The branch, master has been updated via 0b74adb3f01 samba-tool: Improve help messages for "samba-tool domain auth policy" via 828d534c47f docs-xml: Improve and consolidate "samba-tool domain auth policy create/modify" docs via 9c5a7d12445 netcmd: auth: set better metavar that matches the docs from 14b17c3de6d libcli/security/tests: gunzip the oversized-acls test vectors
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 0b74adb3f01e8211f13391f021792799d528ebba Author: Andrew Bartlett <abart...@samba.org> Date: Thu Nov 23 17:31:23 2023 +1300 samba-tool: Improve help messages for "samba-tool domain auth policy" Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Mon Nov 27 04:05:46 UTC 2023 on atb-devel-224 commit 828d534c47fbee23349107e09f60b530a24cbd55 Author: Andrew Bartlett <abart...@samba.org> Date: Thu Nov 23 12:47:04 2023 +1300 docs-xml: Improve and consolidate "samba-tool domain auth policy create/modify" docs Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> commit 9c5a7d1244554136d1fc4f556b6f1bf91df61a7f Author: Rob van der Linde <r...@catalyst.net.nz> Date: Thu Nov 23 14:08:04 2023 +1300 netcmd: auth: set better metavar that matches the docs Signed-off-by: Rob van der Linde <r...@catalyst.net.nz> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: docs-xml/manpages/samba-tool.8.xml | 346 +++++++++++++----------------- python/samba/netcmd/domain/auth/policy.py | 81 ++++--- python/samba/netcmd/domain/auth/silo.py | 18 +- 3 files changed, 212 insertions(+), 233 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index e96ee4fc048..227fd291eb0 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml 
@@ -723,8 +723,13 @@ <term>--user-allow-ntlm-auth</term> <listitem> <para> - Allow NTLM network authentication when user - is restricted to selected devices. + Allow <constant>NTLM</constant> and <constant> + Interactive NETLOGON SamLogon</constant> + authentication despite the + fact that + <constant>allowed-to-authenticate-from</constant> + is in use, which would + otherwise restrict the user to selected devices. </para> </listitem> </varlistentry> @@ -732,10 +737,19 @@ <term>--user-allowed-to-authenticate-from</term> <listitem> <para> - Conditions user is allowed to authenticate from. + Conditions a device must meet + for users covered by this + policy to be allowed to + authenticate. While this is a + restriction on the device, + any conditional ACE rules are + expressed as if the device was + a user. </para> <para> - Must be a valid SDDL string. + Must be a valid SDDL string + without reference to Device + keywords. </para> <para> Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)})) @@ -746,7 +760,11 @@ <term>--user-allowed-to-authenticate-from-silo</term> <listitem> <para> - User is allowed to authenticate from a given silo. + User is allowed to + authenticate, if the device they + authenticate from is assigned + and granted membership of a + given silo. </para> <para> This attribute avoids the need to write SDDL by hand and 
@@ -755,24 +773,54 @@ </listitem> </varlistentry> <varlistentry> - <term>--user-allowed-to-authenticate-to</term> + <term>--user-allowed-to-authenticate-to=SDDL</term> <listitem> <para> - Conditions user is allowed to authenticate to. + This policy, applying to a + user account that is offering + a service, eg a web server + with a user account, restricts + which accounts may access it. </para> <para> Must be a valid SDDL string. + The SDDL can reference both + bare (user) and Device conditions. + </para> + <para> + SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))</constant> + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>--user-allowed-to-authenticate-to-by-group=GROUP</term> + <listitem> + <para> + The user account, offering a + network service, covered by + this policy, will only be allowed + access from other accounts + that are members of the given + <constant>GROUP</constant>. </para> <para> - Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)})) + This attribute avoids the need to write SDDL by hand and + cannot be used with --user-allowed-to-authenticate-to </para> </listitem> </varlistentry> <varlistentry> - <term>--user-allowed-to-authenticate-to-by-silo</term> + <term>--user-allowed-to-authenticate-to-by-silo=SILO</term> <listitem> <para> - User is allowed to authenticate to by a given silo. + The user account, offering a + network service, covered by + this policy, will only be + allowed access from other accounts + that are assigned to, + granted membership of (and + meet any authentication + conditions of) the given SILO. </para> <para> This attribute avoids the need to write SDDL by hand and 
@@ -801,21 +849,36 @@ <term>--service-allowed-to-authenticate-from</term> <listitem> <para> - Conditions service is allowed to authenticate from. + Conditions a device must meet + for service accounts covered + by this policy to be allowed + to authenticate. While this + is a restriction on the + device, any conditional ACE + rules are expressed as if the + device was a user. </para> <para> - Must be a valid SDDL string. + Must be a valid SDDL string + without reference to Device + keywords. </para> <para> - Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)})) + SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))</constant> </para> </listitem> </varlistentry> <varlistentry> - <term>--service-allowed-to-authenticate-from-silo</term> + <term>--service-allowed-to-authenticate-from-device-silo=SILO</term> <listitem> <para> - Service is allowed to authenticate from a given silo. + The service account (eg a Managed + Service Account, Group Managed + Service Account) is allowed to + authenticate, if the device it + authenticates from is assigned + and granted membership of a + given <constant>SILO</constant>. </para> <para> This attribute avoids the need to write SDDL by hand and 
@@ -824,255 +887,148 @@ </listitem> </varlistentry> <varlistentry> - <term>--service-allowed-to-authenticate-to</term> + <term>--service-allowed-to-authenticate-from-device-group=GROUP</term> <listitem> <para> - Conditions service is allowed to authenticate to. - </para> - <para> - Must be a valid SDDL string. - </para> - <para> - Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)})) - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>--service-allowed-to-authenticate-to-by-silo</term> - <listitem> - <para> - Service is allowed to authenticate to by a given silo. + The service account (eg a Managed + Service Account, Group Managed + Service Account is allowed to + authenticate, if the device it + authenticates from is a member + of the given <constant>group</constant>. </para> <para> This attribute avoids the need to write SDDL by hand and - cannot be used with --service-allowed-to-authenticate-to - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>--computer-tgt-lifetime-mins</term> - <listitem> - <para> - Ticket-Granting-Ticket lifetime for computer accounts. + cannot be used with --service-allowed-to-authenticate-from </para> </listitem> </varlistentry> <varlistentry> - <term>-computer-allowed-to-authenticate-to</term> + <term>--service-allowed-to-authenticate-to=SDDL</term> <listitem> <para> - Conditions computer is allowed to authenticate to. + This policy, applying to a + service account (eg a Managed + Service Account, Group Managed + Service Account), restricts + which accounts may access it. </para> <para> Must be a valid SDDL string. + The SDDL can reference both + bare (user) and Device conditions. 
</para> <para> - Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)})) + SDDL Example: <constant>O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))</constant> </para> </listitem> </varlistentry> <varlistentry> - <term>--computer-allowed-to-authenticate-to-by-silo</term> + <term>--service-allowed-to-authenticate-to-by-group=GROUP</term> <listitem> <para> - Computer is allowed to authenticate to by a given silo. + The service account (eg a Managed + Service Account, Group Managed + Service Account), will only be + allowed access by other accounts + that are members of the given + <constant>GROUP</constant>. </para> <para> This attribute avoids the need to write SDDL by hand and - cannot be used with --computer-allowed-to-authenticate-to - </para> - </listitem> - </varlistentry> - </variablelist> -</refsect3> - -<refsect3> - <title>domain auth policy modify</title> - <para>Modify authentication policies on the domain.</para> - <variablelist> - <varlistentry> - <term>-H, --URL</term> - <listitem><para> - LDB URL for database or target server. - </para></listitem> - </varlistentry> - <varlistentry> - <term>--name</term> - <listitem><para> - Name of the authentication policy (required). - </para></listitem> - </varlistentry> - <varlistentry> - <term>--description</term> - <listitem><para> - Optional description for the authentication policy. - </para></listitem> - </varlistentry> - <varlistentry> - <term>--protect</term> - <listitem> - <para> - Protect authentication policy from accidental deletion. - </para> - <para> - Cannot be used together with --unprotect. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>--unprotect</term> - <listitem> - <para> - Unprotect authentication policy from accidental deletion. - </para> - <para> - Cannot be used together with --protect. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>--audit</term> - <listitem> - <para> - Only audit authentication policy. 
- </para> - <para> - Cannot be used together with --enforce. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>--enforce</term> - <listitem> - <para> - Enforce authentication policy. - </para> - <para> - Cannot be used together with --audit. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>--strong-ntlm-policy</term> - <listitem> - <para> - Strong NTLM Policy (Disabled, Optional, Required). - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>--user-tgt-lifetime-mins</term> - <listitem> - <para> - Ticket-Granting-Ticket lifetime for user accounts. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>--user-allow-ntlm-auth</term> - <listitem> - <para> - Allow NTLM network authentication when user - is restricted to selected devices. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>--user-allowed-to-authenticate-from</term> - <listitem> - <para> - Conditions user is allowed to authenticate from. - </para> - <para> - Must be a valid SDDL string. - </para> - <para> - Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)})) + cannot be used with --service-allowed-to-authenticate-to </para> </listitem> </varlistentry> <varlistentry> - <term>--user-allowed-to-authenticate-to</term> + <term>--service-allowed-to-authenticate-to-by-silo=SILO</term> <listitem> <para> - Conditions user is allowed to authenticate to. - </para> - <para> - Must be a valid SDDL string. - </para> - <para> - Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)})) + The service account (eg a + Managed Service Account, Group + Managed Service Account), will + only be allowed access by other + accounts that are assigned + to, granted membership of (and + meet any authentication + conditions of) the given SILO. </para> - </listitem> - </varlistentry> - <varlistentry> - <term>--service-tgt-lifetime-mins</term> - <listitem> <para> - Ticket-Granting-Ticket lifetime for service accounts. 
+ This attribute avoids the need to write SDDL by hand and + cannot be used with --service-allowed-to-authenticate-to </para> </listitem> </varlistentry> <varlistentry> - <term>--service-allow-ntlm-auth</term> + <term>--computer-tgt-lifetime-mins</term> <listitem> <para> - Allow NTLM network authentication when service - is restricted to selected devices. + Ticket-Granting-Ticket lifetime for computer accounts. </para> </listitem> </varlistentry> <varlistentry> - <term>--service-allowed-to-authenticate-from</term> + <term>--computer-allowed-to-authenticate-to=SDDL</term> <listitem> <para> - Conditions service is allowed to authenticate from. + This policy, applying to a + computer account (eg a server + or workstation), restricts + which accounts may access it. </para> <para> Must be a valid SDDL string. + The SDDL can reference both + bare (user) and Device conditions. </para> <para> - Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)})) + SDDL Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)})) </para> </listitem> </varlistentry> <varlistentry> - <term>--service-allowed-to-authenticate-to</term> + <term>--computer-allowed-to-authenticate-to-by-group=GROUP</term> <listitem> <para> - Conditions service is allowed to authenticate to. + The computer account (eg a server + or workstation), will only be + allowed access by other accounts + that are members of the given + <constant>GROUP</constant>. </para> <para> - Must be a valid SDDL string. - </para> - <para> - Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)})) - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>--computer-tgt-lifetime-mins</term> - <listitem> - <para> - Ticket-Granting-Ticket lifetime for computer accounts. 
+ This attribute avoids the need to write SDDL by hand and + cannot be used with --computer-allowed-to-authenticate-to </para> </listitem> </varlistentry> <varlistentry> - <term>-computer-allowed-to-authenticate-to</term> + <term>--computer-allowed-to-authenticate-to-by-silo=SILO</term> <listitem> <para> - Conditions computer is allowed to authenticate to. + The computer account (eg a + server or workstation), will + only be allowed access by + other accounts that are + assigned to, granted + membership of (and meet any + authentication conditions of) + the given SILO. </para> <para> - Must be a valid SDDL string. - </para> - <para> - Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)})) + This attribute avoids the need to write SDDL by hand and + cannot be used with --computer-allowed-to-authenticate-to </para> </listitem> </varlistentry> - </variablelist> + + </variablelist> +</refsect3> + +<refsect3> + <title>domain auth policy modify</title> + <para>Modify authentication policies on the domain. The same + options apply as for <constant>domain auth policy create</constant>.</para> </refsect3> <refsect3> diff --git a/python/samba/netcmd/domain/auth/policy.py b/python/samba/netcmd/domain/auth/policy.py index 32a24adafee..de9ce4b004f 100644 --- a/python/samba/netcmd/domain/auth/policy.py +++ b/python/samba/netcmd/domain/auth/policy.py @@ -53,34 +53,40 @@ class UserOptions(options.OptionGroup): callback=self.set_option, validators=[Range(min=MIN_TGT_LIFETIME, max=MAX_TGT_LIFETIME)]) self.add_option("--user-allow-ntlm-auth", - help="Allow NTLM network authentication when user " + help="Allow NTLM network authentication despite the fact that the user " "is restricted to selected devices.", dest="allow_ntlm_auth", default=False, action="callback", callback=self.set_option) self.add_option("--user-allowed-to-authenticate-from", -- Samba Shared Repository
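Review bot: in the samba-tool.8.xml hunk at @@ -723 the new text for --user-allow-ntlm-auth should say outright that, when set, the device condition in allowed-to-authenticate-from is not evaluated for NTLM or Interactive NETLOGON SamLogon logons (those paths carry no device identity to test), rather than only that authentication is allowed "despite the fact that allowed-to-authenticate-from is in use". Administrators read this option as a compatibility toggle; the manpage is the place to say it carves a hole in the device restriction. The same hunk's `<constant>NTLM</constant> and <constant>Interactive NETLOGON SamLogon</constant>` markup splits the second constant across a line break, which renders as a stray space in the man page; keep the whole phrase on one line.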
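Review bot: in the hunk at @@ -755 the new --user-allowed-to-authenticate-to-by-group entry says only that it "cannot be used with --user-allowed-to-authenticate-to"; if -by-group and -by-silo both generate the same attribute (both are described as avoiding hand-written SDDL) then they are also mutually exclusive with each other, and the entry should say so, as should the -by-silo entry below it. The same hunk is also the only place where the descriptions of the -to options state that the SDDL "can reference both bare (user) and Device conditions"; it would help to say which condition set the -by-group shortcut emits (user membership, not device membership), since a reader of the -from entries has just been told those use user syntax for device conditions.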
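Review bot: in the hunk at @@ -801 the documented option name changes from --service-allowed-to-authenticate-from-silo to --service-allowed-to-authenticate-from-device-silo, while the user equivalent in the hunk at @@ -746 keeps the name --user-allowed-to-authenticate-from-silo; the two now disagree on whether "device" appears in the name. The changeset is truncated at 500 lines, so the matching rename in python/samba/netcmd/domain/auth/policy.py is not visible here; confirm the CLI actually accepts the new name (and whether the old one is kept as an alias, since existing scripts will otherwise break on upgrade), or keep the documented name in step with the code.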
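Review bot: in the hunk at @@ -824 the --service-allowed-to-authenticate-from-device-group paragraph is missing its closing parenthesis: "(eg a Managed Service Account, Group Managed Service Account is allowed to authenticate" should read "(eg a Managed Service Account, Group Managed Service Account) is allowed to authenticate", and the same paragraph's `<constant>group</constant>` should be `<constant>GROUP</constant>` to match the term. Further down, the --computer-allowed-to-authenticate-to=SDDL example is the only one left without `<constant>` markup, unlike the user and service examples. Finally, the "domain auth policy modify" section is collapsed to "The same options apply as for domain auth policy create", but the removed text documented --protect and --unprotect with "Cannot be used together with"; --unprotect only makes sense on modify, so either confirm the create section lists it or keep an explicit option list under modify.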
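Review bot: the policy.py hunk at @@ -53 changes the --user-allow-ntlm-auth help to "Allow NTLM network authentication despite the fact that the user is restricted to selected devices.", but the docbook text in the hunk at @@ -723 of samba-tool.8.xml says the option also allows Interactive NETLOGON SamLogon authentication. Whichever is the correct behaviour, the string shown by `--help` and the man page should agree, otherwise an operator who only reads the CLI help will not know interactive logons bypass the device restriction as well.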