but I am struggling at the
> > moment.
> 
> The difference is that users log on to computers, but computers don't
> have anything else to log on to, so policies that say 'you must log on
> from these computers' make no sense.
> 
> Computers can also authenticate users (check their password over
> NETLOGON) and are servers that can both accept NTLM and Kerberos, but
> yes, the introduction of authentication policies is the first point at
> which users and computers started to have a real difference in how
> they are treated when acting as a client.
> 
> This is also why the options were split, because in development we
> realised it was really easy to set a policy that made no sense, we
> even went to the point of banning some in the UI.
> 
> But yes, we would like feedback on the real world application of these
> tools and while our work here is done (I can't promise that we have
> massive amounts of time to come back here and rework) if we do, every
> detail from the real world helps us rework once, not multiple times.
> 
> Andrew Bartlett

It makes sense when you describe it in that way, but how will it affect
the use of a machine's ticket in an ldbsearch?

Rowland
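The per-principal-type split discussed in this thread, as an added illustration that is not Samba code: a silo carries one policy each for users, services and computers, and a member is matched to exactly one of them by its objectClass, which is why a computer (a user object plus the `computer` class) and a user in the same silo end up under different policies. The msDS-*AuthNPolicy attribute names are assumed to be the schema attributes behind the samba-tool options quoted above; the silo and member records are constructed sample data, not output from a DC.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed silo record, modelled on the thread's "winclient-silo". The
# three msDS-*AuthNPolicy attribute names are assumed to be the schema
# attributes behind samba-tool's per-type options; the values here are
# constructed sample data (real values are policy DNs), not DC output.
SILO = {
    "cn": "winclient-silo",
    "msDS-UserAuthNPolicy": "winclient-pol",
    "msDS-ComputerAuthNPolicy": "winclient-host-pol",
    "msDS-ServiceAuthNPolicy": None,  # no service policy set on this silo
}

@dataclass
class Principal:
    name: str
    object_classes: list = field(default_factory=list)

def principal_type(p: Principal) -> str:
    """Classify a member the way the silo's per-type policies do.
    A computer is a user object with the extra 'computer' objectClass, so a
    plain objectClass=user test would match both; check the most specific first.
    """
    classes = {c.lower() for c in p.object_classes}
    if "computer" in classes:
        return "computer"
    if classes & {"msds-managedserviceaccount", "msds-groupmanagedserviceaccount"}:
        return "service"
    if "user" in classes:
        return "user"
    raise ValueError(f"{p.name}: not a user, service or computer object")

def effective_policy(silo: dict, p: Principal) -> Optional[str]:
    """Return the policy the silo applies to this member, or None when the
    silo has no policy for the member's principal type."""
    attr = {"user": "msDS-UserAuthNPolicy",
            "service": "msDS-ServiceAuthNPolicy",
            "computer": "msDS-ComputerAuthNPolicy"}[principal_type(p)]
    return silo.get(attr)

# The two members granted in the thread: the host and the admin user.
MEMBERS = [
    Principal("winclient$", ["top", "person", "organizationalPerson", "user", "computer"]),
    Principal("padmin", ["top", "person", "organizationalPerson", "user"]),
]

if __name__ == "__main__":
    for m in MEMBERS:
        print(f"{m.name:<12} {principal_type(m):<9} -> {effective_policy(SILO, m)}")
```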