setting up authentication policies in 4.20rc2

Andrew Bartlett abartlet at samba.org
Mon Feb 19 22:57:36 UTC 2024


On Mon, 2024-02-19 at 21:34 +0000, Rowland Penny via samba-technical wrote:
> On Tue, 20 Feb 2024 09:38:35 +1300
> Andrew Bartlett <abartlet at samba.org> wrote:
> 
> > On Mon, 2024-02-19 at 16:45 +0000, Rowland Penny via samba-technical wrote:
> > > On Mon, 19 Feb 2024 14:48:06 +1300
> > > Jo Sutton via samba-technical <samba-technical at lists.samba.org> wrote:
> > > > On 18/02/24 6:11 am, Stefan Kania via samba-technical wrote:
> > > > > Hi to all,
> > > > > 
> > > > > I just tried to set up authentication policies and authentication
> > > > > silos in 4.20rc2. Following these steps:
> > > > > 1. create a policy
> > > > > samba-tool domain auth policy create --enforce --name winclient-pol
> > > > > 
> > > > > 2. create a silo
> > > > > samba-tool domain auth silo create --enforce --name=winclient-silo
> > > > > 
> > > > > 3. adding at least one user and one host to the silo
> > > > > samba-tool domain auth silo member grant --name=winclient-silo --member=winclient\$
> > > > > samba-tool domain auth silo member grant --name=winclient-silo --member=padmin
> > > > > 
> > > > > BTW: In 4.19 it was "silo member add"
> > > > > 
> > > > > 4. Set a single policy for all principals in this silo. With 4.19
> > > > > that was possible, and that's by the way also possible with a
> > > > > Windows DC. On a Windows DC that's called "Use a single policy for
> > > > > all principals that belong to this authentication silo".
> > > > > 
> > > > > In 4.20 the option --policy is missing; you only have the option
> > > > > to add:
> > > > > --user-authentication-policy=
> > > > > --service-authentication-policy=
> > > > > --computer-authentication-policy=
> > > > > So it would be nice if the option --policy would be back.
> > > > > 
> > > > 
> > > > We removed this option in commit
> > > > c22400fd8ef961e472ce2803cf4a2ec58b778795. I don’t remember our exact
> > > > reasoning, but we must have thought that it didn’t make much sense
> > > > for a user and a computer to share the same authentication policy.
> > > > 
> > > 
> > > Can I ask what the reasoning about this was? Seeing as a computer in
> > > AD is just a user with an extra objectclass.
> > > 
> > > I am trying to get my head around all this, but I am struggling at
> > > the moment.
> > 
> > The difference is that users log on to computers, but computers don't
> > have anything else to log on to, so policies that say 'you must log on
> > from these computers' make no sense.
> > 
> > Computers can also authenticate users (check their password over
> > NETLOGON) and are servers that can accept both NTLM and Kerberos, but
> > yes, the introduction of authentication policies is the first point at
> > which users and computers started to have a real difference in how
> > they are treated when acting as a client.
> > 
> > This is also why the options were split: in development we realised
> > it was really easy to set a policy that made no sense, and we even
> > went to the point of banning some in the UI.
> > 
> > But yes, we would like feedback on the real-world application of
> > these tools, and while our work here is done (I can't promise that we
> > have massive amounts of time to come back here and rework), if we do,
> > every detail from the real world helps us rework once, not multiple
> > times.
> > 
> > Andrew Bartlett
> 
> It makes sense when you describe it in that way, but how will it
> affect the use of a machine's ticket in an ldbsearch?

It is more that if you wanted a user ticket for running ldbsearch, you
should make sure to get it with FAST, armored with the machine account
(kinit can help you with this, if you have access to the machine's
credential cache, but we need to extend winbindd to help with this for
the unprivileged case).

This might be needed if you have a policy that the user account can
only log in from a particular computer. 

Machine accounts end up with fewer restrictions, as they otherwise
don't make sense. 

Andrew Bartlett
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
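As an added example, not taken from this thread and not part of Samba's own tooling, the POSIX shell script below spells out the FAST-armored kinit that Andrew describes: the machine account's TGT is first obtained from its keytab into a separate credential cache, the user's AS-REQ is then armored with that cache (MIT Kerberos `kinit -T`), and ldbsearch finally runs with the resulting user ticket, which is what a policy restricting the user to particular computers needs to see. The realm EXAMPLE.COM, the machine principal WINCLIENT$, the user padmin, the DC name dc1.example.com and the ccache paths are placeholders. Because the real commands need a joined domain member with root access to the machine keytab, the script only prints them unless RUN_KINIT=1 is set.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): get a user TGT via FAST,
# armored with the machine account's TGT, before running ldbsearch.
# All names below are placeholders: adjust realm, principals, DC and paths.
set -e

KRB_REALM="${KRB_REALM:-EXAMPLE.COM}"
DC_HOST="${DC_HOST:-dc1.example.com}"
MACHINE_KEYTAB="${MACHINE_KEYTAB:-/etc/krb5.keytab}"   # needs root to read
ARMOR_CCACHE="${ARMOR_CCACHE:-/tmp/krb5cc_armor}"       # machine TGT lives here
USER_CCACHE="${USER_CCACHE:-/tmp/krb5cc_user}"         # armored user TGT lives here

# Command that fetches the machine account's TGT from the keytab into the
# armor cache. $1 is the machine principal, e.g. 'WINCLIENT$'.
armor_kinit_cmd() {
    printf 'kinit -k -t %s -c %s %s@%s' \
        "$MACHINE_KEYTAB" "$ARMOR_CCACHE" "$1" "$KRB_REALM"
}

# Command that requests the user's TGT inside a FAST tunnel. MIT kinit's
# -T option names the credential cache whose TGT armors the exchange, so
# the KDC learns which computer the user is logging on from and can
# evaluate a policy that allows this user only from certain hosts.
user_kinit_cmd() {
    printf 'kinit -T %s -c %s %s@%s' \
        "$ARMOR_CCACHE" "$USER_CCACHE" "$1" "$KRB_REALM"
}

# Command that runs ldbsearch with the armored user ticket. $1 is the
# sAMAccountName to look up.
ldbsearch_cmd() {
    printf 'KRB5CCNAME=%s ldbsearch -H ldap://%s --use-kerberos=required "(sAMAccountName=%s)" dn' \
        "$USER_CCACHE" "$DC_HOST" "$1"
}

# Execute a built command when RUN_KINIT=1, otherwise just show it.
run_or_show() {
    if [ "${RUN_KINIT:-0}" = 1 ]; then
        eval "$1"
    else
        printf '%s\n' "$1"
    fi
}

run_or_show "$(armor_kinit_cmd 'WINCLIENT$')"
run_or_show "$(user_kinit_cmd padmin)"
run_or_show "$(ldbsearch_cmd padmin)"
```

On a Samba domain member the machine account's key is kept in secrets.tdb by default, so the first step assumes it has also been written to the keytab (for example with `net ads keytab create` under `kerberos method = secrets and keytab`); check that against your own configuration before relying on the script. The unprivileged case Andrew mentions, where a plain user has no access to the machine's credential cache, is exactly what this script does not cover.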