Rob van der Linde
2023-Oct-23 21:03 UTC
[Samba] Question about silos and Authentication policies
Hi Stefan,

We had a long weekend in New Zealand, I'm catching up now to your emails.

Some of the slight differences between Windows tools I've already picked up on and are in my PR Andrew Bartlett mentioned on Friday, but I'm always open to learning what things are missing or different etc.

On 23/10/23 02:58, Stefan Kania via samba wrote:
> Talking to myself again ;-)
>
> Samba-tool is working a little bit different than the silo/policy management on a Windows-DC.
> On a Windows-DC, after assigning the user and host to the silo you have to assign the silo to the user and the host. When assigning the user and host to the silo with samba-tool, the assignment to the user and the host will be done at the same time. So now my policy looks like that:
> -------------
> root@addc-01:~# samba-tool domain auth policy view --name=winclient-pol
> {
>   "cn": "winclient-pol",
>   "distinguishedName": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>   "dn": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>   "instanceType": 4,
>   "msDS-AuthNPolicyEnforced": true,
>   "msDS-ServiceTGTLifetime": 60,
>   "msDS-StrongNTLMPolicy": 0,
>   "name": "winclient-pol",
>   "objectCategory": "CN=ms-DS-AuthN-Policy,CN=Schema,CN=Configuration,DC=example,DC=net",
>   "objectClass": [
>     "top",
>     "msDS-AuthNPolicy"
>   ],
>   "objectGUID": "21bc8ece-13c0-4ab1-8a79-38bdd6f6ea8d"
>
> -------------
>
> The silo looks like this:
> -------------
> root@addc-01:~# samba-tool domain auth silo view --name=winclient-silo
> {
>   "cn": "winclient-silo",
>   "distinguishedName": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>   "dn": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>   "instanceType": 4,
>   "msDS-AuthNPolicySiloEnforced": true,
>   "msDS-AuthNPolicySiloMembers": [
>     "CN=WINCLIENT,CN=Computers,DC=example,DC=net",
>     "CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net"
>   ],
>   "msDS-ComputerAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>   "msDS-ServiceAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>   "msDS-UserAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
>   "name": "winclient-silo",
>   "objectCategory": "CN=ms-DS-AuthN-Policy-Silo,CN=Schema,CN=Configuration,DC=example,DC=net",
>   "objectClass": [
>     "top",
>     "msDS-AuthNPolicySilo"
>   ],
>   "objectGUID": "f063b775-e1da-4b2d-962b-d30f2cc8ffad"
> -------------
>
> My user "cn=protected admin" looks like this:
> -------------
> dn: CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: protected admin
> sn: admin
> givenName: protected
> instanceType: 4
> whenCreated: 20231020125659.0Z
> displayName: protected admin
> uSNCreated: 4267
> name: protected admin
> objectGUID: 770c22a3-aa6d-4cea-bdbe-5bebce9c2994
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-3996049225-3177602564-2265300751-1106
> accountExpires: 9223372036854775807
> sAMAccountName: padmin
> sAMAccountType: 805306368
> userPrincipalName: padmin@example.net
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=net
> userAccountControl: 512
> memberOf: CN=Domain Admins,CN=Users,DC=example,DC=net
> memberOf: CN=Protected Users,CN=Users,DC=example,DC=net
> lastLogonTimestamp: 133422806290994480
> msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Polic
>  y Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy
>   Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> pwdLastSet: 133424547343802100
> whenChanged: 20231022132534.0Z
> uSNChanged: 4319
> lastLogon: 133424547477453410
> logonCount: 12
> distinguishedName: CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=ne
>  t
> -------------
>
> And the host:
> --------------
> dn: CN=WINCLIENT,CN=Computers,DC=example,DC=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> cn: WINCLIENT
> instanceType: 4
> whenCreated: 20231019160325.0Z
> uSNCreated: 4225
> name: WINCLIENT
> objectGUID: ca422c13-eb65-43ae-8ae9-7fea6950a972
> userAccountControl: 4096
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> pwdLastSet: 133422050057063700
> primaryGroupID: 515
> objectSid: S-1-5-21-3996049225-3177602564-2265300751-1104
> accountExpires: 9223372036854775807
> sAMAccountName: WINCLIENT$
> sAMAccountType: 805306369
> dNSHostName: winclient.example.net
> servicePrincipalName: HOST/winclient.example.net
> servicePrincipalName: RestrictedKrbHost/winclient.example.net
> servicePrincipalName: HOST/WINCLIENT
> servicePrincipalName: RestrictedKrbHost/WINCLIENT
> servicePrincipalName: WSMAN/winclient.example.net
> servicePrincipalName: WSMAN/winclient
> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=net
> isCriticalSystemObject: FALSE
> lastLogonTimestamp: 133422050059426810
> operatingSystem: Windows 11 Pro
> operatingSystemVersion: 10.0 (22621)
> msDS-SupportedEncryptionTypes: 28
> msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Polic
>  y Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy
>   Configuration,CN=Services,CN=Configuration,DC=example,DC=net
> whenChanged: 20231020163411.0Z
> uSNChanged: 4289
> lastLogon: 133424546464979900
> logonCount: 30
> distinguishedName: CN=WINCLIENT,CN=Computers,DC=example,DC=net
> --------------
>
> So in both objects you can see the two attributes:
> ------------------
> msDS-AuthNPolicySiloMembersBL:
> msDS-AssignedAuthNPolicySilo:
> ------------------
>
> These attributes look the same on a Windows Active Directory. I built the same domain with Windows Server 2022 and FL 2016. There it works.
>
> In my Samba domain I can assign everything, but my user "cn=protected admin" can still log in to my host "winclient" :-(
>
> Has anyone tried it yet and got it working?
>
>
> On 20.10.23 at 19:57, Stefan Kania via samba wrote:
>> Now I created a policy with:
>>
>> ---------
>> samba-tool domain auth policy create --enforce --name winclient-pol
>> ---------
>>
>> and a silo with:
>>
>> ---------
>> samba-tool domain auth silo create --enforce --name=winclient-silo
>>
>> Then I add the following objects to the silo
>> ---------
>> samba-tool domain auth silo member add --name=winclient-silo --member=padmin
>>
>> samba-tool domain auth silo member add --name=winclient-silo --member=winclient\$
>> ---------
>>
>> Then assigning the policy to the silo with:
>>
>> -------------
>> samba-tool domain auth silo modify --name=winclient-silo --policy=winclient-pol
>> -------------
>>
>> The next step would be to assign the silo to the user and the host, but I don't see any option in "samba-tool domain auth ..." to do this. The same with adding the host to the policy.
>>
>> On a Windows system I would do this with "ADAC", but I can't use it with a Samba DC.
>>
>> Is there a way to do it with samba-tool, or any other tool?
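The thread above shows the three objects an admin ends up comparing by hand: the silo and policy JSON from `samba-tool domain auth ... view` and the LDIF of each member. The script below is an added example, not code from the thread, from Samba or from samba-tool; it embeds that output as constructed sample data (trimmed to the attributes that matter) and runs the consistency checks a defender wants before expecting a silo to restrict logons: silo and policy are enforced rather than audit-only, the silo references the policy for user, computer and service, and each member carries `msDS-AssignedAuthNPolicySilo` plus the `msDS-AuthNPolicySiloMembersBL` back-link for that silo. The LDIF parser is a minimal one written for this example; it unfolds continuation lines and does not handle base64 (`::`) values.

```python
"""Consistency check for an AD authentication silo, its policy and its members.

Added example for this thread (not code from Samba or samba-tool). Input is
the JSON printed by `samba-tool domain auth silo view` / `policy view` and
the LDIF of the member objects, embedded below as constructed sample data.
"""
import json

# Constructed sample: silo and policy JSON, trimmed to the attributes checked.
SILO_JSON = """{
  "cn": "winclient-silo",
  "dn": "CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "msDS-AuthNPolicySiloEnforced": true,
  "msDS-AuthNPolicySiloMembers": [
    "CN=WINCLIENT,CN=Computers,DC=example,DC=net",
    "CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net"
  ],
  "msDS-ComputerAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "msDS-ServiceAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "msDS-UserAuthNPolicy": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net"
}"""

POLICY_JSON = """{
  "cn": "winclient-pol",
  "dn": "CN=winclient-pol,CN=AuthN Policies,CN=AuthN Policy Configuration,CN=Services,CN=Configuration,DC=example,DC=net",
  "msDS-AuthNPolicyEnforced": true,
  "msDS-ServiceTGTLifetime": 60,
  "msDS-StrongNTLMPolicy": 0
}"""

# Constructed sample: the two member objects, trimmed, keeping the LDIF line
# folding (a continuation line starts with one space) exactly as ldbsearch prints it.
MEMBERS_LDIF = """dn: CN=protected admin,OU=users,OU=It,OU=Firma,DC=example,DC=net
sAMAccountName: padmin
memberOf: CN=Protected Users,CN=Users,DC=example,DC=net
msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Polic
 y Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy
  Configuration,CN=Services,CN=Configuration,DC=example,DC=net

dn: CN=WINCLIENT,CN=Computers,DC=example,DC=net
sAMAccountName: WINCLIENT$
msDS-AuthNPolicySiloMembersBL: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Polic
 y Configuration,CN=Services,CN=Configuration,DC=example,DC=net
msDS-AssignedAuthNPolicySilo: CN=winclient-silo,CN=AuthN Silos,CN=AuthN Policy
  Configuration,CN=Services,CN=Configuration,DC=example,DC=net
"""


def parse_ldif(text):
    """Parse a plain LDIF dump into a list of {attribute: [values]} dicts.

    A line starting with a space continues the previous line (RFC 2849 folding);
    entries are separated by blank lines. Base64 (`::`) values are not handled.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # drop the fold marker, keep the rest
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def check_silo(silo_json, policy_json, members_ldif):
    """Return a list of findings; an empty list means silo, policy and members agree."""
    silo, policy = json.loads(silo_json), json.loads(policy_json)
    findings = []
    # An unenforced silo or policy only audits; it never denies a logon.
    if silo.get("msDS-AuthNPolicySiloEnforced") is not True:
        findings.append("silo is audit-only: msDS-AuthNPolicySiloEnforced is not true")
    if policy.get("msDS-AuthNPolicyEnforced") is not True:
        findings.append("policy is audit-only: msDS-AuthNPolicyEnforced is not true")
    # The silo must hand the policy to all three principal kinds.
    for attr in ("msDS-UserAuthNPolicy", "msDS-ComputerAuthNPolicy", "msDS-ServiceAuthNPolicy"):
        if silo.get(attr) != policy["dn"]:
            findings.append(f"silo {attr} does not point at {policy['cn']}")
    # Forward link on the silo and assignment plus back-link on every member must agree.
    members, seen = set(silo.get("msDS-AuthNPolicySiloMembers", [])), set()
    for obj in parse_ldif(members_ldif):
        dn = obj["dn"][0]
        seen.add(dn)
        if dn not in members:
            findings.append(f"{dn}: not in the silo's msDS-AuthNPolicySiloMembers")
        if obj.get("msDS-AssignedAuthNPolicySilo") != [silo["dn"]]:
            findings.append(f"{dn}: msDS-AssignedAuthNPolicySilo is not {silo['cn']}")
        if obj.get("msDS-AuthNPolicySiloMembersBL") != [silo["dn"]]:
            findings.append(f"{dn}: msDS-AuthNPolicySiloMembersBL back-link is not {silo['cn']}")
    for dn in sorted(members - seen):
        findings.append(f"{dn}: listed as a silo member but no object was supplied")
    return findings


if __name__ == "__main__":
    for line in check_silo(SILO_JSON, POLICY_JSON, MEMBERS_LDIF) or ["OK: silo, policy and members are consistent"]:
        print(line)
```

On the thread's own data the check returns no findings, which matches Stefan's observation that the directory side looks the same as on Windows. A clean result only says the objects are consistent; it says nothing about whether the DC's KDC actually evaluates the silo at logon time, which is the open question in the thread. To use it against a live domain, feed it the real `samba-tool ... view` output and an `ldbsearch` dump of each member.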
Andrew Bartlett
2023-Oct-23 23:08 UTC
[Samba] Question about silos and Authentication policies
Thanks Rob for chiming in.

Stefan, I do want to be very clear, one of the big challenges that we as developers face building these kinds of tools is that we don't run AD domains day-to-day. So we really value good feedback on the ergonomics. If you can test with our work in progress, we are keen to adapt the tooling where possible to be more in line with what is 'naturally expected', so please do keep up the feedback.

This area is already quite complex, we would love for this to 'just work' for the initial use cases.

Andrew Bartlett

On Tue, 2023-10-24 at 10:03 +1300, Rob van der Linde via samba wrote:
> [...]

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead                 https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
Stefan Kania
2023-Oct-24 08:04 UTC
[Samba] Question about silos and Authentication policies
Hi Rob,

I'm also not a Windows admin ;-) But I have customers who need this kind of thing, so I have to test it. At the moment I can't even get it to run in a pure Windows environment :-( but I know someone who can help me.

So far I compared the LDIF of the object of a user and a computer when assigning a silo to these objects. That is the same in Windows and Samba. The objects of an auth-policy and auth-silo look a bit different on both systems.

As soon as I know more and maybe get it working, you will get more info from me.

Stefan

On 23.10.23 at 23:03, Rob van der Linde via samba wrote:
> [...]

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam and protects your privacy. You can obtain a free certificate at https://www.dgn.de/dgncert/index.html
Download the root certificates: https://www.dgn.de/dgncert/downloads.html
New GPG key: the public key is attached.