On 1/17/22 11:08, lejeczek via FreeIPA-users wrote:
> On 17/01/2022 16:06, Harry G. Coin via FreeIPA-users wrote:
>>
>> On 1/17/22 05:30, lejeczek via FreeIPA-users wrote:
>>> On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:
>>>> Hi guys.
>>>>
>>>> I have an old - set up ~2 yrs ago - IPA domain which "survived"
>>>> updates/upgrades till this day in such a way that integrated Samba
>>>> serves up under a different hostname/domain and serves non-enrolled
>>>> clients (win 10) too.
>>>>
>>>> With a new deployment, 4.9.6, just adding things to DNS - which
>>>> worked in that "old" domain - does _not_ do the trick.
>>>> With only such "simple" DNS Samba does respond, clients connect and
>>>> get a password prompt, but Samba says: NT_STATUS_WRONG_PASSWORD
>>>>
>>> That - NT_STATUS_WRONG_PASSWORD - seems not an issue of my env but
>>> rather it is that non-enrolled clients, Linux & Windows, will fail
>>> even if trying a "legitimate" master's Samba.
>>>
>>> Is that the default behavior in the current version - as I mentioned, my
>>> "old" IPA with updates/upgrades allows non-enrolled - and if so, can
>>> it be managed into allowing non-enrolled clients?
>>
>>
>> Lately it seems so much of freeipa's developers' time is spent chasing
>> Active Directory and related issues, when something 'breaks' 'a small
>> business with a handful of windows boxes (maybe a mix of 'home' and
>> 'professional' versions, and a mix of windows 7 or 8 or 10) sharing
>> off of freeipa's samba instance with no domain capability, using very
>> basic 'map network drive' and 'usernames and passwords' (entirely
>> sufficient for most businesses which are small and will never have
>> money enough for a full time IT staff member)'. I wonder if the
>> upgrades still test for that 'widely needed, not too technically
>> exciting' setup.
> I'm of that same mind and shared my thoughts on occasions such as this
> in the past.
> That setup I did long ago was such that system policies needed to be
> 'LEGACY' and non-enrolled Linux & win clients connected to IPA
> deployed that way - off the LEGACY, worked beautifully with Samba -
> so, not much hacking.
> I understand there might be large customers with large ADs with IPA
> only glued somewhere next to it, but the rest of us, I imagine, must be
> like that - small deployments which mix everything and do _not_
> need AD, and securities... are taken care of with all sorts of other means.
> I saw during one upgrade 'CLASSIC IPA' - or something alike - migrated
> to 'IPA PRIMARY' or something like that. I'd imagine that was when NEW
> installation changed so non-enrolled do not work now.
> If I can vote, my vote shall go to - IPA devel re/consider changes to
> reintroduce (as an option) such a deployment mode where Samba would
> "weaken" the setup/config so all those non-enrolled customers can
> connect with _passwords_.
> many thanks, L.
I'm not even close to sure what it would look like exactly, but maybe
what we're seeing is the 'Large-Corp' 'MS-IBM-i-zation' of
redhat/freeipa fedora/centos and something like a 'rocky linux' version
of what freeipa does is called for. Most all the business in the world
is small business, while most of the money to pay developers does not
come from there. Large corporations want to own things and need
recurring revenue. Small business values tools that do the job and
prefer not to buy new tools until the old one breaks. Software does not
rust. So there's this disconnect. So very many businesses see nothing
in Windows 11 that helps them generate revenue that wasn't in Windows
7. I bet as more folks move to quickbooks 'on line' version the
justification for having windows systems at all in many small businesses
goes away now as linux based corporate workstations are completely
sufficient.
Bind is doing internally much of what freeipa's added dnssec aims for.
In small business, dns changes are infrequent so updating flat files and
the occasional 'rndc' command is enough for the bind interface
(bind-dns-ldap goes away) (An integrated dhcp server would be nice).
Samba has its own internal ldap server as I understand it. Maybe a
'role of freeipa' where it's assumed samba will be the ad/dc (to the
extent one is needed anyhow, but it turns on ldap in samba and retires
the need for an external ns-slapd).
Something to think about.