setting up authentication policies in 4.20rc2

Jo Sutton jsutton at samba.org
Mon Feb 19 23:53:28 UTC 2024


On 20/02/24 5:28 am, Stefan Kania via samba-technical wrote:
> 
> 
> On 19.02.24 at 02:48, Jo Sutton via samba-technical wrote:
>> On 18/02/24 6:11 am, Stefan Kania via samba-technical wrote:
>>> Hi to all,
>>>
>>> I just tried to set up authentication policies and authentication 
>>> silos in 4.20rc2.
>>> Following these steps:
>>> 1. create a policy
>>> samba-tool domain auth policy create --enforce --name winclient-pol
>>>
>>> 2. create a silo
>>> samba-tool domain auth silo create --enforce --name=winclient-silo
>>>
>>> 3. adding at least one user and one host to the silo
>>> samba-tool domain auth silo member grant --name=winclient-silo 
>>> --member=winclient\$
>>> samba-tool domain auth silo member grant --name=winclient-silo 
>>> --member=padmin
>>>
>>> BTW: In 4.19 it was "silo member add"
>>>
>>> 4. Set a single policy for all principals in this silo. With 4.19 that 
>>> was possible, and that's by the way also possible with a Windows DC. 
>>> On a Windows DC that's called "Use a single policy for all principals 
>>> that belong to this authentication silo".
>>>
>>> In 4.20 the option --policy is missing; you only have the options:
>>> --user-authentication-policy=
>>> --service-authentication-policy=
>>> --computer-authentication-policy=
>>> So it would be nice if the option --policy came back.
>>>
>>
>> We removed this option in commit 
>> c22400fd8ef961e472ce2803cf4a2ec58b778795. I don’t remember our exact 
>> reasoning, but we must have thought that it didn’t make much sense for 
>> a user and a computer to share the same authentication policy.
> 
> In this picture you see the screenshot (sorry, it's a German DC) showing that 
> you can select either all policies or select one.
> 
> https://ibb.co/kGB3XhR
> 
> I think, with Samba we should have the same possibility.
> 
>>
>>> The next step after creating the silo and the policy and adding the 
>>> clients and users to the silo would be adding:
>>>   --service-allowed-to-authenticate-from=SDDL
>>> and/or
>>> --service-allowed-to-authenticate-to=SDDL
>>>
>>> But where can I get the SDDL for the user and the client?
>>>
>>
>> Can you explain what you’d like to accomplish in this scenario? If you 
>> want to make sure the user ‘padmin’ authenticates from the computer 
>> ‘winclient$’, you can use 
>> ‘--user-allowed-to-authenticate-from-device-silo=winclient-silo’, and 
>> make sure the user and the computer both belong to the silo. Or if you 
>> want to let only users in the silo authenticate to the computer 
>> ‘winclient$’, you can use 
>> ‘--computer-allowed-to-authenticate-to-by-silo=winclient-silo’.
>>
> 
> I want to disallow the user padmin from logging in at the computer with the 
> name winclient. So all users who are members of the silo winclient-silo 
> should not be able to log in to the computer winclient.
> So for example I create a policy login-to-DCs, then add the group 
> "domain users" to the silo and the DCs. In a Windows domain I can now 
> configure whether to allow all users who are equal to a list of users, or not equal.
> As you can see in the next picture, I can choose either that the user must be 
> equal to the list to allow access, or that the user must not be equal to the 
> list to be allowed access.
> 
> https://ibb.co/SxgRzZW
> 
> I'm missing the part of selecting "member of the list" or "not member of 
> the list"
> 
> Stefan

First, I think you’ll want to do:

samba-tool user auth silo assign winclient\$ --silo=winclient-silo
samba-tool user auth silo assign padmin --silo=winclient-silo

to assign the silo to the user and the client.

I don’t think you want ‘--service-allowed-to…’. Those options apply to 
Managed Service Accounts, which you don’t appear to be dealing with.

I think this might be the command you want? —

samba-tool domain auth policy modify --name=winclient-pol 
--user-allowed-to-authenticate-from='O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_Member_of 
SID(S-1-2-3)))'

where winclient’s SID is substituted for ‘S-1-2-3’.

That should prevent any users in the silo from authenticating, unless 
they use FAST from a computer other than ‘winclient’.

Is that what you’re looking for?

Cheers,
Jo (she/her)
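The conditional-ACE SDDL from the command above, as an added example that is not part of the thread and not Samba's own code: a small Python helper that builds the `--user-allowed-to-authenticate-from` value in exactly that shape for one or more SIDs, and parses such a value back so the SID list can be checked before the policy is applied. `S-1-2-3` is the same placeholder as in the message; the brace-wrapped form for several SIDs follows Microsoft's conditional-ACE grammar and is an assumption, as is the sample SID `S-1-5-21-1-2-3-1105`.

```python
import re

# Prefix and ACE shape copied from the samba-tool command in the message above.
SDDL_PREFIX = "O:SYG:SYD:"
# Textual SID form: S-1-<identifier authority>-<subauthority>[-<subauthority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# Only the exact shape used here is accepted; other conditional ACEs are rejected.
ACE_RE = re.compile(
    r"^O:SYG:SYD:\(XA;OICI;CR;;;WD;\((Not_Member_of|Member_of) (.*)\)\)$"
)


def validate_sid(sid: str) -> str:
    """Reject anything that is not a well-formed SID string (e.g. 'winclient$')."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a valid SID string: {sid!r}")
    return sid


def member_of_sddl(sids, negate=True) -> str:
    """Build the 'allowed to authenticate from' SDDL for an authentication policy.

    negate=True gives Not_Member_of (deny the listed device SIDs), as in the
    message; negate=False gives Member_of (allow only those devices).  A single
    SID is emitted bare, several are wrapped in braces (assumed grammar).
    """
    terms = [f"SID({validate_sid(s)})" for s in sids]
    if not terms:
        raise ValueError("at least one SID is required")
    operand = terms[0] if len(terms) == 1 else "{" + ", ".join(terms) + "}"
    op = "Not_Member_of" if negate else "Member_of"
    return f"{SDDL_PREFIX}(XA;OICI;CR;;;WD;({op} {operand}))"


def parse_member_of_sddl(sddl: str):
    """Inverse of member_of_sddl: return (negate, [sids]), or raise on a different shape."""
    m = ACE_RE.match(sddl)
    if not m:
        raise ValueError("SDDL does not have the expected conditional-ACE shape")
    op, operand = m.groups()
    sids = re.findall(r"SID\((S-[\d-]+)\)", operand)
    if not sids or not all(SID_RE.match(s) for s in sids):
        raise ValueError("no valid SID() terms found")
    return op == "Not_Member_of", sids
```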
