setting up authentication policies in 4.20rc2

Stefan Kania stefan at kania-online.de
Thu Feb 22 08:44:08 UTC 2024



On 21.02.24 at 03:50, Jo Sutton via samba-technical wrote:
> I think the problem is the SID in the authentication policy’s SDDL. 
> S-1-5-21-2545884418-1286714830-2149023192-512 is the SID of the Domain 
> Administrators group. Thus, what the SDDL means is “users with this 
> authentication policy applied may authenticate from devices that don’t 
> belong to the Domain Administrators group”. Note that it’s the *device* 
> that the condition applies to, not the user. So it won’t make a 
> difference if the user is in the Domain Administrators group or not.
> 
> If you want the policy to prevent users from logging into the computer 
> ‘winclient’, try using that computer’s SID instead of the Domain 
> Administrators SID.
> 
> Cheers,
> Jo (she/her)

Hi Jo,

this makes no sense at all. Normally you don't need a silo at all; you 
can just create a policy, add some hosts and users to the policy, define a 
condition, and every time you need a new host or user, assign the policy to 
the user. Compare it with the filesystem (I know it's not the same): it 
would be the same as giving permission via ACL to every single user. Nobody 
would do this. You assign a group to the directory's ACL, give the 
group the permission, and assign users to the group.

The same should be done with the policies. You create the policy with 
the condition (that's the permission comparing to a filesystem ACL). 
Then you create the silo and assign all the users and hosts to the silo. 
Then you add the silo to the permission. So I can have different silos 
with different users and hosts and assign the policy to them.

But with samba-tool it's not possible to assign a silo to a policy with
samba-tool domain auth policy modify --name=winclient-pol 
--user-allowed-to-authenticate-from=winclient-silo

That's what you are doing in a Windows domain.

Stefan
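Jo's point above is that the SID inside the policy's "allowed to authenticate from" SDDL is checked against the *device's* token, so reading the SDDL back before applying the policy avoids exactly this confusion. The following is an added example, not code from Samba or from either poster: a small Python helper that pulls the conditional ACE(s) out of such an SDDL string, names the membership operator (including the Not_ negation) and classifies each referenced SID by its RID. The SDDL string, the well-known-RID table and the RID >= 1000 heuristic for ordinary accounts are constructed assumptions for the example; the Domain Admins SID is the one quoted in the thread.

```python
import re

# Subset of well-known domain-relative RIDs (constructed table for this example).
WELL_KNOWN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    515: "Domain Computers",
    516: "Domain Controllers",
    519: "Enterprise Admins",
}

# Constructed "allowed to authenticate from" SDDL, shaped like the one the thread
# discusses: a single conditional ACE whose condition names the Domain Admins SID.
EXAMPLE_SDDL = (
    "O:SYG:SYD:(XA;OICI;CR;;;WD;"
    "(Not_Member_of_any {SID(S-1-5-21-2545884418-1286714830-2149023192-512)}))"
)

# A conditional ACE has the form (XA;flags;rights;obj;inh;trustee;(expression)).
CACE_RE = re.compile(r"\(X[AD];[^;]*;[^;]*;[^;]*;[^;]*;[^;]*;\((?P<expr>.*?)\)\)")
# Membership operators as they appear in the expression, with optional Not_/Device_ prefixes.
OP_RE = re.compile(r"(Not_)?(Device_)?Member_of(_any)?")
# Domain SIDs written as SID(S-1-5-21-<sub>-<sub>-<sub>-<rid>); group 1 = SID, group 2 = RID.
SID_RE = re.compile(r"SID\((S-1-5-21-\d+-\d+-\d+-(\d+))\)")


def classify_rid(rid):
    """Describe a domain-relative RID: well-known group, ordinary account, or unknown."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid] + " (group)"
    if rid >= 1000:  # assumption: normal user/computer accounts get RIDs from 1000 upwards
        return "ordinary account (user or computer)"
    return "unrecognised well-known RID"


def explain_condition(sddl):
    """Return one dict per conditional ACE: operator, whether it is negated, and the SIDs it names."""
    result = []
    for ace in CACE_RE.finditer(sddl):
        expr = ace.group("expr")
        op = OP_RE.search(expr)
        result.append({
            "operator": op.group(0) if op else None,
            "negated": bool(op and op.group(1)),
            "sids": [(sid, classify_rid(int(rid))) for sid, rid in SID_RE.findall(expr)],
        })
    return result


def summarize(sddl):
    """Human-readable lines; for 'allowed to authenticate from' the condition is about the device."""
    lines = []
    for entry in explain_condition(sddl):
        verb = "must NOT be a member of" if entry["negated"] else "must be a member of"
        for sid, kind in entry["sids"]:
            lines.append(f"device {verb} {sid} -> {kind}")
    return lines


if __name__ == "__main__":
    for line in summarize(EXAMPLE_SDDL):
        print(line)
```

Run against the constructed SDDL it reports that the device must not be a member of the Domain Admins group, which is the reading Jo gives above; a computer account's SID would instead classify as an ordinary account.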