setting up authentication policies in 4.20rc2

Stefan Kania stefan at kania-online.de
Tue Feb 20 15:57:08 UTC 2024



Am 20.02.24 um 00:53 schrieb Jo Sutton via samba-technical:
> On 20/02/24 5:28 am, Stefan Kania via samba-technical wrote:
>>
>>
>> Am 19.02.24 um 02:48 schrieb Jo Sutton via samba-technical:
>>> On 18/02/24 6:11 am, Stefan Kania via samba-technical wrote:
>>>> Hi to all,
>>>>
>>>> I just tried to set up authentication policies and authentication 
>>>> silos in 4.20rc2.
>>>> Following these steps:
>>>> 1. create a policy
>>>> samba-tool domain auth policy create --enforce --name winclient-pol
>>>>
>>>> 2. create a silo
>>>> samba-tool domain auth silo create --enforce --name=winclient-silo
>>>>
>>>> 3. add at least one user and one host to the silo
>>>> samba-tool domain auth silo member grant --name=winclient-silo --member=winclient\$
>>>> samba-tool domain auth silo member grant --name=winclient-silo --member=padmin
>>>>
>>>> BTW: In 4.19 it was "silo member add"
>>>>
>>>> 4. Set a single policy for all principals in this silo. With 4.19 that 
>>>> was possible, and it is by the way also possible with a Windows DC. 
>>>> On a Windows DC it is called "Use a single policy for all 
>>>> principals that belong to this authentication silo".
>>>>
>>>> In 4.20 the option --policy is missing; you only have the options 
>>>> to add:
>>>> --user-authentication-policy=
>>>> --service-authentication-policy=
>>>> --computer-authentication-policy=
>>>> So it would be nice if the option --policy came back.
>>>>
>>>
>>> We removed this option in commit 
>>> c22400fd8ef961e472ce2803cf4a2ec58b778795. I don’t remember our exact 
>>> reasoning, but we must have thought that it didn’t make much sense 
>>> for a user and a computer to share the same authentication policy.
>>
>>
>> In this picture you see a screenshot (sorry, it's a German DC) showing 
>> that you can select either all policies or a single one.
>>
>> https://ibb.co/kGB3XhR
>>
>> I think, with Samba we should have the same possibility.
>>
>>>
>>>> The next step after creating the silo and the policy and adding the 
>>>> clients and users to the silo would be adding:
>>>>   --service-allowed-to-authenticate-from=SDDL
>>>> and/or
>>>>   --service-allowed-to-authenticate-to=SDDL
>>>>
>>>> But where can I get the SDDL for the user and the client?
>>>>
>>>
>>> Can you explain what you’d like to accomplish in this scenario? If 
>>> you want to make sure the user ‘padmin’ authenticates from the 
>>> computer ‘winclient$’, you can use 
>>> ‘--user-allowed-to-authenticate-from-device-silo=winclient-silo’, and 
>>> make sure the user and the computer both belong to the silo. Or if 
>>> you want to let only users in the silo authenticate to the computer 
>>> ‘winclient$’, you can use 
>>> ‘--computer-allowed-to-authenticate-to-by-silo=winclient-silo’.
>>>
>>
>>
>>
>> I want to disallow the user padmin from logging in at the computer with 
>> the name winclient. So all users who are members of the silo 
>> winclient-silo should not be able to log in to the computer winclient.
>> So for example I create a policy login-to-DCs, then add the group 
>> "domain users" to the silo and the DCs. In a Windows domain I can now 
>> configure it to allow all users that are equal to a list of users, or not equal.
>> As you can see in the next picture, I can choose either that the user is 
>> equal to the list to allow the access, or that the user is not equal to 
>> the list to allow the access.
>>
>> https://ibb.co/SxgRzZW
>>
>> I'm missing the part where you select "member of the list" or "not 
>> member of the list".
>>
>>
>>
>>
>>
>> Stefan
> 
> First, I think you’ll want to do:
> 
> samba-tool user auth silo assign winclient\$ --silo=winclient-silo
> samba-tool user auth silo assign padmin --silo=winclient-silo
> 
> to assign the silo to the user and the client.
> 
> I don’t think you want ‘--service-allowed-to…’. Those options apply to 
> Managed Service Accounts, which you don’t appear to be dealing with.
> 
> I think this might be the command you want? —
> 
> samba-tool domain auth policy modify --name=winclient-pol 
> --user-allowed-to-authenticate-from='O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_Member_of SID(S-1-2-3)))'
> 
> where winclient’s SID is substituted for ‘S-1-2-3’.
> 
> That should prevent any users in the silo from authenticating, unless 
> they use FAST from a computer other than ‘winclient’.
> 
> Is that what you’re looking for?
> 
> Cheers,
> Jo (she/her)
> 
> 
Looks good at first view, but:

I started from the beginning:
samba-tool domain auth policy create --enforce --name winclient-pol
samba-tool domain auth silo create --enforce --name=winclient-silo
samba-tool user auth silo assign winclient\$ --silo=winclient-silo
samba-tool user auth silo assign winclient11\$ --silo=winclient-silo
samba-tool domain auth silo member grant --name=winclient-silo --member=winclient\$
samba-tool domain auth silo member grant --name=winclient-silo --member=padmin
samba-tool domain auth policy modify --name=winclient-pol --user-allowed-to-authenticate-from='O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_Member_of SID(S-1-5-21-2545884418-1286714830-2149023192-512)))'

But still the same: it doesn't matter whether the user is a member of the 
group 'domain admins' or not, he can log in.
Listing the policy shows:
--------------
root at addc420:~# samba-tool domain auth policy view --name winclient-pol
{
   "cn": "winclient-pol",
   "distinguishedName": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN 
Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "dn": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy 
Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "instanceType": 4,
   "msDS-AuthNPolicyEnforced": true,
   "msDS-StrongNTLMPolicy": 0,
   "msDS-UserAllowedToAuthenticateFrom": 
"O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_Member_of 
SID(S-1-5-21-2545884418-1286714830-2149023192-512)))",
   "name": "winclient-pol",
   "objectCategory": 
"CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net",
   "objectClass": [
     "top",
     "msDS-AuthNPolicy"
   ],
   "objectGUID": "fab89c1a-fa93-4014-ba0e-172e26f08d80"
--------------
And the silo:

--------------
root at addc420:~# samba-tool domain auth silo view --name winclient-silo
{
   "cn": "winclient-silo",
   "distinguishedName": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN 
Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "dn": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy 
Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "instanceType": 4,
   "msDS-AuthNPolicySiloEnforced": true,
   "msDS-AuthNPolicySiloMembers": [
     "CN=WINCLIENT,OU=stka,DC=example,DC=net",
     "CN=p admin,OU=stka,DC=example,DC=net"
   ],
   "msDS-ComputerAuthNPolicy": "CN=winclient-pol,CN=AuthN 
Policies,CN=AuthN Policy 
Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "msDS-UserAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN 
Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
   "name": "winclient-silo",
   "objectCategory": 
"CN=ms-DS-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=example,DC=net",
   "objectClass": [
     "top",
     "msDS-AuthNPolicySilo"
   ],
   "objectGUID": "8e272b33-fa8a-4e76-8972-990a16624d87"

--------------

Looking at the two objects "winclient" and "padmin" with ldbsearch 
shows:
----------------
ldbsearch --url=/var/lib/samba/private/sam.ldb "cn=p admin"
...
msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN 
Policy
   Configuration,CN=Services,CN=Configuration,DC=example,DC=net
whenChanged: 20240220152158.0Z
uSNChanged: 4406
msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN 
Polic
  y Configuration,CN=Services,CN=Configuration,DC=example,DC=net
...


----------------
ldbsearch --url=/var/lib/samba/private/sam.ldb "cn=winclient"
...
msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN 
Policy
   Configuration,CN=Services,CN=Configuration,DC=example,DC=net
whenChanged: 20240220152138.0Z
uSNChanged: 4405
msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN 
Polic
  y Configuration,CN=Services,CN=Configuration,DC=example,DC=net
distinguishedName: CN=WINCLIENT,OU=stka,DC=example,DC=net
...

So no change :-(

I again tried to set up the same with Windows and it works. The only 
difference (using the same names) is that the condition is different from 
the one Samba shows.
Condition in Windows:
------------
msDS-UserAllowedToAuthenticateFrom: 
O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.example://ext/AuthenticationSilo != 
"winclient-silo"))
------------


Stefan
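Added example, not code from Samba, Windows or anyone in this thread: a small Python evaluator for the two conditional-ACE shapes that appear above, the Samba-side `Not_Member_of SID(...)` form and the Windows-generated `@USER.example://ext/AuthenticationSilo != "..."` form. It assumes (as Jo's remark about FAST implies) that an msDS-UserAllowedToAuthenticateFrom condition is decided against the token of the device the user authenticates from, models that token with a constructed `Token` class (group SIDs plus claims), and follows MS-DTYP for the operators: `Member_of` is true when every listed SID is in the token, `Not_Member_of` is its negation, and a claim that is absent from the token yields "unknown", which does not satisfy an allow ACE. The Domain Admins SID and the claim name are taken from the output quoted above; all tokens are constructed sample data.

```python
"""Simplified conditional-ACE evaluator (illustrative model, not Samba's code)."""
import re
from dataclasses import dataclass, field


@dataclass
class Token:
    """Constructed stand-in for the device token the DC evaluates (assumed model)."""
    sids: set
    claims: dict = field(default_factory=dict)  # claim name -> value


# (XA|XD);flags;rights;object;inherited-object;trustee;(condition)
ACE_RE = re.compile(r"^\((X[AD]);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);\((.*)\)\)$", re.S)
MEMBER_RE = re.compile(r"^(Not_Member_of|Member_of)\s+(.+)$", re.S)
SID_RE = re.compile(r"SID\(([^)]+)\)")
CLAIM_RE = re.compile(r'^@(USER|DEVICE)\.(\S+)\s*(==|!=)\s*"([^"]*)"$')
SILO_CLAIM = "example://ext/AuthenticationSilo"  # claim name as shown in the Windows output


def split_aces(dacl):
    """Split the DACL body into top-level '(...)' ACE strings, honouring nested parens."""
    aces, depth, start = [], 0, None
    for i, ch in enumerate(dacl):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                aces.append(dacl[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced parentheses in DACL")
    return aces


def parse_conditional_ace(ace):
    m = ACE_RE.match(ace)
    if not m:
        raise ValueError(f"not a conditional ACE: {ace}")
    ace_type, _flags, _rights, _obj, _inh_obj, trustee, cond = m.groups()
    return ace_type, trustee, cond.strip()


def eval_condition(cond, token):
    """Evaluate the supported condition forms against a token; False on 'unknown'."""
    m = MEMBER_RE.match(cond)
    if m:
        sids = set(SID_RE.findall(m.group(2)))  # accepts SID(x) or {SID(x), SID(y)}
        if not sids:
            raise ValueError(f"no SID() in membership condition: {cond}")
        all_present = sids <= token.sids  # MS-DTYP: Member_of needs every listed SID
        return all_present if m.group(1) == "Member_of" else not all_present
    m = CLAIM_RE.match(cond)
    if m:
        _scope, name, op, value = m.groups()
        if name not in token.claims:
            return False  # missing claim -> UNKNOWN, never satisfies an allow ACE
        equal = token.claims[name] == value
        return equal if op == "==" else not equal
    raise ValueError(f"unsupported condition: {cond}")


def allowed_from(sddl, device):
    """Decide an msDS-UserAllowedToAuthenticateFrom SDDL for the given device token."""
    m = re.search(r"D:[A-Z]*(\(.*)$", sddl, re.S)
    if not m:
        raise ValueError("no DACL in SDDL")
    for ace in split_aces(m.group(1)):
        ace_type, trustee, cond = parse_conditional_ace(ace)
        if trustee != "WD" and trustee not in device.sids:  # WD = Everyone
            continue
        if eval_condition(cond, device):
            return ace_type == "XA"  # XA = callback allow, XD = callback deny
    return False  # nothing matched: default deny


def not_member_of_policy(sid):
    """Samba-style condition from the thread: allow unless the device holds `sid`."""
    return f"O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_Member_of SID({sid})))"


def silo_policy(silo, only_from_silo):
    """Windows-style condition from the thread, keyed on the device's silo claim."""
    op = "==" if only_from_silo else "!="
    return f'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.{SILO_CLAIM} {op} "{silo}"))'


DOMAIN_ADMINS = "S-1-5-21-2545884418-1286714830-2149023192-512"  # SID from the thread
DOMAIN_USERS = "S-1-5-21-2545884418-1286714830-2149023192-513"   # constructed sample

if __name__ == "__main__":
    dev = Token({DOMAIN_USERS}, {SILO_CLAIM: "winclient-silo"})
    print(allowed_from(not_member_of_policy(DOMAIN_ADMINS), dev))   # group test
    print(allowed_from(silo_policy("winclient-silo", False), dev))  # silo-claim test
```

The two conditions test different things about the device: the `Not_Member_of SID(...)` form looks only at the SIDs in the device's token, so a device that is not in the named group passes regardless of its silo, while the claim form looks only at the silo attribute and ignores group membership entirely.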