By coincidence I posted a very similar question yesterday - https://www.redhat.com/archives/freeipa-users/2015-May/msg00103.html.
+1 for the necessary support for out-of-domain Windows clients and NTLMSSP. Is there a time-table for this? Thanks, Dylan. On 7 May 2015 at 08:48, Alexander Bokovoy <[email protected]> wrote: > On Thu, 07 May 2015, box 31978 wrote: >> >> Hello Alexander, >> >> Thank you very much for your answers! >> >>> If Windows client is not a part of the domain, there is no SSO and no >>> Kerberos. Windows client will attempt using NTLMSSP authentication. >>> ... >>> Right now -- yes. You are saying you've following "FreeIPA's Samba >>> integration guide" which I assume is >>> >>> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA >> >> , >>> >>> which only works for Kerberos authentication because NTLMSSP is not >>> supported by the SSSD. >> >> >> Yes, your assumption is absolutely exact ;-) >> >> That's clear now, my thoughts went on this direction too: anyone is >> handling a new kerberos ticket request because of authentication type. >> >>> Not really. The story is more complex than it seems and right now there >>> is no ready-made solution for out-of-domain Windows clients. >> >> >> Ok, I understand. >> >> Then, I'd go for an LDAP approach pointing Samba to IPA's directory (this >> works fine on Samba3 and 389-DS), but I'm not sure about the >> configuration. >> Can file-server's SSSD have Kerberos auth (result of ipa-client-install) >> and LDAP auth (added settings in sssd.conf) at the same time for the same >> domain? Will it work together or will I've to choose on of the two? > > SSSD can but you need Samba to be aware of these things because Samba > needs way more than just passwords. FreeIPA uses different LDAP schema > for the additional attributes compared to what standard Samba PASSDB > module for LDAP expects so if you enable that one in smb.conf, you'll > get nothing. > > As Christoph pointed in the another email, you may try to enable older > Samba-compatible scheme but that wouldn't play well with IPA's support > for SIDs (including on SSSD side) as we are using different attributes > and you'll be forced to maintain certain aspects manually. > > There is hope to get NTLMSSP support implemented but not soon, we have > bits in place but there is still work to be done. > > -- > / Alexander Bokovoy > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
