-
Notifications
You must be signed in to change notification settings - Fork 0
/
03-sec.Rmd
320 lines (249 loc) · 10.7 KB
/
03-sec.Rmd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
# Password and Kerberos Policies {#sec}
```{r, echo=FALSE, out.width="30%", fig.align='center'}
knitr::include_graphics("sec-images/key.png")
```
\index{Policies!Password}
\index{Policies!Kerberos}
The purpose of these policies is to enforce password complexity and kerberos rules on a Samba Active Directory Domain Controller (ADDC). When a Linux client is not an ADDC, these policies are disabled and ignored automatically.
These policies are physically stored on the SYSVOL in the **MACHINE/Microsoft** \linebreak **/Windows NT/SecEdit/GptTmpl.inf** file in the subdirectory of the Group Policy Object. They are stored in ini format, and are easily modified manually using a text editor.
## Server Side Extension
The Group Policy Management Editor (GPME) contains a built in Server Side Extension for Password and Kerberos Policies. There is also a `samba-tool` command to modify these policies.
\index{Server Side Extensions}
### Managing Password and Kerberos Policies via the GPME
Open the GPME and navigate to `Computer Configuration > Policies > Windows Settings > Security Settings > Account Policy`.
#### Password Policies
The following password policies are applicable to a Samba ADDC:
* Maximum password age
* Minimum password age
* Minimum password length
* Password must meet complexity requirements
To set password policy settings using the Group Policy Management Editor (GPME), follow these steps:
1. Open the Group Policy Management Editor (GPME). For instructions on accessing the GPME, see chapter \@ref(manage) section \@ref(gpopen).
2. In the left pane of the GPME, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policy > Password Policy.
3. In the right pane, double-click the "Maximum password age" policy.
4. In the "Maximum password age" dialog box, click the Enabled option and enter 42 in the "Value" field.
5. Click OK to close the "Maximum password age" dialog box.
6. In the right pane, double-click the "Minimum password age" policy.
7. In the "Minimum password age" dialog box, click the Enabled option and enter 1 in the "Value" field.
8. Click OK to close the "Minimum password age" dialog box.
9. In the right pane, double-click the "Minimum password length" policy.
10. In the "Minimum password length" dialog box, click the Enabled option and enter 7 in the "Value" field.
11. Click OK to close the "Minimum password length" dialog box.
12. In the right pane, double-click the "Password must meet complexity requirements" policy.
13. In the "Password must meet complexity requirements" dialog box, click the Enabled option.
14. Click OK to close the "Password must meet complexity requirements" dialog box.
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "Password Policies"}
knitr::include_graphics("sec-images/passwd.png")
```
#### Kerberos Policies
The following Kerberos policies are applicable to a Samba ADDC:
* Maximum lifetime for service ticket
* Maximum lifetime for user ticket
* Maximum lifetime for user ticket renewal
To set Kerberos policy settings, follow these steps:
1. In the left pane of the GPME, navigate to `Computer Configuration > Policies > Windows Settings > Security Settings > Account Policy > Kerberos Policy`.
2. In the right pane, double-click the "Maximum lifetime for service ticket" policy.
3. In the "Maximum lifetime for service ticket" dialog box, click the Enabled option and enter 600 in the "Value" field.
4. Click OK to close the "Maximum lifetime for service ticket" dialog box.
5. In the right pane, double-click the "Maximum lifetime for user ticket" policy.
6. In the "Maximum lifetime for user ticket" dialog box, click the Enabled option and enter 10 in the "Value" field.
7. Click OK to close the "Maximum lifetime for user ticket" dialog box.
8. In the right pane, double-click the "Maximum lifetime for user ticket renewal" policy.
9. In the "Maximum lifetime for user ticket renewal" dialog box, click the Enabled option and enter 7 in the "Value" field.
10. Click OK to close the "Maximum lifetime for user ticket renewal" dialog box.
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "Kerberos Policies"}
knitr::include_graphics("sec-images/kerb.png")
```
### Managing Password and Kerberos Policies via samba-tool
The Password and Kerberos policies can also be set via `samba-tool gpo manage security set <gpo> <setting> <value>`.
The command accepts the following parameters:
1. `<gpo>`: The name of the GPO that you want to modify.
2. `<setting>`: The name of the smb.conf setting that you want to set.
3. `<value>`: The value that you want to set for the specified setting.
The `setting` parameter must be one of the following:
```{r, echo=FALSE}
knitr::kable(
data.frame(
"Setting" = c(
"MaxTicketAge",
"MaxServiceAge",
"MaxRenewAge",
"MinimumPasswordAge",
"MaximumPasswordAge",
"MinimumPasswordLength",
"PasswordComplexity"
),
"Description" = c(
"Maximum lifetime for user ticket",
"Maximum lifetime for service ticket",
"Maximum lifetime for user ticket renewal",
"Minimum password age",
"Maximum password age",
"Minimum password length",
"Password must meet complexity requirements"
)
)
, align="l")
```
## Client Side Extension
The Password and Kerberos policies are separated into two Client Side Extensions (CSE), `gp_access_ext` and `gp_krb_ext`. The Password policies (internally known as *System Access*) apply password complexity rules directly to the ADDC SamDB in the applicable LDAP attributes. The Kerberos policies are stored in our Group Policy Cache, and are fetched directly by the `samba` daemon when it loads.
\index{Client Side Extensions}
\index{Group Policy Cache}
In the previous section we saw that our Password and Kerberos policies were already initialized to some defaults. If we now go to our Linux client, and check the Resultant Set of Policy, we see this:
```
> sudo /usr/sbin/samba-gpupdate --rsop
Resultant Set of Policy
Computer Policy
GPO: Default Domain Policy
=================================================================
CSE: gp_access_ext
-----------------------------------------------------------
Policy Type: System Access
-----------------------------------------------------------
[ MinimumPasswordAge ] = 1
[ MaximumPasswordAge ] = 42
[ MinimumPasswordLength ] = 7
[ PasswordComplexity ] = 1
-----------------------------------------------------------
-----------------------------------------------------------
CSE: gp_krb_ext
-----------------------------------------------------------
Policy Type: Kerberos Policy
-----------------------------------------------------------
[ MaxTicketAge ] = 10
[ MaxRenewAge ] = 7
[ MaxServiceAge ] = 600
-----------------------------------------------------------
-----------------------------------------------------------
=================================================================
```
\index{Resultant Set of Policy}
::: {#info style="color: green;"}
Remember that these policies will only be listed if your Linux client is a Samba ADDC.
:::
Let's now force a policy apply, and check that the settings have changed.
```
> sudo /usr/sbin/samba-gpupdate --force
> sudo tdbdump /var/lib/samba/gpo.tdb -k "TESTSYSDM$" \
| sed -r "s/\\\22/\"/g" | sed -r "s/\\\5C/\\\\/g" \
| xmllint --xpath "//gp_ext[@name='System Access' or
@name='Kerberos Policy']" -
<gp_ext name="System Access">
<attribute name="minPwdAge"/>
<attribute name="maxPwdAge"/>
<attribute name="minPwdLength"/>
<attribute name="pwdProperties"/>
</gp_ext>
<gp_ext name="Kerberos Policy">
<attribute name="kdc:user_ticket_lifetime"/>
<attribute name="kdc:renewal_lifetime"/>
<attribute name="kdc:service_ticket_lifetime"/>
</gp_ext>
> sudo tdbdump /var/lib/samba/gpo.tdb \
-k 'kdc:user_ticket_lifetime'; echo
10
> sudo tdbdump /var/lib/samba/gpo.tdb \
-k 'kdc:service_ticket_lifetime'; echo
10
> sudo tdbdump /var/lib/samba/gpo.tdb \
-k 'kdc:renewal_lifetime'; echo
168
```
You can see the Kerberos policies are all stored in their own keys in the Group Policy Cache (`/var/lib/samba/gpo.tdb`), and they are all stored in hours. On the SYSVOL, they are actually stored in hours, minutes, and days, respectively. The reason these are all stored in hours on the system is that the `samba` daemon expects these attributes in hours.
\index{Group Policy Cache}
If we check the contents of the GptTmpl.inf and do some conversion, we can confirm these are correct.
```ini
[Kerberos Policy]
MaxTicketAge = 10
MaxServiceAge = 600
MaxRenewAge = 7
```
```python
>>> from samba.gp.gp_sec_ext import mins_to_hours, days_to_hours
>>> MaxTicketAge = 10
>>> MaxServiceAge = 600
>>> MaxRenewAge = 7
>>> mins_to_hours(MaxServiceAge)
'10'
>>> days_to_hours(MaxRenewAge)
'168'
```
It also helps to know how these Kerberos policies map to the `samba` daemon settings.
```{r, echo=FALSE}
knitr::kable(
data.frame(
"Kerberos Policy" = c(
"MaxTicketAge",
"MaxServiceAge",
"MaxRenewAge"
),
"Samba Setting" = c(
"kdc:user_ticket_lifetime",
"kdc:service_ticket_lifetime",
"kdc:renewal_lifetime"
),
"Conversion" = c(
"None",
"Minutes to Hours",
"Days to Hours"
)
)
, align="l")
```
While the Kerberos policies have been stored to the Group Policy Log as expected, let's next verify that the Password policies have been applied using the following ldapsearch.
```
> ldapsearch -H ldap://lizardo.suse.de -x -W \
-D "[email protected]" \
-b DC=lizardo,DC=suse,DC=de \
-s base minPwdAge maxPwdAge minPwdLength pwdProperties
# lizardo.suse.de
dn: DC=lizardo,DC=suse,DC=de
maxPwdAge: -36288000000000
minPwdAge: -864000000000
minPwdLength: 7
pwdProperties: 1
```
We can confirm these were set correctly by checking the contents of the GptTmpl.inf, plus doing some type conversion.
```ini
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
```
```python
>>> from samba.gp.gp_sec_ext import days2rel_nttime
>>> MinimumPasswordAge = 1
>>> MaximumPasswordAge = 42
>>> MinimumPasswordLength = 7
>>> PasswordComplexity = 1
>>> days2rel_nttime(MaximumPasswordAge)
'-36288000000000'
>>> days2rel_nttime(MinimumPasswordAge)
'-864000000000'
```
Finally, here is how these policies map.
```{r, echo=FALSE}
knitr::kable(
data.frame(
"Password Policy" = c(
"MinimumPasswordAge",
"MaximumPasswordAge",
"MinimumPasswordLength",
"PasswordComplexity"
),
"LDAP Attribute" = c(
"minPwdAge",
"maxPwdAge",
"minPwdLength",
"pwdProperties"
),
"Conversion" = c(
"Days to NTTIME",
"Days to NTTIME",
"None",
"None"
)
)
, align="l")
```