On Wed, 29 Apr 2020, lejeczek via FreeIPA-users wrote:
On 29/04/2020 18:20, Alexander Bokovoy wrote:
On Wed, 29 Apr 2020, lejeczek via FreeIPA-users wrote:
On 16/01/2020 13:56, Alexander Bokovoy wrote:
On Thu, 16 Jan 2020, lejeczek via FreeIPA-users wrote:
hi everybody.
I see this subject might have been poked around many times, a couple of times at least for sure. But I thought I'd poke again and hopefully get some latest comments & thoughts on how to make IPA's Samba allow password authentication to Win clients from outside of IPA/AD domains? Would there, by now, possibly be a semi-official (by the IPA team) way of getting there, since the subject first came up a longer while ago?
This particular use case (non-enrolled Windows machines) is not supported and not planned.

There is no way right now, and with FreeIPA 4.8 we are closing down the ability to generate RC4 hashes for user passwords, which means non-Kerberos authentication will not work.

There will be some work in future around replacing the NTLM method, at least between open source projects. Both MIT Kerberos and Heimdal now have support for the NegoEx extension, which allows tunnelling a non-Kerberos authentication method between a client and a server, in case you have another authentication source. There are no plugins that utilize it yet, but Microsoft uses NegoEx to bind your Windows account to your cloud account (live.com or some OIDC source) with the PKU2U security package.

In short, there might be means to explore these options, but they aren't there yet.
some time later... :)

It seems that smbclient from a separate/disconnected IPA domain, from a master server of such a domain, can connect with no Kerberos; password auth works.

$ smbclient -L //knives.priv.dom -Upriv.dom\\me
Enter PRIV.DOM\me's password:
Sharename Type Comment
...
...

PRIV.DOM is ipa --version
VERSION: 4.6.6, API_VERSION: 2.231

That must make one wonder: if Linux Samba tools can do pass auth to IPA's Samba, then Windows too must somehow be persuaded to do the same?
No, it would not, at least in the Windows UI. Windows _clients_ expect a certain set of capabilities provided by the domain controller which FreeIPA is not providing yet.
Could it be a question of some policies/registries tuning & tweaking in such a way that this would work?
It is not about policies and tweaks, sorry.
And this:
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
is that obsolete and should be ignored? That would not fix IPA's Samba to serve Win10 (non-AD mode) clients?
Correct. Even if sometimes people claim it is working, it is definitely not something we would be willing to support. As I said, with FreeIPA 4.8 the whole NTLM story is gone for users already, so only Kerberos authentication is going to be present until we create a new secure mechanism.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]