On Thu, 16 Jan 2020, lejeczek via FreeIPA-users wrote:
> hi everybody.
>
> I see this subject might have been poked around many times, a couple
> of times at least for sure. But I thought I'd poke again and hopefully
> get some of the latest comments & thoughts on how to make IPA's Samba allow
> password authentication to Win clients from outside of IPA/AD domains?
>
> Would there, by now, possibly be a semi-official (by the IPA team) way of
> getting there, since the subject first came up a long while ago?
This particular use case (non-enrolled Windows machines) is not
supported and not planned.
There is no way right now, and with FreeIPA 4.8 we are closing down the
ability to generate RC4 hashes for user passwords, which means
non-Kerberos authentication will not work.
There will be some work in the future around replacing the NTLM method, at least
between open source projects. Both MIT Kerberos and Heimdal now have
support for the NegoEx extension, which allows tunneling a non-Kerberos
authentication method between a client and a server, in case you have
another authentication source. There are no plugins that utilize it yet,
but Microsoft uses NegoEx to bind your Windows account to your cloud
account (live.com or some OIDC source) with the PKU2U security package.
In short, there might be means to explore these options, but they aren't
there yet.
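The reply above ties "no more RC4 hashes for user passwords" to "non-Kerberos authentication will not work". The link is that the RC4-HMAC Kerberos long-term key (enctype 23, RFC 4757) is computed as MD4 over the UTF-16LE password with no salt, i.e. it is byte-for-byte the NT hash that NTLM needs, whereas the AES enctypes derive their keys with a salted, iterated PBKDF2 that is useless to NTLM. The following is an added illustration, not code from the thread or from FreeIPA; it carries its own pure-Python MD4 because hashlib's MD4 is frequently unavailable under OpenSSL 3. The password "password", the realm EXAMPLE.TEST and the principal names are made-up inputs; the RFC 3962 salt is assumed to be the default form (realm followed by the principal components), and only the PBKDF2 stage of the AES string-to-key is shown since the final DK() step needs AES itself.

```python
"""Show why retiring RC4 Kerberos keys removes the NT hash NTLM depends on."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); avoids OpenSSL's legacy-provider md4."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (round function, additive constant, per-step shifts, message word order)
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), lambda i: i),
        (g, 0x5A827999, (3, 5, 9, 13), lambda i: (i % 4) * 4 + i // 4),
        (h, 0x6ED9EBA1, (3, 9, 11, 15),
         lambda i: (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]),
    )
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i in range(16):
                a = _rotl((a + fn(b, c, d) + x[order(i)] + k) & MASK32,
                          shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate registers a<-d<-c<-b
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash used by NTLM: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def rc4_hmac_string_to_key(password: str, salt: str) -> bytes:
    """RFC 4757 string-to-key for enctype 23 (rc4-hmac). The salt (and hence
    realm and principal) is ignored, so the key equals the NT hash: a KDC that
    stores an RC4 key stores an NTLM password-equivalent."""
    del salt  # deliberately unused, as the RFC specifies
    return md4(password.encode("utf-16-le"))


def aes_string_to_key_stage1(password: str, salt: str, iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key (DK() step
    omitted; it needs AES). Salted and iterated, so it is not reusable as an
    NTLM credential and differs per realm/principal."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, 32)


def rc4_key_is_nt_hash(password: str, realm: str, principal: str) -> bool:
    """True when the RC4 Kerberos key for this principal equals its NT hash."""
    salt = realm + principal                     # assumed RFC 3962 default salt form
    return rc4_hmac_string_to_key(password, salt) == nt_hash(password)


def aes_keys_differ_per_principal(password: str, realm: str, p1: str, p2: str) -> bool:
    """True when the same password yields different AES material for two principals."""
    return (aes_string_to_key_stage1(password, realm + p1)
            != aes_string_to_key_stage1(password, realm + p2))


if __name__ == "__main__":
    pw, realm = "password", "EXAMPLE.TEST"       # constructed sample inputs
    print("NT hash       :", nt_hash(pw).hex())
    print("rc4-hmac key  :", rc4_hmac_string_to_key(pw, realm + "alice").hex())
    print("same for bob? :", rc4_key_is_nt_hash(pw, realm, "bob"))
    print("AES differs   :", aes_keys_differ_per_principal(pw, realm, "alice", "bob"))
```

Run it and the first two lines print the same 16 bytes: whatever the principal or realm, the RC4 key is the NT hash, which is the credential an NTLM responder needs. The AES check shows the opposite property, so once a KDC holds only AES keys there is nothing left for a Samba NTLM exchange to verify against.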
Many thanks for clarifying all this.
On a related subject: Samba got "integrated" with
'ipa-adtrust-install'. Can it be un-integrated later at any time without
any impact on IPA, and if yes, then how?