diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index e96ee4fc048..227fd291eb0 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -723,8 +723,13 @@
--user-allow-ntlm-auth
- Allow NTLM network authentication when user
- is restricted to selected devices.
+ Allow NTLM and
+ Interactive NETLOGON SamLogon
+ authentication despite the
+ fact that
+ allowed-to-authenticate-from
+ is in use, which would
+ otherwise restrict the user to selected devices.
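Review bot: the new wording says this option lets NTLM and interactive SamLogon through "despite the fact that allowed-to-authenticate-from is in use" but never states the consequence, which is the point an administrator needs: the device restriction is not applied to those authentications, so setting this weakens the policy. Suggest "Allow NTLM and interactive NETLOGON SamLogon authentication even when --user-allowed-to-authenticate-from is set; those authentications are then not subject to the device restriction." Also write the option name in full as it is spelled elsewhere in this page (--user-allowed-to-authenticate-from rather than the bare allowed-to-authenticate-from), and mirror the same rewording onto --service-allow-ntlm-auth, which as far as the diff shows still reads "Allow NTLM network authentication when service is restricted to selected devices".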
@@ -732,10 +737,19 @@
--user-allowed-to-authenticate-from
- Conditions user is allowed to authenticate from.
+ Conditions a device must meet
+ for users covered by this
+ policy to be allowed to
+ authenticate. While this is a
+ restriction on the device,
+ any conditional ACE rules are
+ expressed as if the device was
+ a user.
- Must be a valid SDDL string.
+ Must be a valid SDDL string
+ without reference to Device
+ keywords.
Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
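Review bot: "without reference to Device keywords" leaves the reader guessing which keywords are meant; name them, e.g. "(Device_Member_of and the other Device_* conditional keywords are not valid here, because the device itself is evaluated as the subject)". That also ties in the example: say explicitly that in "(Member_of {SID(AU)})" the membership test is applied to the device's groups, which is what "expressed as if the device was a user" is trying to convey. Two consistency nits in this hunk: the heading was left as "--user-allowed-to-authenticate-from" while the sibling option below became "--user-allowed-to-authenticate-to=SDDL", and the example label is still "Example:" where the other hunks changed it to "SDDL Example:".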
@@ -746,7 +760,11 @@
--user-allowed-to-authenticate-from-silo
- User is allowed to authenticate from a given silo.
+ User is allowed to
+ authenticate, if the device they
+ authenticate from is assigned
+ and granted membership of a
+ given silo.
This attribute avoids the need to write SDDL by hand and
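Review bot: grammar in the new description: drop the comma before "if", and "is assigned and granted membership of a given silo" should read "is assigned to, and granted membership of, the given silo" (assigned to a silo, member of a silo). For consistency with the other renamed options, the heading should also carry the argument placeholder, i.e. "--user-allowed-to-authenticate-from-silo=SILO", and it would help to note here, as the -to-by-silo descriptions do, that the device must also meet the silo's authentication conditions if that is the case.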
@@ -755,24 +773,54 @@
- --user-allowed-to-authenticate-to
+ --user-allowed-to-authenticate-to=SDDL
- Conditions user is allowed to authenticate to.
+ This policy, applying to a
+ user account that is offering
+ a service, eg a web server
+ with a user account, restricts
+ which accounts may access it.
Must be a valid SDDL string.
+ The SDDL can reference both
+ bare (user) and Device conditions.
- Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))
+ SDDL Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))
- --user-allowed-to-authenticate-to-by-silo
+ --user-allowed-to-authenticate-to-by-group=GROUP
- User is allowed to authenticate to by a given silo.
+ The user account, offering a
+ network service, covered by
+ this policy, will only be allowed
+ access from other accounts
+ that are members of the given
+ GROUP.
+
+
+ This attribute avoids the need to write SDDL by hand and
+ cannot be used with --user-allowed-to-authenticate-to
+
+
+
+
+ --user-allowed-to-authenticate-to-by-silo=SILO
+
+
+ The user account, offering a
+ network service, covered by
+ this policy, will only be
+ allowed access from other accounts
+ that are assigned to,
+ granted membership of (and
+ meet any authentication
+ conditions of) the given SILO.
This attribute avoids the need to write SDDL by hand and
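Review bot: the -by-group description is hard to parse because of the comma chain "The user account, offering a network service, covered by this policy, will only be allowed access from other accounts"; suggest "A user account that offers a network service and is covered by this policy will only accept access from accounts that are members of GROUP." The same applies to the -by-silo text below it. Also "eg a web server with a user account" should be "e.g. a web server running as a user account", and the -to=SDDL description should say which principal the conditional ACE is evaluated against (the connecting account, with its Device_* conditions referring to the device that account authenticated from), since that is what distinguishes it from the -from variants.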
@@ -801,21 +849,36 @@
--service-allowed-to-authenticate-from
- Conditions service is allowed to authenticate from.
+ Conditions a device must meet
+ for service accounts covered
+ by this policy to be allowed
+ to authenticate. While this
+ is a restriction on the
+ device, any conditional ACE
+ rules are expressed as if the
+ device was a user.
- Must be a valid SDDL string.
+ Must be a valid SDDL string
+ without reference to Device
+ keywords.
- Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
+ SDDL Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
- --service-allowed-to-authenticate-from-silo
+ --service-allowed-to-authenticate-from-device-silo=SILO
- Service is allowed to authenticate from a given silo.
+ The service account (eg a Managed
+ Service Account, Group Managed
+ Service Account) is allowed to
+ authenticate, if the device it
+ authenticates from is assigned
+ and granted membership of a
+ given SILO.
This attribute avoids the need to write SDDL by hand and
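Review bot: this hunk renames a user-visible option, --service-allowed-to-authenticate-from-silo becoming --service-allowed-to-authenticate-from-device-silo=SILO, while the user equivalent in the hunk above keeps the name --user-allowed-to-authenticate-from-silo. Either the rename is intentional and the user option should be renamed the same way (or the difference explained), or the manpage now documents a name the command does not accept; please confirm against the samba-tool code and call out the rename in the commit message if it is deliberate. The same "Device keywords" comment as for the user variant applies here: name the excluded keywords (Device_Member_of etc.).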
@@ -824,24 +887,71 @@
- --service-allowed-to-authenticate-to
+ --service-allowed-to-authenticate-from-device-group=GROUP
- Conditions service is allowed to authenticate to.
+ The service account (eg a Managed
+ Service Account, Group Managed
+ Service Account is allowed to
+ authenticate, if the device it
+ authenticates from is a member
+ of the given group.
- Must be a valid SDDL string.
-
-
- Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))
+ This attribute avoids the need to write SDDL by hand and
+ cannot be used with --service-allowed-to-authenticate-from
- --service-allowed-to-authenticate-to-by-silo
+ --service-allowed-to-authenticate-to=SDDL
- Service is allowed to authenticate to by a given silo.
+ This policy, applying to a
+ service account (eg a Managed
+ Service Account, Group Managed
+ Service Account), restricts
+ which accounts may access it.
+
+
+ Must be a valid SDDL string.
+ The SDDL can reference both
+ bare (user) and Device conditions.
+
+
+ SDDL Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))
+
+
+
+
+ --service-allowed-to-authenticate-to-by-group=GROUP
+
+
+ The service account (eg a Managed
+ Service Account, Group Managed
+ Service Account), will only be
+ allowed access by other accounts
+ that are members of the given
+ GROUP.
+
+
+ This attribute avoids the need to write SDDL by hand and
+ cannot be used with --service-allowed-to-authenticate-to
+
+
+
+
+ --service-allowed-to-authenticate-to-by-silo=SILO
+
+
+ The service account (eg a
+ Managed Service Account, Group
+ Managed Service Account), will
+ only be allowed access by other
+ accounts that are assigned
+ to, granted membership of (and
+ meet any authentication
+ conditions of) the given SILO.
This attribute avoids the need to write SDDL by hand and
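Review bot: unbalanced parenthesis in the new --service-allowed-to-authenticate-from-device-group text: "(eg a Managed Service Account, Group Managed Service Account is allowed to authenticate" never closes; it should be "(e.g. a Managed Service Account or Group Managed Service Account) is allowed to authenticate". "eg" should be "e.g." throughout this hunk. Wording is also inconsistent with the user variant in the earlier hunk: there the -to-by-group text says "allowed access from other accounts", here "allowed access by other accounts"; pick one phrasing (e.g. "will only accept access from accounts that are members of GROUP") and use it in all six -to-by-* descriptions. Finally, "cannot be used with --service-allowed-to-authenticate-from" appears under -from-device-group only; the -from-device-silo entry in the previous hunk should say the same.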
@@ -858,24 +968,33 @@
- -computer-allowed-to-authenticate-to
+ --computer-allowed-to-authenticate-to=SDDL
- Conditions computer is allowed to authenticate to.
+ This policy, applying to a
+ computer account (eg a server
+ or workstation), restricts
+ which accounts may access it.
Must be a valid SDDL string.
+ The SDDL can reference both
+ bare (user) and Device conditions.
- Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
+ SDDL Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))
- --computer-allowed-to-authenticate-to-by-silo
+ --computer-allowed-to-authenticate-to-by-group=GROUP
- Computer is allowed to authenticate to by a given silo.
+ The computer account (eg a server
+ or workstation), will only be
+ allowed access by other accounts
+ that are members of the given
+ GROUP.
This attribute avoids the need to write SDDL by hand and
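Review bot: the example for --computer-allowed-to-authenticate-to changes from "(Member_of {SID(AU)})" to "(Member_of {SID(AO)})", which is a semantic change (Authenticated Users to Account Operators), not just relabelling; if the intent is to align it with the user and service -to examples, say so in the commit message, otherwise keep AU. Good catch fixing the single-dash "-computer-allowed-to-authenticate-to" heading. Minor: drop the comma in "The computer account (eg a server or workstation), will only be" and write "e.g.".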
@@ -883,196 +1002,33 @@
-
+
+ --computer-allowed-to-authenticate-to-by-silo=SILO
+
+
+ The computer account (eg a
+ server or workstation), will
+ only be allowed access by
+ other accounts that are
+ assigned to, granted
+ membership of (and meet any
+ authentication conditions of)
+ the given SILO.
+
+
+ This attribute avoids the need to write SDDL by hand and
+ cannot be used with --computer-allowed-to-authenticate-to
+
+
+
+
+
domain auth policy modify
- Modify authentication policies on the domain.
-
-
- -H, --URL
-
- LDB URL for database or target server.
-
-
-
- --name
-
- Name of the authentication policy (required).
-
-
-
- --description
-
- Optional description for the authentication policy.
-
-
-
- --protect
-
-
- Protect authentication policy from accidental deletion.
-
-
- Cannot be used together with --unprotect.
-
-
-
-
- --unprotect
-
-
- Unprotect authentication policy from accidental deletion.
-
-
- Cannot be used together with --protect.
-
-
-
-
- --audit
-
-
- Only audit authentication policy.
-
-
- Cannot be used together with --enforce.
-
-
-
-
- --enforce
-
-
- Enforce authentication policy.
-
-
- Cannot be used together with --audit.
-
-
-
-
- --strong-ntlm-policy
-
-
- Strong NTLM Policy (Disabled, Optional, Required).
-
-
-
-
- --user-tgt-lifetime-mins
-
-
- Ticket-Granting-Ticket lifetime for user accounts.
-
-
-
-
- --user-allow-ntlm-auth
-
-
- Allow NTLM network authentication when user
- is restricted to selected devices.
-
-
-
-
- --user-allowed-to-authenticate-from
-
-
- Conditions user is allowed to authenticate from.
-
-
- Must be a valid SDDL string.
-
-
- Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
-
-
-
-
- --user-allowed-to-authenticate-to
-
-
- Conditions user is allowed to authenticate to.
-
-
- Must be a valid SDDL string.
-
-
- Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))
-
-
-
-
- --service-tgt-lifetime-mins
-
-
- Ticket-Granting-Ticket lifetime for service accounts.
-
-
-
-
- --service-allow-ntlm-auth
-
-
- Allow NTLM network authentication when service
- is restricted to selected devices.
-
-
-
-
- --service-allowed-to-authenticate-from
-
-
- Conditions service is allowed to authenticate from.
-
-
- Must be a valid SDDL string.
-
-
- Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
-
-
-
-
- --service-allowed-to-authenticate-to
-
-
- Conditions service is allowed to authenticate to.
-
-
- Must be a valid SDDL string.
-
-
- Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AO)}))
-
-
-
-
- --computer-tgt-lifetime-mins
-
-
- Ticket-Granting-Ticket lifetime for computer accounts.
-
-
-
-
- -computer-allowed-to-authenticate-to
-
-
- Conditions computer is allowed to authenticate to.
-
-
- Must be a valid SDDL string.
-
-
- Example: O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of {SID(AU)}))
-
-
-
-
+ Modify authentication policies on the domain. The same
+ options apply as for domain auth policy create.
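Review bot: collapsing the modify section to "The same options apply as for domain auth policy create" loses information the removed text made explicit and that differs in meaning for modify: that --name is required (here it selects the existing policy rather than naming a new one), that --protect/--unprotect and --audit/--enforce are mutually exclusive pairs, and, importantly for an admin changing a live policy, what happens to attributes for which no option is given (left unchanged or cleared). Please keep a short paragraph stating those points for modify, and make "domain auth policy create" a proper cross-reference in the form this manpage already uses for its other section references rather than plain text.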