Rob van der Linde
2023-Oct-27 00:32 UTC
[Samba] Question about silos and Authentication policies
Hi Stefan,

Yes, it looks like your testing has found a gap in the functionality.

First of all, the single --policy: I removed that; it's just the individual args now: --user-authentication-policy, --service-authentication-policy, --computer-authentication-policy. I know this is longer, but I wanted it to be consistent with the PowerShell tooling (to a point). This is explained in MR !3325 on Gitlab, which should get merged soon.

The missing functionality is --silo and --policy on the modify user, and probably also the create user, commands.

Right now, if I add a user to two silos, it automatically sets the assigned silo to the last one I did; this is probably not the desired behaviour.

On 21/10/23 06:57, Stefan Kania via samba wrote:
> Now I created a policy with:
>
> ---------
> samba-tool domain auth policy create --enforce --name winclient-pol
> ---------
>
> and a silo with:
>
> ---------
> samba-tool domain auth silo create --enforce --name=winclient-silo
>
> Then I add the following objects to the silo
> ---------
> samba-tool domain auth silo member add --name=winclient-silo --member=padmin
>
> samba-tool domain auth silo member add --name=winclient-silo --member=winclient\$
> ---------
>
> Then assigning the policy to the silo with:
>
> -------------
> samba-tool domain auth silo modify --name=winclient-silo --policy=winclient-pol
> -------------
>
> The next step would be to assign the silo to the user and the host, but I don't see any option in "samba-tool domain auth ..." to do this. The same with adding the host to the policy.
>
> On a Windows system I would do this with "ADAC", but I can't use it with a Samba DC.
>
> Is there a way to do it with samba-tool, or any other tool?
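Rob's observation that a principal can end up in several silos, and the quoted steps that stop short of assigning the silo to the user and host, both reduce to one consistency check over the directory objects. The Python below is an added example, not code from this thread or from Samba: it parses a small constructed LDIF export and flags principals whose silo membership and silo assignment disagree. Attribute names are the standard AD schema names for authentication silos; the DNs and the sample entries are constructed.

```python
import re
from collections import defaultdict

# Constructed LDIF export (not from the thread): two silos and two principals.
# padmin is a member of both silos and assigned to the second (unenforced) one;
# winclient$ is a silo member but has never been assigned a silo.
SAMPLE_LDIF = """\
dn: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=com
objectClass: msDS-AuthNPolicySilo
msDS-AuthNPolicySiloEnforced: TRUE
msDS-AuthNPolicySiloMembers: CN=padmin,CN=Users,DC=example,DC=com
msDS-AuthNPolicySiloMembers: CN=winclient,CN=Computers,DC=example,DC=com

dn: CN=other-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=com
objectClass: msDS-AuthNPolicySilo
msDS-AuthNPolicySiloMembers: CN=padmin,CN=Users,DC=example,DC=com

dn: CN=padmin,CN=Users,DC=example,DC=com
objectClass: user
msDS-AssignedAuthNPolicySilo: CN=other-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=com

dn: CN=winclient,CN=Computers,DC=example,DC=com
objectClass: computer
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs[key].append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def check_silo_assignments(text):
    """Return (principal DN, problem) pairs; an empty list means consistent."""
    entries = parse_ldif(text)
    member_of = defaultdict(list)   # principal DN -> silos that list it as member
    enforced = set()                # silo DNs with msDS-AuthNPolicySiloEnforced=TRUE
    for dn, a in entries.items():
        if "msDS-AuthNPolicySilo" in a["objectClass"]:
            if a.get("msDS-AuthNPolicySiloEnforced") == ["TRUE"]:
                enforced.add(dn)
            for member in a["msDS-AuthNPolicySiloMembers"]:
                member_of[member].append(dn)
    findings = []
    for dn, a in entries.items():
        if "msDS-AuthNPolicySilo" in a["objectClass"]:
            continue
        silos = member_of.get(dn, [])
        assigned = a.get("msDS-AssignedAuthNPolicySilo", [None])[0]
        if len(silos) > 1:
            findings.append((dn, "member of several silos: " + ", ".join(silos)))
        if assigned is None and silos:
            # Membership alone does not protect the principal; it must be assigned too.
            findings.append((dn, "silo member but no assigned silo"))
        elif assigned and assigned not in silos:
            findings.append((dn, "assigned silo does not list the principal as member"))
        elif assigned and assigned not in enforced:
            findings.append((dn, "assigned silo is not enforced (audit mode only)"))
    return findings
```

Run against a real export (for example the output of ldbsearch over the AuthN Policy Configuration container and the user and computer objects) to list every principal whose silo state is incomplete before relying on it.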
Stefan Kania
2023-Oct-27 09:38 UTC
[Samba] Question about silos and Authentication policies
Ok, this will fix the missing function to add the silo to a user, but will not fix the missing condition ;-). Without it it's not possible to prevent a user from logging in to a defined computer.

On 27.10.23 at 02:32, Rob van der Linde via samba wrote:
> Hi Stefan,
>
> Yes, it looks like your testing has found a gap in the functionality.
>
> First of all, the single --policy: I removed that; it's just the individual args now: --user-authentication-policy, --service-authentication-policy, --computer-authentication-policy. I know this is longer, but I wanted it to be consistent with the PowerShell tooling (to a point). This is explained in MR !3325 on Gitlab, which should get merged soon.
>
> The missing functionality is --silo and --policy on the modify user, and probably also the create user, commands.
>
> Right now, if I add a user to two silos, it automatically sets the assigned silo to the last one I did; this is probably not the desired behaviour.
>
> On 21/10/23 06:57, Stefan Kania via samba wrote:
>> Now I created a policy with:
>>
>> ---------
>> samba-tool domain auth policy create --enforce --name winclient-pol
>> ---------
>>
>> and a silo with:
>>
>> ---------
>> samba-tool domain auth silo create --enforce --name=winclient-silo
>>
>> Then I add the following objects to the silo
>> ---------
>> samba-tool domain auth silo member add --name=winclient-silo --member=padmin
>>
>> samba-tool domain auth silo member add --name=winclient-silo --member=winclient\$
>> ---------
>>
>> Then assigning the policy to the silo with:
>>
>> -------------
>> samba-tool domain auth silo modify --name=winclient-silo --policy=winclient-pol
>> -------------
>>
>> The next step would be to assign the silo to the user and the host, but I don't see any option in "samba-tool domain auth ..." to do this. The same with adding the host to the policy.
>>
>> On a Windows system I would do this with "ADAC", but I can't use it with a Samba DC.
>>
>> Is there a way to do it with samba-tool, or any other tool?

--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam and protects your privacy. You can obtain a free certificate at https://www.dgn.de/dgncert/index.html
Download of the root certificates: https://www.dgn.de/dgncert/downloads.html
New GPG key: the public key is attached.
Stefan Kania
2023-Oct-27 14:54 UTC
[Samba] Question about silos and Authentication policies
On 27.10.23 at 02:32, Rob van der Linde via samba wrote:
> The missing functionality is --silo and --policy on the modify user, and probably also the create user, commands.

That's exactly right; that's also the way Windows is handling this.