setting up authentication policies in 4.20rc2

Wed Feb 21 02:50:36 UTC 2024

On 21/02/24 4:57 am, Stefan Kania via samba-technical wrote:
> 
> 
> Am 20.02.24 um 00:53 schrieb Jo Sutton via samba-technical:
>> On 20/02/24 5:28 am, Stefan Kania via samba-technical wrote:
>>>
>>>
>>> Am 19.02.24 um 02:48 schrieb Jo Sutton via samba-technical:
>>>> On 18/02/24 6:11 am, Stefan Kania via samba-technical wrote:
>>>>> Hi to all,
>>>>>
>>>>> I just tried to setup authentication policies and authentication 
>>>>> silos in 4.20rc2.
>>>>> Following these steps:
>>>>> 1. create a policy
>>>>> samba-tool domain auth policy create --enforce --name winclient-pol
>>>>>
>>>>> 2. create a silo
>>>>> samba-tool domain auth silo create --enforce --name=winclient-silo
>>>>>
>>>>> 3. adding a at least one user and one host to the silo
>>>>> samba-tool domain auth silo member grant --name=winclient-silo 
>>>>> --member=winclient\$
>>>>> samba-tool domain auth silo member grant --name=winclient-silo 
>>>>> --member=padmin
>>>>>
>>>>> BTW: In 4.19 it was "silo member add"
>>>>>
>>>>> 4. Set single policy for all principals in this silo. with 4.19 
>>>>> that was possible and that's by the way also possible with a 
>>>>> windows DC. That's on a windows DC called "Use a single policy for 
>>>>> all principals that belog to this authentication silo"
>>>>>
>>>>> In 4.20 the option --policy is missing, you have only the option to 
>>>>> add:
>>>>> --user-authentication-policy=
>>>>> --service-authentication-policy=
>>>>> --computer-authentication-policy=
>>>>> So it would be nice if the option --policy will be back
>>>>>
>>>>
>>>> We removed this option in commit 
>>>> c22400fd8ef961e472ce2803cf4a2ec58b778795. I don’t remember our exact 
>>>> reasoning, but we must have thought that it didn’t make much sense 
>>>> for a user and a computer to share the same authentication policy.
>>>
>>>
>>> In this picture us see the screenshot from (soory it's a german DC) 
>>> that you cann select either all policies or select one.
>>>
>>> https://ibb.co/kGB3XhR
>>>
>>> I think, with Samba we should have the same possibility.
>>>
>>>>
>>>>> The next step after creating the silo and the policy and adding the 
>>>>> clients and users to the silo would be adding:
>>>>>   --service-allowed-to-authenticate-from=SDDL
>>>>> and/or
>>>>> -service-allowed-to-authenticate-to=SDDL
>>>>>
>>>>> But were can I get the SDDL for the user and the client?
>>>>>
>>>>
>>>> Can you explain what you’d like to accomplish in this scenario? If 
>>>> you want to make sure the user ‘padmin’ authenticates from the 
>>>> computer ‘winclient$’, you can use 
>>>> ‘--user-allowed-to-authenticate-from-device-silo=winclient-silo’, 
>>>> and make sure the user and the computer both belong to the silo. Or 
>>>> if you want to let only users in the silo authenticate to the 
>>>> computer ‘winclient$’, you can use 
>>>> ‘--computer-allowed-to-authenticate-to-by-silo=winclient-silo’.
>>>>
>>>
>>>
>>>
>>> I wan't to disallow the user padmin to login at the computer with the 
>>> name winclient. So all users who are member of the silo 
>>> winclient-silo should not be able to login to the computer winclient.
>>> So for example I create a policy login-to-DCs, than add the group 
>>> "domain users" to the silo and the DCs. In a windows-Domain now I can 
>>> configure to allow all userers are equal to a list of users or not 
>>> equal.
>>> As you can see in the next picture, I can choose either if the user 
>>> is equal to the list to allow the access, or the user is not equal to 
>>> the list to allowed to access.
>>>
>>> https://ibb.co/SxgRzZW
>>>
>>> I'm missing the part of selecting "member of the list" or "not member 
>>> of the list"
>>>
>>>
>>>
>>>
>>>
>>> Stefan
>>
>> First, I think you’ll want to do:
>>
>> samba-tool user auth silo assign winclient\$ --silo=winclient-silo
>> samba-tool user auth silo assign padmin --silo=winclient-silo
>>
>> to assign the silo to the user and the client.
>>
>> I don’t think you want ‘--service-allowed-to…’. Those options apply to 
>> Managed Service Accounts, which you don’t appear to be dealing with.
>>
>> I think this might be the command you want? —
>>
>> samba-tool domain auth policy modify --name=winclient-pol 
>> --user-allowed-to-authenticate-from='O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_Member_of SID(S-1-2-3)))'
>>
>> where winclient’s SID is substituted for ‘S-1-2-3’.
>>
>> That should prevent any users in the silo from authenticating, unless 
>> they use FAST from a computer other than ‘winclient’.
>>
>> Is that what you’re looking for?
>>
>> Cheers,
>> Jo (she/her)
>>
>>
> looks good on the first view but:
> 
> I started from the beginning:
> samba-tool domain auth policy create --enforce --name winclient-pol
> samba-tool domain auth silo create --enforce --name=winclient-silo
> samba-tool user auth silo assign winclient\$ --silo=winclient-silo
> samba-tool user auth silo assign winclient11\$ --silo=winclient-silo

I guess you actually ran:

samba-tool user auth silo assign padmin --silo=winclient-silo

right?

> samba-tool domain auth silo member grant --name=winclient-silo 
> --member=winclient\$
> samba-tool domain auth silo member grant --name=winclient-silo 
> --member=padmin
> samba-tool domain auth policy modify --name=winclient-pol 
> --user-allowed-to-authenticate-from='O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_Member_of SID(S-1-5-21-2545884418-1286714830-2149023192-512)))'
> 
> But still the same, it dosn't matter if the user is member of the group 
> 'domain admins' or not, he can login.
> listing the policy is showing:
> --------------
> root at addc420:~# samba-tool domain auth policy view --name winclient-pol
> {
>    "cn": "winclient-pol",
>    "distinguishedName": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN 
> Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>    "dn": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy 
> Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>    "instanceType": 4,
>    "msDS-AuthNPolicyEnforced": true,
>    "msDS-StrongNTLMPolicy": 0,
>    "msDS-UserAllowedToAuthenticateFrom": 
> "O:SYG:SYD:(XA;OICI;CR;;;WD;(Not_Member_of 
> SID(S-1-5-21-2545884418-1286714830-2149023192-512)))",
>    "name": "winclient-pol",
>    "objectCategory": 
> "CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net",
>    "objectClass": [
>      "top",
>      "msDS-AuthNPolicy"
>    ],
>    "objectGUID": "fab89c1a-fa93-4014-ba0e-172e26f08d80"
> --------------
> And the silo:
> 
> --------------
> root at addc420:~# samba-tool domain auth silo view --name winclient-silo
> {
>    "cn": "winclient-silo",
>    "distinguishedName": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN 
> Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>    "dn": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy 
> Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>    "instanceType": 4,
>    "msDS-AuthNPolicySiloEnforced": true,
>    "msDS-AuthNPolicySiloMembers": [
>      "CN=WINCLIENT,OU=stka,DC=example,DC=net",
>      "CN=p admin,OU=stka,DC=example,DC=net"
>    ],
>    "msDS-ComputerAuthNPolicy": "CN=winclient-pol,CN=AuthN 
> Policies,CN=AuthN Policy 
> Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>    "msDS-UserAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN 
> Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>    "name": "winclient-silo",
>    "objectCategory": 
> "CN=ms-DS-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=example,DC=net",
>    "objectClass": [
>      "top",
>      "msDS-AuthNPolicySilo"
>    ],
>    "objectGUID": "8e272b33-fa8a-4e76-8972-990a16624d87"
> 
> --------------
> 
> Looking with ldbsearch at the two objects "winclient and "padmin" is 
> showing:
> ----------------
> ldbsearch --url=/var/lib/samba/private/sam.ldb "cn=p admin"
> ...
> msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN 
> Policy
>    Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> whenChanged: 20240220152158.0Z
> uSNChanged: 4406
> msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN 
> Polic
>   y Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> ...
> 
> 
> ----------------
> ldbsearch --url=/var/lib/samba/private/sam.ldb "cn=winclient"
> ...
> msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN 
> Policy
>    Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> whenChanged: 20240220152138.0Z
> uSNChanged: 4405
> msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN 
> Polic
>   y Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> distinguishedName: CN=WINCLIENT,OU=stka,DC=example,DC=net
> ...
> 
> So no change :-(
> 
> I again tried to set up the same with Windows and it works. The only 
> diffrence (using the same names) is that the condition is different to 
> the one samba is showing
> condition in Windows
> ------------
> msDS-UserAllowedToAuthenticateFrom: 
> O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.example://ext/AuthenticationSilo != 
> "winclient-silo"))
> ------------
> 
> 
> Stefan

I think the problem is the SID in the authentication policy’s SDDL. 
S-1-5-21-2545884418-1286714830-2149023192-512 is the SID of the Domain 
Administrators group. Thus, what the SDDL means is “users with this 
authentication policy applied may authenticate from devices that don’t 
belong to the Domain Administrators group”. Note that it’s the *device* 
that the condition applies to, not the user. So it won’t make a 
difference if the user is in the Domain Administrators group or not.

If you want the policy to prevent users from logging into the computer 
‘winclient’, try using that computer’s SID instead of the Domain 
Administrators SID.

Cheers,
Jo (she/her)