On 25/01/2022 12:11, Alexander Bokovoy wrote:
On ti, 25 tammi 2022, lejeczek via FreeIPA-users wrote:
> Hi guys.
>
> If that can be a news for some - I'd like to share a finding: it's
> possible to have ipa-integrated Samba serving non-enrolled clients,
> both Linux & Windows, with passwords for authentication. (which has
> been long & will continue to be a must-have for me)
>
> Question for @devel - above I get with simply by switching to
> 'LEGACY' - is it possible to do that but only for IPA-Samba(+
> whatever required bits) as oppose to system-widely?
>
> It would be great to have IPA capable of that - perhaps an
> "enhancement" to future releases.
FreeIPA is not a single application, so it is hard to apply that.
I wonder if DEFAULT:AD-SUPPORT would work for you too? Or something on
top of AD-SUPPORT one? The following is what I have on Fedora 35:
$ cat /usr/share/crypto-policies/policies/modules/AD-SUPPORT.pmod
# AD-SUPPORT subpolicy is intended to be used in Active Directory
# environments where either accounts or trusted domain objects were
not yet
# migrated to AES or future encryption types. Active Directory implicitly
# requires RC4 and MD5 (arcfour-hmac-md5) in Kerberos by default.
cipher@kerberos = RC4-128+
hash@kerberos = MD5+
Samba uses GnuTLS, so may be expanding @gnutls scope in a similar way
would work?
E.g., add /etc/crypto-policies/policies/modules/MY-MODULE.pmod that
includes
cipher@kerberos = RC4-128+
hash@kerberos = MD5+
cipher@gnutls = RC4-128+
hash@gnutls = MD5+
and then set sytem-wide policy to use DEFAULT:MY-MODULE as a policy.
This doesn't define it per application but at least limits use of
insecure types to Kerberos and any application using GnuTLS.
I actually haven't tried this all.
Testing with this policy now and nope, Samba 4.15.3 says:
...
[2022/01/25 14:21:55.930113, 2, pid=16175]
ipa_sam.c:3645(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: dupa
[2022/01/25 14:21:55.947759, 1, pid=16175]
../../source3/auth/check_samsec.c:454(check_sam_security)
Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED
[2022/01/25 14:21:55.947834, 2, pid=16175]
../../source3/auth/auth.c:348(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [dupa] -> [dupa] FAILED
with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2022/01/25 14:21:55.947889, 2, pid=16175]
../../auth/auth_log.c:653(log_authentication_event_human_readable)
Auth: [SMB2,(null)] user [INCCN]\[dupa] at [Tue, 25 Jan 2022
14:21:55.947867 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD]
workstation [CCN-dupa] remote host [ipv4:10.8.0.144:59930] mapped to
[INCCN]\[dupa]. local host [ipv4:10.8.0.1:445]
{"timestamp": "2022-01-25T14:21:55.948030+0000", "type":
"Authentication", "Authentication": {"version":
{"major": 1, "minor":
2}, "eventId": 4625, "logonId": "0", "logonType":
3, "status":
"NT_STATUS_WRONG_PASSWORD", "localAddress":
"ipv4:10.8.0.1:445",
"remoteAddress": "ipv4:10.8.0.144:59930",
"serviceDescription": "SMB2",
"authDescription": null, "clientDomain": "INCCN",
"clientAccount":
"dupa", "workstation": "CCN-dupa",
"becameAccount": null,
"becameDomain": null, "becameSid": null, "mappedAccount":
"dupa",
"mappedDomain": "INCCN", "netlogonComputer": null,
"netlogonTrustAccount": null, "netlogonNegotiateFlags":
"0x00000000",
"netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
"passwordType": "NTLMv2", "duration": 24664}}
thanks, L.