On Mon, 17 Jan 2022, Harry G. Coin via FreeIPA-users wrote:
>On 1/17/22 05:30, lejeczek via FreeIPA-users wrote:
>>On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:
>>>Hi guys.
>>>
>>>I have an old - set up ~2 yrs ago - IPA domain which "survived"
>>>updates/upgrades till this day in such a way that integrated Samba
>>>serves up under a different hostname/domain and serves non-enrolled
>>>clients (Win 10) too.
>>>
>>>With a new deployment, 4.9.6, just adding things to DNS - which
>>>worked in that "old" domain - does _not_ do the trick.
>>>With only such "simple" DNS Samba does respond, clients connect
>>>and get a password prompt but Samba says: NT_STATUS_WRONG_PASSWORD
>>>
>>That - NT_STATUS_WRONG_PASSWORD - seems not an issue of my env but
>>rather it is that non-enrolled clients, Linux & Windows, will fail
>>even if trying a "legitimate" master's Samba.
>>
>>Is that the default behavior in the current version - as I mentioned, my
>>"old" IPA with updates/upgrades allows non-enrolled - and if so can
>>it be managed into allowing non-enrolled clients?
>Lately it seems so much of FreeIPA's developers' time is spent chasing
>Active Directory and related issues. When something 'breaks' a small
>business with a handful of Windows boxes (maybe a mix of 'home' and
>'professional' versions, and a mix of Windows 7 or 8 or 10) sharing
>off of FreeIPA's Samba instance with no domain capability, using very
>basic 'map network drive' and 'usernames and passwords' (entirely
>sufficient for most businesses which are small and will never have
>money enough for a full time IT staff member), I wonder if the upgrades
>still test for that 'widely needed, not too technically exciting'
>setup.
FreeIPA team never claimed to provide any support for non-domain-joined
Windows systems. On the contrary, this is explicitly not supported. We do
not test these configurations because they are not supported for a
reason.
This does not stop brave sysadmins from trying to hack their configurations
into what they think could be done. It might work or might not. Samba
upstream has too few resources to focus on all these configurations
as well. The focus there is more on Samba AD and most of the very specific
file serving setups for AD domain members.
The life of NT4 domains and non-joined clients using NTLM is long gone for
most deployments that care about security. We (Samba and FreeIPA
teams upstream) are working with Microsoft to make a path forward
without insecure use of the RC4 cipher in NTLM. Hopefully, we'll get
somewhere and non-joined clients could get better support, but we aren't
there yet.
>>
>>Log snippet off a master's Samba when a non-enrolled Linux client connects:
>>
>>...
>>
>>[2022/01/17 11:14:09.090933, 2, pid=35744]
>>ipa_sam.c:3645(init_sam_from_ldap)
>> init_sam_from_ldap: Entry found for user: me254
>>[2022/01/17 11:14:09.099720, 1, pid=35744]
>>../../source3/auth/check_samsec.c:454(check_sam_security)
>> Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED
>>[2022/01/17 11:14:09.099758, 2, pid=35744]
>>../../source3/auth/auth.c:348(auth_check_ntlm_password)
>> check_ntlm_password: Authentication for user [me254] -> [me254]
>>FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
>>[2022/01/17 11:14:09.099793, 2, pid=35744]
>>../../auth/auth_log.c:653(log_authentication_event_human_readable)
>> Auth: [SMB2,(null)] user [CCN]\[me254] at [Mon, 17 Jan 2022
>>11:14:09.099772 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD]
>>workstation [DRUNK] remote host [ipv4:10.0.0.6:55170] mapped to
>>[CCN]\[me254]. local host [ipv4:10.0.0.16:445]
>> {"timestamp": "2022-01-17T11:14:09.099858+0000", "type": "Authentication",
>>"Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625,
>>"logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD",
>>"localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.6:55170",
>>"serviceDescription": "SMB2", "authDescription": null, "clientDomain": "CCN",
>>"clientAccount": "me254", "workstation": "DRUNK", "becameAccount": null,
>>"becameDomain": null, "becameSid": null, "mappedAccount": "me254",
>>"mappedDomain": "CCN", "netlogonComputer": null, "netlogonTrustAccount": null,
>>"netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0,
>>"netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 12172}}
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
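The JSON "Authentication" record quoted in the thread is Samba's structured authentication log, written next to the human-readable "Auth:" line. As an added example (not code from FreeIPA, Samba, or anyone in this thread), here is a small parser that extracts those records from a Samba log, skips the human-readable companion lines, and totals failed logons (eventId 4625, as in the quoted record) per remote host, account and password type, so a run of NTLM failures like the one above stands out. The sample log lines are constructed to match the quoted field layout, the reduced field set and the threshold of two failures per host are my choices, and the success record with eventId 4624 is an assumed counterpart, not taken from the thread.

```python
"""Summarise failed logons from Samba's JSON authentication log records.

Added example, not code from FreeIPA or Samba. The sample lines below are
constructed to match the record layout quoted in the thread.
"""
import json
from collections import Counter

# Constructed sample log lines (not real captures). Line 1 mirrors the quoted
# failure, line 2 is its human-readable companion, line 3 is a second failure
# from the same host, line 4 is an assumed successful logon (eventId 4624).
SAMPLE_LOG = [
    '  {"timestamp": "2022-01-17T11:14:09.099858+0000", "type": "Authentication", '
    '"Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, '
    '"logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", '
    '"localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.6:55170", '
    '"serviceDescription": "SMB2", "clientDomain": "CCN", "clientAccount": "me254", '
    '"workstation": "DRUNK", "mappedAccount": "me254", "mappedDomain": "CCN", '
    '"passwordType": "NTLMv2", "duration": 12172}}',
    '  Auth: [SMB2,(null)] user [CCN]\\[me254] at [Mon, 17 Jan 2022 11:14:09.099772 GMT] '
    'with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [DRUNK] '
    'remote host [ipv4:10.0.0.6:55170]',
    '{"timestamp": "2022-01-17T11:14:12.000000+0000", "type": "Authentication", '
    '"Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, '
    '"logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", '
    '"localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.6:55171", '
    '"serviceDescription": "SMB2", "clientDomain": "CCN", "clientAccount": "admin", '
    '"workstation": "DRUNK", "mappedAccount": "admin", "mappedDomain": "CCN", '
    '"passwordType": "NTLMv2", "duration": 9000}}',
    '{"timestamp": "2022-01-17T11:15:00.000000+0000", "type": "Authentication", '
    '"Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, '
    '"logonType": 3, "status": "NT_STATUS_OK", '
    '"localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.7:50001", '
    '"serviceDescription": "SMB2", "clientDomain": "CCN", "clientAccount": "me254", '
    '"workstation": "WS1", "mappedAccount": "me254", "mappedDomain": "CCN", '
    '"passwordType": "NTLMv2", "duration": 3000}}',
]

FAILED_LOGON_EVENT_ID = 4625  # as in the record quoted in the thread


def parse_auth_record(line):
    """Return the inner "Authentication" object (plus the outer timestamp) for a
    JSON authentication record, or None for human-readable lines, malformed
    JSON, and JSON records of another type."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        record = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    if record.get("type") != "Authentication":
        return None
    auth = dict(record.get("Authentication", {}))
    auth["timestamp"] = record.get("timestamp")
    return auth


def remote_host(addr):
    """Strip Samba's 'ipv4:' prefix and trailing port so that connections from
    the same client on different source ports are counted together:
    'ipv4:10.0.0.6:55170' -> '10.0.0.6'. Other formats are returned as logged."""
    if addr and addr.startswith("ipv4:"):
        return addr[len("ipv4:"):].rsplit(":", 1)[0]
    return addr


def summarize_failures(lines, threshold=2):
    """Count failed logons by remote host, (domain, account) and password type,
    and list hosts with at least `threshold` failures."""
    by_host, by_account, by_pwtype = Counter(), Counter(), Counter()
    for line in lines:
        auth = parse_auth_record(line)
        if auth is None or auth.get("eventId") != FAILED_LOGON_EVENT_ID:
            continue
        by_host[remote_host(auth.get("remoteAddress"))] += 1
        by_account[(auth.get("clientDomain"), auth.get("clientAccount"))] += 1
        by_pwtype[auth.get("passwordType")] += 1
    flagged = sorted(host for host, n in by_host.items() if n >= threshold)
    return {"by_host": by_host, "by_account": by_account,
            "by_pwtype": by_pwtype, "flagged_hosts": flagged}


if __name__ == "__main__":
    summary = summarize_failures(SAMPLE_LOG)
    for host in summary["flagged_hosts"]:
        print(f"{host}: {summary['by_host'][host]} failed logons")
    for pwtype, n in summary["by_pwtype"].items():
        print(f"password type {pwtype}: {n} failures")
```

Feed it the lines of the Samba log file (or the `log level = ... auth_json_audit:3` output) instead of SAMPLE_LOG; the per-password-type counter is what shows how much NTLM traffic a server still sees, which is the practical measure of how far a deployment is from the NTLM-free path discussed above.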