hi everybody.
I see this subject might have been poked around many times, a couple of times at least for sure. But I thought I'd poke again and hopefully get some recent comments & thoughts on how to make IPA's Samba allow password authentication for Windows clients from outside of IPA/AD domains.
Would there, by now, possibly be a semi-official (by the IPA team) way of getting there, since the subject first came up quite a while ago?
many thanks, L.
On Thu, 16 Jan 2020, lejeczek via FreeIPA-users wrote:
This particular use case (non-enrolled Windows machines) is not supported and not planned.
There is no way right now, and with FreeIPA 4.8 we are closing down the ability to generate RC4 hashes for user passwords, which means non-Kerberos authentication will not work.
There will be some work in the future around replacing the NTLM method, at least between open source projects. Both MIT Kerberos and Heimdal now support the NegoEx extension, which allows tunnelling a non-Kerberos authentication method between a client and a server in case you have another authentication source. There are no plugins that utilize it yet, but Microsoft uses NegoEx to bind your Windows account to your cloud account (live.com or some OIDC source) with the PKU2U security package.
In short, there might be means to explore these options, but they aren't there yet.
On 16/01/2020 13:56, Alexander Bokovoy wrote:
Many thanks for clarifying all this.
On a related subject: since Samba got "integrated" with 'ipa-adtrust-install', can it be un-integrated later at any time without any impact on IPA, and if yes, then how?
On 16/01/2020 13:56, Alexander Bokovoy wrote:
Some time later... :) It seems that smbclient from a separate/disconnected IPA domain, run from a master server of that domain, can connect with no Kerberos; password auth works.
$ smbclient -L //knives.priv.dom -Upriv.dom\me
Enter PRIV.DOM\me's password:
Sharename Type Comment
... ...
PRIV.DOM is:
$ ipa --version
VERSION: 4.6.6, API_VERSION: 2.231
That must make one wonder: if Linux Samba tools can do password auth to IPA's Samba, then Windows too must somehow be persuadable to do the same? Could it be a question of some policies/registry tuning & tweaking in such a way that this would work?
many thanks, L.
On Wed, 29 Apr 2020, lejeczek via FreeIPA-users wrote:
That must make one wonder: if Linux Samba tools can do password auth to IPA's Samba, then Windows too must somehow be persuadable to do the same?
No, it would not, at least in the Windows UI. Windows _clients_ expect a certain set of capabilities provided by the domain controller which FreeIPA is not providing yet.
Could it be a question of some policies/registry tuning & tweaking in such a way that this would work?
It is not about policies and tweaks, sorry.
On 29/04/2020 18:20, Alexander Bokovoy wrote:
And this: https://www.freeipa.org/page/Windows_authentication_against_FreeIPA - is that obsolete and should be ignored? That would not fix IPA's Samba to serve Win10 (non-AD mode) clients?
many thanks, L.
On Wed, 29 Apr 2020, lejeczek via FreeIPA-users wrote:
Correct. Even if sometimes people claim it is working, it is definitely not something we would be willing to support. As I said, with FreeIPA 4.8 the whole NTLM story is gone for users already, so only Kerberos authentication is going to be present until we create a new secure mechanism.
freeipa-users@lists.fedorahosted.org