On 1/17/22 05:30, lejeczek via FreeIPA-users wrote:
On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:
Hi guys.
I have an old - set up ~2 yrs ago - IPA domain which "survived"
updates/upgrades till this day in such a way that integrated Samba
serves up under different hostname/domain and serves non-enrolled
clients (win 10) too.
With new deployment, 4.9.6, just adding things to just DNS - which
worked in that "old" domain - does _not_ do the trick.
With only such "simple" DNS Samba does respond, clients connect and
get password prompt but Samba says: NT_STATUS_WRONG_PASSWORD
That - NT_STATUS_WRONG_PASSWORD - seems not an issue of my env but
rather it is, that non-enrolled clients, linux & windows will fail
even if trying a "legitimate" master's Samba.
Is that the default behavior in current version - as I mentioned my
"old" with up-dates/grades IPA allows non-enrolled - and if so can it
be managed into allowing non-enrolled clients?
Lately it seems so much of freeipa's developers' time is spent chasing
Active Directory and related issues, when something 'breaks' 'a small
business with a handful of windows boxes (maybe a mix of 'home' and
'professional' versions, and a mix of windows 7 or 8 or 10) sharing off
of freeipa's samba instance with no domain capability, used very basic
'map network drive' and 'usernames and passwords' (entirely sufficient
for most businesses which are small and will never have money enough for
a full time IT staff member) I wonder if the upgrades still test for
that 'widely needed not too technically exciting' setup.
Log snippet off a master's Samba when non-enrolled Linux connects:
...
[2022/01/17 11:14:09.090933, 2, pid=35744]
ipa_sam.c:3645(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: me254
[2022/01/17 11:14:09.099720, 1, pid=35744]
../../source3/auth/check_samsec.c:454(check_sam_security)
Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED
[2022/01/17 11:14:09.099758, 2, pid=35744]
../../source3/auth/auth.c:348(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [me254] -> [me254]
FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2022/01/17 11:14:09.099793, 2, pid=35744]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [CCN]\[me254] at [Mon, 17 Jan 2022
11:14:09.099772 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD]
workstation [DRUNK] remote host [ipv4:10.0.0.6:55170] mapped to
[CCN]\[me254]. local host [ipv4:10.0.0.16:445]
{"timestamp": "2022-01-17T11:14:09.099858+0000", "type":
"Authentication", "Authentication": {"version": {"major": 1, "minor":
2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status":
"NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.0.0.16:445",
"remoteAddress": "ipv4:10.0.0.6:55170", "serviceDescription": "SMB2",
"authDescription": null, "clientDomain": "CCN", "clientAccount":
"me254", "workstation": "DRUNK", "becameAccount": null,
"becameDomain": null, "becameSid": null, "mappedAccount": "me254",
"mappedDomain": "CCN", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
"passwordType": "NTLMv2", "duration": 12172}}
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to
[email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
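A triage sketch for the log excerpt in the post above, added here as an example and not part of the original thread or of Samba/FreeIPA code: it parses smbd text records and JSON Authentication events, then lists failed logons and the level-1 messages logged alongside them. The sample input is constructed from the excerpt (e-mail wrapping undone, JSON abridged); the function names are hypothetical, and treating `NT_STATUS_OK` as the only success status is an assumption.

```python
import json
import re
from collections import Counter

# Constructed sample: records from the post, e-mail wrapping undone, JSON abridged.
SAMPLE = """\
[2022/01/17 11:14:09.099720, 1, pid=35744] ../../source3/auth/check_samsec.c:454(check_sam_security)
  Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED
[2022/01/17 11:14:09.099758, 2, pid=35744] ../../source3/auth/auth.c:348(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [me254] -> [me254]
  FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
  {"timestamp": "2022-01-17T11:14:09.099858+0000", "type": "Authentication", "Authentication": {"status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:10.0.0.6:55170", "clientDomain": "CCN", "clientAccount": "me254", "workstation": "DRUNK", "passwordType": "NTLMv2"}}
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+),\s*pid=(?P<pid>\d+)\]"
                    r"\s+(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)$")

def parse_smbd_log(text):
    """Split smbd log text into header-delimited records and JSON auth events."""
    records, events = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif line.startswith("{"):
            try:
                obj = json.loads(line)
            except ValueError:
                continue  # wrapped or truncated JSON: skip rather than guess
            if obj.get("type") == "Authentication":
                events.append(obj["Authentication"])
        elif line and records:  # continuation line: append to the current record
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records, events

def client_ip(remote):
    """'ipv4:10.0.0.6:55170' -> '10.0.0.6' (drop address family and port)."""
    return (remote or "").partition(":")[2].rpartition(":")[0]

def failed_logons(events):
    """Count events whose status is not NT_STATUS_OK, per (account, IP, type)."""
    return Counter(
        (f"{e.get('clientDomain')}\\{e.get('clientAccount')}",
         client_ip(e.get("remoteAddress")), e.get("passwordType"))
        for e in events if e.get("status") != "NT_STATUS_OK")

def backend_errors(records, max_level=1):
    """Records logged at debug level <= max_level (lower number = more severe)."""
    return [r for r in records if int(r["level"]) <= max_level]
```

Run against a real smbd log, `backend_errors` surfaces messages such as the `check_sam_security` line that precede a rejected logon, while `failed_logons` gives the per-client failure counts.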