On Mon, 17 Jan 2022, Harry G. Coin wrote:
>On 1/17/22 10:26, Alexander Bokovoy wrote:
>>On Mon, 17 Jan 2022, Harry G. Coin via FreeIPA-users wrote:
>>>
>>>On 1/17/22 05:30, lejeczek via FreeIPA-users wrote:
>>>>On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:
>>>>>Hi guys.
>>>>>
>>>>>I have an old - set up ~2 yrs ago - IPA domain which
>>>>>"survived" updates/upgrades till this day in such a way that
>>>>>integrated Samba serves up under different hostname/domain and
>>>>>serves non-enrolled clients (win 10) too.
>>>>>
>>>>>With new deployment, 4.9.6, just adding things to just DNS -
>>>>>which worked in that "old" domain - does _not_ do the trick.
>>>>>With only such "simple" DNS Samba does respond, clients
>>>>>connect and get password prompt but Samba says:
>>>>>NT_STATUS_WRONG_PASSWORD
>>>>>
>>>>That - NT_STATUS_WRONG_PASSWORD - seems not an issue of my env
>>>>but rather it is, that non-enrolled clients, linux & windows
>>>>will fail even if trying a "legitimate" master's Samba.
>>>>
>>>>Is that the default behavior in current version - as I mentioned
>>>>my "old" with up-dates/grades IPA allows non-enrolled - and if
>>>>so can it be managed into allowing non-enrolled clients?
>>>
>>>
>>>Lately it seems so much of freeipa's developers' time is spent
>>>chasing Active Directory and related issues, when something
>>>'breaks' 'a small business with a handful of windows boxes (maybe
>>>a mix of 'home' and 'professional' versions, and a mix of windows
>>>7 or 8 or 10) sharing off of freeipa's samba instance with no
>>>domain capability, used very basic 'map network drive' and
>>>'usernames and passwords' (entirely sufficient for most businesses
>>>which are small and will never have money enough for a full time
>>>IT staff member) I wonder if the upgrades still test for that
>>>'widely needed not too technically exciting' setup.
>>
>>FreeIPA team never claimed to provide any support for non-domain joined
>>Windows systems. On the contrary, this is explicitly not supported. We do
>>not test these configurations because they are not supported for a
>>reason.
>>
>>This does not stop brave sysadmins from trying to hack their configurations
>>into what they think could be done. It might work or might not. Samba
>>upstream has too little resources to focus on all these configurations
>>as well. The focus there is more on Samba AD and most of very specific
>>file serving setups for AD domain members.
>>
>>Life of NT4 domains and not joined clients using NTLM is long gone for
>>most of deployments that care about security. We (Samba and FreeIPA
>>teams upstream) are working with Microsoft to make a path forward
>>without insecure use of RC4 cipher in NTLM. Hopefully, we'll get
>>somewhere and not joined clients could get better support but we aren't
>>there.
>>
>An underappreciated realm of 'care about security' is what you might
>call 'walled gardens' that have no expectation interior systems
>provide more than vandalism-level security, as they have little to no
>routine connection to the internet, and the key on the office door,
>security cameras and off-site backups are all that's needed.
While there are configurations like that, a much more real one is the social
engineering factor, where a system within your security perimeter is
compromised due to other factors and then exploited to attack internal
infrastructure.
Known attacks on RC4 hashes were within 52 hours to decrypt the hash five
years ago. This is using a CPU. With a GPU it is even faster, so this is not
fairy tale stuff; it is pretty much real.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland