setting up authentication policies in 4.20rc2

Jo Sutton jsutton at samba.org
Tue Feb 27 01:57:17 UTC 2024


On 22/02/24 9:44 pm, Stefan Kania via samba-technical wrote:
> 
> 
> Am 21.02.24 um 03:50 schrieb Jo Sutton via samba-technical:
>> I think the problem is the SID in the authentication policy’s SDDL. 
>> S-1-5-21-2545884418-1286714830-2149023192-512 is the SID of the Domain 
>> Administrators group. Thus, what the SDDL means is “users with this 
>> authentication policy applied may authenticate from devices that don’t 
>> belong to the Domain Administrators group”. Note that it’s the 
>> *device* that the condition applies to, not the user. So it won’t make 
>> a difference if the user is in the Domain Administrators group or not.
>>
>> If you want the policy to prevent users from logging into the computer 
>> ‘winclient’, try using that computer’s SID instead of the Domain 
>> Administrators SID.
>>
>> Cheers,
>> Jo (she/her)
> 
> Hi Jo,
> 
> this makes no sense at all. Normally you don't need a silo at all, you 
> can just create a policy, add some hosts and users to the policy, define a 
> condition and every time you need a new host or user assign the policy to 
> the user. Compare it with the filesystem (I know it's not the same) it 
> would be the same giving permission via ACL to every single user. Nobody 
> would do this. You assign a group to the directory's ACL and give the 
> group the permission and assign users to the group.
> 

Sorry? You told me you wanted to forbid all users who were members of a 
certain silo from logging on to a specific computer. If that’s not what 
you’re after, can you more clearly state what you’re trying to do?

> The same should be done with the policies. You create the policy with 
> the condition (that's the permission comparing to a filesystem ACL). 
> Then you create the silo and assign all the users and hosts to the silo. 
> Then you add the silo to the permission. So I can have different silos 
> with different users and hosts and assign the policy to them.
> 
> But with samba-tool it's not possible to assign a silo to a policy with
> samba-tool domain auth policy modify --name=winclient-pol 
> --user-allowed-to-authenticate-from=winclient-silo
> 

You don’t assign a silo to a policy, you set a policy on a silo.

‘--user-allowed-to-authenticate-from’ specifies the conditions a device 
must meet in order for a user to be able to authenticate from it. It 
corresponds to the ‘msDS-UserAllowedToAuthenticateFrom’ attribute in 
Active Directory, and it takes SDDL, not the name of a silo.

‘--user-allowed-to-authenticate-from-device-silo=winclient-silo’, on the 
other hand, takes the name of a silo to which a device must belong for a 
user to be able to authenticate from it. Is that perhaps closer to what 
you’re looking for?

Cheers,
Jo (she/her)
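To make the point about device conditions concrete, here is an added example (not code from the thread, and not Samba's own implementation). It builds an SDDL string of the conditional-ACE form Microsoft documents for msDS-UserAllowedToAuthenticateFrom, parses the Member_of / Not_Member_of condition back out, and simulates how the domain controller evaluates it: against the device's group SIDs, while the user's own group memberships are ignored. The `O:SYG:SYD:(XA;OICI;CR;;;WD;(...))` skeleton and the device group SIDs are constructed for the example; the domain SID and the Domain Admins RID 512 are the ones from the thread.

```python
import re

# Well-known domain-relative RIDs (the last component of a domain SID).
WELL_KNOWN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    515: "Domain Computers",
    516: "Domain Controllers",
}

# Domain SID taken from the thread; the Domain Admins SID is <domain>-512.
DOMAIN_SID = "S-1-5-21-2545884418-1286714830-2149023192"
DOMAIN_ADMINS_SID = f"{DOMAIN_SID}-512"


def describe_sid(sid):
    """Return a human-readable name for a domain SID with a well-known RID."""
    rid = int(sid.rsplit("-", 1)[1])
    return WELL_KNOWN_RIDS.get(rid, f"RID {rid} (not a well-known group)")


def build_device_condition_sddl(group_sid, allow_members=True):
    """Build the SDDL for msDS-UserAllowedToAuthenticateFrom.

    The conditional ACE grants the control-access right (CR) to Everyone (WD)
    only when the condition holds; the condition is evaluated against the
    *device* token. allow_members=False yields a Not_Member_of_any condition,
    i.e. "from devices that are not in this group". (Constructed skeleton;
    what a real domain generates may add or reorder fields.)
    """
    op = "Member_of_any" if allow_members else "Not_Member_of_any"
    return f"O:SYG:SYD:(XA;OICI;CR;;;WD;({op} {{SID({group_sid})}}))"


# Matches a (Not_)Member_of(_any) {SID(...), SID(...)} condition.
_COND_RE = re.compile(
    r"\((Not_)?Member_of(_any)? \{((?:SID\([^)]+\)(?:,\s*)?)+)\}\)"
)


def parse_device_condition(sddl):
    """Return (negated, any_of, [sids]) for the first membership condition."""
    m = _COND_RE.search(sddl)
    if m is None:
        raise ValueError("no Member_of condition found in SDDL")
    negated = m.group(1) is not None
    any_of = m.group(2) is not None
    sids = re.findall(r"SID\(([^)]+)\)", m.group(3))
    return negated, any_of, sids


def device_may_authenticate(sddl, device_group_sids, user_group_sids=()):
    """Simulate the DC's decision for a user logging on from a device.

    user_group_sids is accepted but deliberately unused: as the thread
    explains, the condition in this attribute applies to the device, so the
    user's own membership (e.g. in Domain Admins) makes no difference.
    """
    negated, any_of, sids = parse_device_condition(sddl)
    device = set(device_group_sids)
    if any_of:
        hit = any(s in device for s in sids)
    else:
        hit = all(s in device for s in sids)
    return (not hit) if negated else hit


if __name__ == "__main__":
    sddl = build_device_condition_sddl(DOMAIN_ADMINS_SID, allow_members=False)
    print(sddl)
    print("condition group:", describe_sid(DOMAIN_ADMINS_SID))
    # Constructed device tokens: a workstation in Domain Computers only, and
    # a machine that is also a member of Domain Admins.
    plain_device = [f"{DOMAIN_SID}-515"]
    admin_device = [f"{DOMAIN_SID}-515", DOMAIN_ADMINS_SID]
    for user in ([f"{DOMAIN_SID}-513"], [DOMAIN_ADMINS_SID]):
        print("plain device:", device_may_authenticate(sddl, plain_device, user),
              "| admin device:", device_may_authenticate(sddl, admin_device, user))
```

Running it shows the same verdict for a Domain Users member and a Domain Admins member: the plain workstation is allowed and the device that belongs to Domain Admins is refused, because only the device's token is consulted. To block a single computer such as the one called winclient, the SID in the condition has to be that computer's own SID (or, as Jo suggests, a group or silo containing it), not the Domain Admins SID.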
