On Tue, 25 Jan 2022, lejeczek via FreeIPA-users wrote:
On 25/01/2022 12:11, Alexander Bokovoy wrote:
>On Tue, 25 Jan 2022, lejeczek via FreeIPA-users wrote:
>>Hi guys.
>>
>>If that can be news for some - I'd like to share a finding: it's
>>possible to have ipa-integrated Samba serving non-enrolled
>>clients, both Linux & Windows, with passwords for authentication.
>>(which has long been & will continue to be a must-have for me)
>>
>>Question for @devel - the above I get simply by switching to
>>'LEGACY' - is it possible to do that only for IPA-Samba (+
>>whatever required bits) as opposed to system-wide?
>>
>>It would be great to have IPA capable of that - perhaps an
>>"enhancement" to future releases.
>
>FreeIPA is not a single application, so it is hard to apply that.
>
>I wonder if DEFAULT:AD-SUPPORT would work for you too? Or something on
>top of AD-SUPPORT one? The following is what I have on Fedora 35:
>
>$ cat /usr/share/crypto-policies/policies/modules/AD-SUPPORT.pmod
># AD-SUPPORT subpolicy is intended to be used in Active Directory
># environments where either accounts or trusted domain objects were not yet
># migrated to AES or future encryption types. Active Directory implicitly
># requires RC4 and MD5 (arcfour-hmac-md5) in Kerberos by default.
>
>cipher@kerberos = RC4-128+
>hash@kerberos = MD5+
>
>Samba uses GnuTLS, so maybe expanding the @gnutls scope in a similar way
>would work?
>
>E.g., add /etc/crypto-policies/policies/modules/MY-MODULE.pmod that
>includes
>
>cipher@kerberos = RC4-128+
>hash@kerberos = MD5+
>cipher@gnutls = RC4-128+
>hash@gnutls = MD5+
>
>and then set the system-wide policy to use DEFAULT:MY-MODULE as a policy.
>
>This doesn't define it per application but at least limits use of
>insecure types to Kerberos and any application using GnuTLS.
>
>I actually haven't tried this all.
>
Testing with this policy now and nope, Samba 4.15.3 says:
...
[2022/01/25 14:21:55.930113, 2, pid=16175]
ipa_sam.c:3645(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: dupa
[2022/01/25 14:21:55.947759, 1, pid=16175]
../../source3/auth/check_samsec.c:454(check_sam_security)
Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED
All these modifications of the policy will not change the fact that we
do not implement modification of the SAM entry in the IPA SAM module. This means
you are getting into a different code path here.
So probably more changes to the policy are needed...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
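Putting the suggestion from the quoted message into a script, as an added example that is not code from the thread or from the crypto-policies project: it writes the MY-MODULE.pmod subpolicy with the four scoped directives Alexander listed, checks that every directive is scoped to @kerberos or @gnutls (an unscoped "cipher = RC4-128+" would re-enable RC4 for every back-end, which is exactly the system-wide effect the question wanted to avoid), and then applies DEFAULT:MY-MODULE and greps the rendered back-end files. The modules directory, /etc/crypto-policies/back-ends/krb5.config and /etc/crypto-policies/back-ends/gnutls.config are the standard crypto-policies paths on Fedora/RHEL 8+; the enctype and priority-string spellings grepped for (arcfour/rc4, ARCFOUR/MD5) are an assumption about how the generators render RC4-128 and MD5. As the thread goes on to show, this does not by itself fix the NT_STATUS_NOT_IMPLEMENTED failure, which comes from the IPA SAM module rather than from the crypto policy.

```shell
#!/bin/sh
# Added example, not from the thread. Scope the RC4/MD5 allowance to the
# Kerberos and GnuTLS back-ends via a custom crypto-policies subpolicy
# module instead of switching the whole system to LEGACY.
set -eu

MODULE_NAME="MY-MODULE"   # module name used in the thread

# Write the subpolicy module. The modules directory is a parameter so the
# function can be exercised against a scratch directory without root.
# Returns (prints) the path of the module written.
write_ad_compat_module() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/$MODULE_NAME.pmod" <<'EOF'
# Allow RC4 and MD5 only for Kerberos and for applications using GnuTLS.
cipher@kerberos = RC4-128+
hash@kerberos = MD5+
cipher@gnutls = RC4-128+
hash@gnutls = MD5+
EOF
    printf '%s\n' "$dir/$MODULE_NAME.pmod"
}

# Return 0 if every non-comment, non-blank directive in the module carries an
# @kerberos or @gnutls scope, 1 otherwise. A directive with no scope applies
# to every back-end, i.e. system-wide.
module_scopes_ok() {
    grep -v '^#' "$1" | grep -v '^[[:space:]]*$' \
        | grep -qvE '^[a-z_]+@(kerberos|gnutls) = ' && return 1
    return 0
}

# Apply DEFAULT:MY-MODULE and show what the back-ends actually received.
# Needs root. The grep patterns assume the generators spell the RC4 enctype
# as arcfour-hmac-md5/rc4-hmac and the GnuTLS ciphers as ARCFOUR-128/MD5.
apply_policy() {
    update-crypto-policies --set "DEFAULT:$MODULE_NAME"
    update-crypto-policies --show
    grep -iE 'arcfour|rc4' /etc/crypto-policies/back-ends/krb5.config \
        || echo "krb5: no RC4 enctype in the rendered policy"
    grep -iE 'ARCFOUR|MD5' /etc/crypto-policies/back-ends/gnutls.config \
        || echo "gnutls: no RC4/MD5 in the rendered priority string"
}

# Usage: sh this-script.sh --apply   (as root)
if [ "${1:-}" = "--apply" ]; then
    f=$(write_ad_compat_module /etc/crypto-policies/policies/modules)
    module_scopes_ok "$f" || { echo "module has unscoped directives"; exit 1; }
    apply_policy
fi
```

Run it with --apply as root; without the flag it only defines the functions, so it can be sourced and the module written to a scratch directory first to inspect what would land under /etc/crypto-policies.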