Stefan Kania
2025-Jun-26 09:41 UTC
[Samba] setup auth-policies and auth-silos, a little howto
How to set up an authentication policy and an authentication silo

This little howto shows the setup of an authentication policy and an authentication silo to restrict which user can log in to a Windows client:

1. Set up the policy

   samba-tool domain auth policy create --name win11-policy --enforce

2. Change the ticket lifetime

   samba-tool domain auth policy modify --user-tgt-lifetime-mins=90 --name win11-policy

3. Create a silo

   samba-tool domain auth silo create --name win11-silo --enforce

4. Add the computer and the user to the silo

   samba-tool domain auth silo member grant --name win11-silo --member=skania
   samba-tool domain auth silo member grant --name win11-silo --member=WINCLIENT11\$

   (Don't forget the backslash in front of the dollar)

5. Set the condition for the policy

   samba-tool domain auth policy computer-allowed-to-authenticate-to set --by-silo=win11-silo --name=win11-policy

6. Assign the policy to the user and the computer

   samba-tool user auth policy assign --policy win11-policy skania
   samba-tool user auth policy assign --policy win11-policy winclient11\$

Now only user "skania" can log in to the Windows computer "winclient11".

To change the setting so that any user can log in except "skania", you have to edit the condition:

7. Changing the condition

   samba-tool domain auth policy modify --name win11-policy --computer-allowed-to-authenticate-to="O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != \"win11-silo\"))"

That's it.
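The seven steps above wrapped into one POSIX sh script, as an added example that is not part of Stefan Kania's post. It keeps the policy, silo and lifetime in variables so the names appear once, appends the trailing "$" to the computer account inside a function (so the shell-escaping trap from step 4 cannot bite), and builds the step-7 SDDL condition from the silo name. The DRY_RUN variable, the function names and the "apply"/"invert" arguments are my own conventions; the samba-tool subcommands and flags are exactly the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Names and the DRY_RUN /
# apply / invert conventions are assumptions of this script.
set -eu

POLICY="${POLICY:-win11-policy}"
SILO="${SILO:-win11-silo}"
TGT_MINS="${TGT_MINS:-90}"          # user TGT lifetime in minutes (step 2)

# Run a samba-tool command, or just print it when DRY_RUN=1 so the
# exact commands can be reviewed before touching the domain.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Computer accounts in AD end in '$'. On an interactive shell the post
# escapes it as \$; here it is appended inside the function instead.
computer_account() {
    case "$1" in
        *'$') printf '%s\n' "$1" ;;
        *)    printf '%s$\n' "$1" ;;
    esac
}

# Step 7 condition: allow everyone (WD) whose AuthenticationSilo claim
# is NOT the given silo, i.e. invert the "silo members only" rule.
deny_silo_condition() {
    printf 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo != "%s"))\n' "$1"
}

# Steps 1-6. Arguments are the silo members (users and computer accounts).
setup_policy_and_silo() {
    run samba-tool domain auth policy create --name "$POLICY" --enforce
    run samba-tool domain auth policy modify --user-tgt-lifetime-mins="$TGT_MINS" --name "$POLICY"
    run samba-tool domain auth silo create --name "$SILO" --enforce
    for m in "$@"; do
        run samba-tool domain auth silo member grant --name "$SILO" --member="$m"
    done
    run samba-tool domain auth policy computer-allowed-to-authenticate-to set --by-silo="$SILO" --name="$POLICY"
    for m in "$@"; do
        run samba-tool user auth policy assign --policy "$POLICY" "$m"
    done
}

# Step 7: everyone except silo members may authenticate to the computer.
invert_condition() {
    run samba-tool domain auth policy modify --name "$POLICY" \
        --computer-allowed-to-authenticate-to="$(deny_silo_condition "$SILO")"
}

# Usage:  DRY_RUN=1 sh silo.sh apply     (print the commands only)
#         sh silo.sh apply               (steps 1-6)
#         sh silo.sh invert              (step 7)
case "${1:-}" in
    apply)  setup_policy_and_silo skania "$(computer_account WINCLIENT11)" ;;
    invert) invert_condition ;;
esac
```

Run it once with DRY_RUN=1 and read the printed commands; the only lines that differ from the post are the member names, which now come from the arguments. samba-tool also accepts --audit instead of --enforce when creating a policy or silo, which records would-be denials in the logs without blocking logons, so a first pass in audit mode is a cheap way to confirm the silo membership is complete before enforcing it.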