From 06c0a07f9c0f6a6442b7ee12761d05e64265fe11 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Mon, 15 Jan 2024 15:22:27 +1300 Subject: [PATCH 1/3] WHATSNEW: note "acl_claims evaluation" smb.conf option BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566 Signed-off-by: Douglas Bagnall --- WHATSNEW.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 8158a80288c..bd9685ad833 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -127,6 +127,7 @@ smb.conf changes Parameter Name Description Default -------------- ----------- ------- smb3 unix extensions Per share - + acl claims evaluation new AD DC only KNOWN ISSUES -- GitLab From 1ef714ca9ccb510b5ffb347345a8f4a053a649c6 Mon Sep 17 00:00:00 2001 From: Douglas Bagnall Date: Mon, 15 Jan 2024 15:21:11 +1300 Subject: [PATCH 2/3] WHATSNEW: Add some information about new conditional aces feature BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566 Signed-off-by: Douglas Bagnall --- WHATSNEW.txt | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index bd9685ad833..c568b236635 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -108,6 +108,30 @@ New options added are: and all files/directories below. - '--restore savefile' Restores the stored DACLS to files in directory +Conditional ACEs and Resource Attribute ACEs +-------------------------------------------- + +Ordinary Access Control Entries (ACEs) unconditionally allow or deny +access to a given user or group. Conditional ACEs have an additional +section that describes conditions under which the ACE applies. If the +conditional expression is true, the ACE works like an ordinary ACE, +otherwise it is ignored. The condition terms can refer to claims, +group memberships, and attributes on the object itself. These +attributes are described in Resource Attribute ACEs that occur in the +object's System Access Control List (SACL). Conditional ACEs are +described in Microsoft documentation. + +Conditional ACE evaluation is controlled by the "acl claims +evaluation" smb.conf option. The default value is "AD DC only" which +enables them in AD DC settings. The other option is "never", which +disables them altogether. There is currently no option to enable them +on the file server (this is likely to change in future releases). + +The Security Descriptor Definition Language has extensions for +conditional ACEs and resource attribute ACEs; these are now supported +by Samba. + + REMOVED FEATURES ================ -- GitLab From 24b589537b8b0847f98f29e1ad20305f455424af Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 1 Feb 2024 11:33:27 +1300 Subject: [PATCH 3/3] WHATSNEW: Explain new AD DC Claims, authentication policies and Silos BUG: https://bugzilla.samba.org/show_bug.cgi?id=15566 Signed-off-by: Andrew Bartlett --- WHATSNEW.txt | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index c568b236635..f7c38dc9f0e 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -108,6 +108,66 @@ New options added are: and all files/directories below. - '--restore savefile' Restores the stored DACLS to files in directory +Samba-tool extensions for AD Claims, Authentication Policies and Silos +---------------------------------------------------------------------- + +samba-tool now allows users to be associated with claims. In the +Samba AD DC, claims derive from Active Directory attributes mapped +into specific names. These claims can be used in rules, which are +conditional ACEs in a security descriptor, that decide if a user is +restricted by an authentication policy. + +samba-tool also allows the creation and management of authentication +policies, which are rules about where a user may authenticate from, +if NTLM is permitted, and what services a user may authenticate to. + +Finally, support is added for the creation and management of +authentication silos, which are helpful in defining network boundaries +by grouping users and the services they connect to. + +Please note: The command line syntax for these tools is not final, and +may change before the next release, as we gain user feedback. The +syntax will be locked in once Samba offers 2016 AD Functional Level as +a default. + +AD DC support for Authentication Silos and Authentication Policies +------------------------------------------------------------------ + +The Samba AD DC now also honours any existing claims, authentication +policy and authentication silo configuration previously created (eg +from an import of a Microsoft AD), as well as new configurations +created with samba-tool. The use of Microsoft's Powershell based +client tools is not expected to work. + +To use this feature, the functional level must be set to 2012_R2 or +later with: + + ad dc functional level = 2016 + +in the smb.conf. + +The smb.conf file on each DC must have 'ad dc functional level = 2016' +set to have the partially complete feature available. 
This will also, +at first startup, update the server's own AD entry with the configured +functional level. + +For new domains, add these parameters to 'samba-tool provision' + +--option="ad dc functional level = 2016" --function-level=2016 + +The second option, setting the overall domain functional level +indicates that all DCs should be at this functional level. + +To raise the domain functional level of an existing domain, after +updating the smb.conf and restarting Samba run +samba-tool domain schemaupgrade --schema=2019 +samba-tool domain functionalprep --function-level=2016 +samba-tool domain level raise --domain-level=2016 --forest-level=2016 + +This support is still new, so is not enabled by default in this +release. The above instructions are set at 2016, which while not +complete, matches what our testing environment validates. + Conditional ACEs and Resource Attribute ACEs -------------------------------------------- -- GitLab
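Review bot: in the first hunk (PATCH 1/3), the new smb.conf table row writes the Description as lowercase "new" while the neighbouring row capitalises its entry ("Per share"), and the commit subject spells the option "acl_claims evaluation" with an underscore that neither the table row nor the option name "acl claims evaluation" uses. Suggest "New" in the table to match the surrounding style and dropping the underscore from the subject line so the commit is searchable by the real parameter name.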
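Review bot: in the second hunk (PATCH 2/3), the paragraph on "acl claims evaluation" says "never" disables conditional ACEs altogether and that the file server cannot evaluate them yet, but it does not say what Samba then does with a conditional ACE it meets: skipping a conditional Deny ACE widens access, skipping a conditional Allow ACE narrows it, so readers of release notes need to know which of these applies. Suggest adding one sentence stating the behaviour when evaluation is off, and replacing "described in Microsoft documentation" with the document name ([MS-DTYP]) so the grammar for conditional and resource attribute ACEs can actually be found; "enables them in AD DC settings" reads better as "enables them on the AD DC".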
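Review bot: in the third hunk (PATCH 3/3), the functional-level prerequisite is inconsistent: the text says the level "must be set to 2012_R2 or later" but the example line, the provision options and the closing paragraph all use 2016, and the sentence "The smb.conf file on each DC must have 'ad dc functional level = 2016' set" repeats the smb.conf instruction given four lines earlier. Suggest one paragraph that states the minimum level, says 2016 is what the test environment validates, and shows the smb.conf line once. The three samba-tool commands after "restarting Samba run" are run into the prose; indent them as a block like the "ad dc functional level = 2016" line and end the lead-in with a colon. Minor: "eg" should be "e.g." and "Powershell" should be "PowerShell".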