On 29/04/2020 18:20, Alexander Bokovoy wrote:
> On Wed, 29 Apr 2020, lejeczek via FreeIPA-users wrote:
>>
>>
>> On 16/01/2020 13:56, Alexander Bokovoy wrote:
>>> On Thu, 16 Jan 2020, lejeczek via FreeIPA-users wrote:
>>>> hi everybody.
>>>>
>>>> I see this subject might have been poked around many times, a couple
>>>> of times at least for sure. But I thought I'd poke again and hopefully
>>>> get some latest comments & thoughts on how to make IPA's Samba allow
>>>> password authentication to Win clients from outside of IPA/AD domains.
>>>>
>>>> Would there, by now, possibly be a semi-official (by the IPA team) way
>>>> of getting there, since the subject first came up a longer while ago?
>>>
>>> This particular use case (non-enrolled Windows machines) is not
>>> supported and not planned.
>>>
>>> There is no way right now, and with FreeIPA 4.8 we are closing down
>>> the ability to generate RC4 hashes for user passwords, which means
>>> non-Kerberos authentication will not work.
>>>
>>> There will be some work in future around replacing the NTLM method, at
>>> least between open source projects. Both MIT Kerberos and Heimdal now
>>> have support for the NegoEx extension, which allows tunnelling a
>>> non-Kerberos authentication method between a client and a server, in
>>> case you have another authentication source. There are no plugins that
>>> utilize it yet, but Microsoft uses NegoEx to bind your Windows account
>>> to your cloud account (live.com or some OIDC source) with the PKU2U
>>> security package.
>>>
>>> In short, there might be means to explore these options, but they
>>> aren't there yet.
>>>
>>>
>>>
>>>
>> some time later... :)
>> It seems that smbclient from a separate/disconnected IPA
>> domain, from a master server of such a domain, can connect
>> with no Kerberos; password auth works.
>>
>> $ smbclient -L //knives.priv.dom -Upriv.dom\\me
>> Enter PRIV.DOM\me's password:
>>
>> Sharename Type Comment
>> ...
>> ...
>>
>> PRIV.DOM is ipa --version
>> VERSION: 4.6.6, API_VERSION: 2.231
>>
>> That must make one wonder: if Linux Samba tools can do password
>> auth to IPA's Samba, then Windows too must somehow be persuaded
>> to do the same?
>
> No, it would not, at least in the Windows UI. Windows _clients_ expect
> a certain set of capabilities provided by the domain controller which
> FreeIPA is not providing yet.
>
>> Could it be a question of some policies/registries tuning &
>> tweaking in such a way that this would work?
>
> It is not about policies and tweaks, sorry.
>
And this:
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
is that obsolete and should be ignored?
That would not fix IPA's Samba to serve Win10 (non-AD mode)
clients?

Correct. Even if sometimes people claim it is working, it is definitely
not something we would be willing to support. As I said, with FreeIPA
4.8 the whole NTLM story is gone for users already, so only Kerberos
authentication is going to be present until we create a new secure
mechanism.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland