On 16/01/2020 13:56, Alexander Bokovoy wrote:
> On Thu, 16 Jan 2020, lejeczek via FreeIPA-users wrote:
>> hi everybody.
>>
>> I see this subject might have been poked around many times, a couple
>> times at least for sure. But I thought I'd poke again and hopefully
>> get some latest comments & thoughts on - how to make IPA's Samba allow
>> password authentication to Win clients from outside of IPA/AD domains?
>>
>> Would there, by now, possibly be a semi-official (by IPA team) way of
>> getting there, since the subject first came up a longer while ago?
> This particular use case (non-enrolled Windows machines) is not
> supported and not planned.
>
> There is no way right now, and with FreeIPA 4.8 we are closing down the
> ability to generate RC4 hashes for user passwords, which means
> non-Kerberos authentication will not work.
>
> There will be some work in future around replacing the NTLM method, at
> least between open source projects. Both MIT Kerberos and Heimdal now
> have support for the NegoEx extension, which allows tunnelling a
> non-Kerberos authentication method between a client and a server, in
> case you have another authentication source. There are no plugins that
> utilize it yet, but Microsoft uses NegoEx to bind your Windows account
> to your cloud account (live.com or some OIDC source) with the PKU2U
> security package.
>
> In short, there might be means to explore these options, but they aren't
> there yet.
some time later... :)

It seems that smbclient from a separate/disconnected IPA domain, run from
a master server of that domain, can connect with no Kerberos; password
auth works.

$ smbclient -L //knives.priv.dom -Upriv.dom\\me
Enter PRIV.DOM\me's password:
Sharename Type Comment
...
...

PRIV.DOM is (ipa --version):
VERSION: 4.6.6, API_VERSION: 2.231

That must make one wonder: if Linux Samba tools can do password auth to
IPA's Samba, then Windows too must somehow be persuaded to do the same?

Could it be a question of some policies/registries tuning & tweaking in
such a way that this would work?

many thanks, L.