Stefan Kania
2023-Oct-22 13:58 UTC
[Samba] Question about silos and Authentication policies
Talking to myself again ;-)

samba-tool works a little bit differently than the silo/policy management on a Windows DC. On a Windows DC, after assigning the user and host to the silo, you have to assign the silo to the user and the host. When assigning the user and host to the silo with samba-tool, the assignment to the user and the host is done at the same time. So now my policy looks like this:
-------------
root@addc-01:~# samba-tool domain auth policy view --name=winclient-pol
{
  "cn": "winclient-pol",
  "distinguishedName": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "dn": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "instanceType": 4,
  "msDS-AuthNPolicyEnforced": true,
  "msDS-ServiceTGTLifetime": 60,
  "msDS-StrongNTLMPolicy": 0,
  "name": "winclient-pol",
  "objectCategory": "CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net",
  "objectClass": [
    "top",
    "msDS-AuthNPolicy"
  ],
  "objectGUID": "21bc8ece-13c0-4ab1-8a79-38bdd6f6ea8d"
-------------

The silo looks like this:
-------------
root@addc-01:~# samba-tool domain auth silo view --name=winclient-silo
{
  "cn": "winclient-silo",
  "distinguishedName": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "dn": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "instanceType": 4,
  "msDS-AuthNPolicySiloEnforced": true,
  "msDS-AuthNPolicySiloMembers": [
    "CN=WINCLIENT,CN=Computers,DC=example,DC=net",
    "CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net"
  ],
  "msDS-ComputerAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "msDS-ServiceAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "msDS-UserAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "name": "winclient-silo",
  "objectCategory": "CN=ms-DS-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=example,DC=net",
  "objectClass": [
    "top",
    "msDS-AuthNPolicySilo"
  ],
  "objectGUID": "f063b775-e1da-4b2d-962b-d30f2cc8ffad"
-------------

My user "cn=protected admin" looks like this:
-------------
dn: CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: protected admin
sn: admin
givenName: protected
instanceType: 4
whenCreated: 20231020125659.0Z
displayName: protected admin
uSNCreated: 4267
name: protected admin
objectGUID: 770c22a3-aa6d-4cea-bdbe-5bebce9c2994
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-3996049225-3177602564-2265300751-1106
accountExpires: 9223372036854775807
sAMAccountName: padmin
sAMAccountType: 805306368
userPrincipalName: padmin@example.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=net
userAccountControl: 512
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=net
memberOf: CN=Protected Users,CN=Users,DC=example,DC=net
lastLogonTimestamp: 133422806290994480
msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
pwdLastSet: 133424547343802100
whenChanged: 20231022132534.0Z
uSNChanged: 4319
lastLogon: 133424547477453410
logonCount: 12
distinguishedName: CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net
-------------

And the host:
--------------
dn: CN=WINCLIENT,CN=Computers,DC=example,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: WINCLIENT
instanceType: 4
whenCreated: 20231019160325.0Z
uSNCreated: 4225
name: WINCLIENT
objectGUID: ca422c13-eb65-43ae-8ae9-7fea6950a972
userAccountControl: 4096
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
pwdLastSet: 133422050057063700
primaryGroupID: 515
objectSid: S-1-5-21-3996049225-3177602564-2265300751-1104
accountExpires: 9223372036854775807
sAMAccountName: WINCLIENT$
sAMAccountType: 805306369
dNSHostName: winclient.example.net
servicePrincipalName: HOST/winclient.example.net
servicePrincipalName: RestrictedKrbHost/winclient.example.net
servicePrincipalName: HOST/WINCLIENT
servicePrincipalName: RestrictedKrbHost/WINCLIENT
servicePrincipalName: WSMAN/winclient.example.net
servicePrincipalName: WSMAN/winclient
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=net
isCriticalSystemObject: FALSE
lastLogonTimestamp: 133422050059426810
operatingSystem: Windows 11 Pro
operatingSystemVersion: 10.0 (22621)
msDS-SupportedEncryptionTypes: 28
msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net
whenChanged: 20231020163411.0Z
uSNChanged: 4289
lastLogon: 133424546464979900
logonCount: 30
distinguishedName: CN=WINCLIENT,CN=Computers,DC=example,DC=net
--------------

So in both objects you can see the two attributes:
------------------
msDS-AuthNPolicySiloMembersBL:
msDS-AssignedAuthNPolicySilo:
------------------

These attributes look the same on a Windows Active Directory. I built the same domain with Windows Server 2022 and FL 2016. There it works.

In my Samba domain I can assign everything, but my user "cn=protected admin" can still log in to my host "winclient" :-(

Has anyone tried it yet and got it working?
On 20.10.23 at 19:57, Stefan Kania via samba wrote:
> Now I created a policy with:
>
> ---------
> samba-tool domain auth policy create --enforce --name winclient-pol
> ---------
>
> and a silo with:
>
> ---------
> samba-tool domain auth silo create --enforce --name=winclient-silo
>
> Then I add the following objects to the silo
> ---------
> samba-tool domain auth silo member add --name=winclient-silo --member=padmin
>
> samba-tool domain auth silo member add --name=winclient-silo --member=winclient\$
> ---------
>
> Then assigning the policy to the silo with:
>
> -------------
> samba-tool domain auth silo modify --name=winclient-silo --policy=winclient-pol
> -------------
>
> The next step would be to assign the silo to the user and the host, but
> I don't see any option in "samba-tool domain auth ..." to do this. The
> same with adding the host to the policy.
>
> On a Windows system I would do this with "ADAC", but I can't use it with
> a Samba DC.
>
> Is there a way to do it with samba-tool, or any other tool?
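Because a silo only takes effect when the silo lists the object as a member, the object carries msDS-AssignedAuthNPolicySilo pointing back at the silo, and both the silo and its policies are enforced rather than audit-only, it helps to check those links mechanically before blaming the DC. The script below is an added example, not code from this thread or from the Samba project: it parses ldbsearch-style LDIF (including folded continuation lines like the ones in the dumps above), then checks one silo for exactly those conditions. The sample LDIF is constructed from the DNs shown in the thread and trimmed to the attributes the check needs; a real run would feed it the output of `ldbsearch` against the DC instead. Note that samba-tool's `view` subcommands print JSON, not LDIF, so the parser targets ldbsearch output.

```python
"""Consistency check for AD authentication-policy silo links (added example)."""
from collections import defaultdict


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    A line starting with a single space continues the previous line (LDIF
    folding, as ldbsearch emits it). Base64 ("::") values are not handled.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold: drop the fold marker only
        else:
            lines.append(raw)
    records, current = [], None
    for line in lines + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(dict(current))
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr].append(value.strip())
    return records


def _is_true(record, attr):
    return record.get(attr, ["FALSE"])[0].upper() == "TRUE"


def check_silo(records, silo_dn):
    """Return a list of problems for silo_dn; an empty list means consistent."""
    by_dn = {r["dn"][0].lower(): r for r in records if "dn" in r}
    silo = by_dn.get(silo_dn.lower())
    if silo is None:
        return [f"silo {silo_dn} not found"]
    problems = []
    if not _is_true(silo, "msDS-AuthNPolicySiloEnforced"):
        problems.append("silo is audit-only: msDS-AuthNPolicySiloEnforced is not TRUE")
    # Each of the three policy slots must point at an existing, enforced policy.
    for attr in ("msDS-UserAuthNPolicy", "msDS-ComputerAuthNPolicy",
                 "msDS-ServiceAuthNPolicy"):
        pol_dn = silo.get(attr, [None])[0]
        policy = by_dn.get(pol_dn.lower()) if pol_dn else None
        if pol_dn is None:
            problems.append(f"silo has no {attr}")
        elif policy is None:
            problems.append(f"{attr} points to missing object {pol_dn}")
        elif not _is_true(policy, "msDS-AuthNPolicyEnforced"):
            problems.append(f"policy {pol_dn} ({attr}) is audit-only")
    # Forward link: every member must have the silo assigned back.
    members = {m.lower() for m in silo.get("msDS-AuthNPolicySiloMembers", [])}
    for member_dn in sorted(members):
        member = by_dn.get(member_dn)
        if member is None:
            problems.append(f"member {member_dn} not found")
            continue
        assigned = [a.lower() for a in member.get("msDS-AssignedAuthNPolicySilo", [])]
        if assigned != [silo_dn.lower()]:
            problems.append(f"{member['dn'][0]}: msDS-AssignedAuthNPolicySilo is "
                            f"{assigned or 'unset'}, expected {silo_dn}")
    # Reverse direction: objects claiming the silo without being members.
    for dn, rec in by_dn.items():
        claims = [a.lower() for a in rec.get("msDS-AssignedAuthNPolicySilo", [])]
        if silo_dn.lower() in claims and dn not in members:
            problems.append(f"{rec['dn'][0]} is assigned the silo but is not a member")
    return problems


SILO_DN = ("CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,"
           "CN=Services,CN=Configuration,DC=example,DC=net")
POLICY_DN = ("CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,"
             "CN=Services,CN=Configuration,DC=example,DC=net")

# Constructed sample (DNs from the thread, attributes trimmed); the user's
# silo attribute is folded over two lines to exercise the parser.
SAMPLE_LDIF = f"""\
dn: {POLICY_DN}
objectClass: msDS-AuthNPolicy
msDS-AuthNPolicyEnforced: TRUE
msDS-ServiceTGTLifetime: 60

dn: {SILO_DN}
objectClass: msDS-AuthNPolicySilo
msDS-AuthNPolicySiloEnforced: TRUE
msDS-AuthNPolicySiloMembers: CN=WINCLIENT,CN=Computers,DC=example,DC=net
msDS-AuthNPolicySiloMembers: CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net
msDS-UserAuthNPolicy: {POLICY_DN}
msDS-ComputerAuthNPolicy: {POLICY_DN}
msDS-ServiceAuthNPolicy: {POLICY_DN}

dn: CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net
objectClass: user
sAMAccountName: padmin
msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy
  Configuration,CN=Services,CN=Configuration,DC=example,DC=net

dn: CN=WINCLIENT,CN=Computers,DC=example,DC=net
objectClass: computer
sAMAccountName: WINCLIENT$
msDS-AssignedAuthNPolicySilo: {SILO_DN}
"""


def demo():
    """Run the check on the consistent sample and on a half-assigned copy."""
    records = parse_ldif(SAMPLE_LDIF)
    consistent = check_silo(records, SILO_DN)
    # Windows-style half-done state: user is a silo member, but the silo was
    # never assigned back on the user object.
    half_done = [dict(r) for r in records]
    for rec in half_done:
        if rec.get("sAMAccountName") == ["padmin"]:
            rec.pop("msDS-AssignedAuthNPolicySilo", None)
    return consistent, check_silo(half_done, SILO_DN)


if __name__ == "__main__":
    for label, problems in zip(("consistent", "half-assigned"), demo()):
        print(label, "->", problems or "OK")
```

The check deliberately ignores msDS-AuthNPolicySiloMembersBL: that attribute is a back-link the directory derives from the silo's msDS-AuthNPolicySiloMembers, so comparing the forward link on the silo with msDS-AssignedAuthNPolicySilo on the member is the meaningful test. A clean result only says the objects are linked and enforced; whether the KDC actually honours the silo at ticket-granting time is a separate question the DC's logs have to answer.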
Rob van der Linde
2023-Oct-23 21:03 UTC
[Samba] Question about silos and Authentication policies
Hi Stefan,

We had a long weekend in New Zealand, I'm catching up now on your emails.

Some of the slight differences from the Windows tools I've already picked up on, and they are in my PR that Andrew Bartlett mentioned on Friday, but I'm always open to learning what things are missing or different etc.

On 23/10/23 02:58, Stefan Kania via samba wrote:
> Talking to myself again ;-)
>
> Samba-tool is working a little bit different then the silo/policy
> management on a Windows-DC.
> On a Windows-DC after assigning the user and host to the silo you have
> to assign the silo to the user and the host. When assigning the user
> and host to the silo with samba-tool, the assignment to the user and
> the host will be done at the same time. So now my policy looks like that:
> [...]