On ke, 29 huhti 2020, lejeczek via FreeIPA-users wrote:
>
>
> On 16/01/2020 13:56, Alexander Bokovoy wrote:
>> On to, 16 tammi 2020, lejeczek via FreeIPA-users wrote:
>>> hi everybody.
>>>
>>> I see this subject might have been poked around many times, a couple
>>> of times at least for sure. But I thought I'd poke again and hopefully
>>> get some of the latest comments & thoughts on - how to make IPA's Samba
>>> allow password authentication to Win clients from outside of IPA/AD
>>> domains?
>>>
>>> Would there, by now, possibly be a semi-official (by the IPA team) way
>>> of getting there, since the subject first came up a longer while ago?
>>
>> This particular use case (non-enrolled Windows machines) is not
>> supported and not planned.
>>
>> There is no way right now, and with FreeIPA 4.8 we are closing down the
>> ability to generate RC4 hashes for user passwords, which means
>> non-Kerberos authentication will not work.
>>
>> There will be some work in future around replacing the NTLM method, at
>> least between open source projects. Both MIT Kerberos and Heimdal now
>> have support for the NegoEx extension, which allows tunnelling a
>> non-Kerberos authentication method between a client and a server, in
>> case you have another authentication source. There are no plugins that
>> utilize it yet, but Microsoft uses NegoEx to bind your Windows account
>> to your cloud account (live.com or some OIDC source) with the PKU2U
>> security package.
>>
>> In short, there might be means to explore these options, but they
>> aren't there yet.
>>
>>
> some time later... :)
> It seems that smbclient from a separate/disconnected IPA domain, from a
> master server of such a domain, can connect with no Kerberos; password
> auth works.
>
> $ smbclient -L //knives.priv.dom -Upriv.dom\\me
> Enter PRIV.DOM\me's password:
>
> Sharename Type Comment
> ...
> ...
>
> PRIV.DOM is ipa --version
> VERSION: 4.6.6, API_VERSION: 2.231
>
> That must make one wonder - if Linux Samba tools can do password auth
> to IPA's Samba, then Windows too must somehow be persuaded to do the
> same?
No, it would not, at least in the Windows UI. Windows _clients_ expect a
certain set of capabilities provided by the domain controller which
FreeIPA is not providing yet.
> Could it be a question of some policies/registries tuning &
> tweaking in such a way that this would work?
It is not about policies and tweaks, sorry.
is that obsolete and should be ignored?
That would not fix IPA's Samba to serve Win10 (non-AD mode) clients?
many thanks, L.