On Mon, 21 Dec 2020, lejeczek via FreeIPA-users wrote:


> On 21/12/2020 21:07, Alexander Bokovoy wrote:
> > On Mon, 21 Dec 2020, lejeczek via FreeIPA-users wrote:
> > > hi gents
> > >
> > > Longish time ago, I think more than a year, I asked and got a
> > > succinct reply about ways to access IPA's integrated Samba from
> > > non-member Win clients.
> > > If I remember correctly it was possible - answer was by I think one
> > > of you IPA devels - for one version of IPA (with rhel/centos 7) and
> > > still is, to have such Win clients to access Samba, but on newer IPA
> > > it was not and at that time it was undecided - I was told - whether
> > > it was going to be "fixed" in future IPA releases.
> > >
> > > Is there more to shed light on now? Is or will there be a way in
> > > which IPA+Samba latest/future releases allow non-members?
> >
> > If by non-members Windows systems you understand Windows systems not
> > enrolled into any Active Directory deployment, then nothing did change
> > here. SMB protocol has two ways of authenticating users:
> >
> >  - with NTLM-based authentication, using a password-based
> >    challenge-response system as described in [MS-NLMP] specification
> >
> >  - with Kerberos tickets, the whole scheme is described in [MS-KILE]
> >    specification
> >
> > Non-enrolled Windows clients cannot authenticate with Kerberos against
> > FreeIPA as they have no real way to obtain user's Kerberos ticket
> > granting ticket (against what? what user?).
> >
> > NTLM-based authentication does not support any recent cryptographic
> > methods and uses message digest algorithms for integrity and RC4 cipher
> > for encryption. It is generally not advised for use due to known
> > security issues.
> >
> > In Fedora 31+ and RHEL 8 system-wide crypto policy denies the usage of
> > RC4 cipher in system crypto libraries unless system-wide crypto policy
> > is downgraded or a special AD-SUPPORT subpolicy is activated.
> >
> > In order to authenticate a user with NTLM-based approach, Samba file
> > server needs to know a hash of the user's credentials in RC4 format.
> > FreeIPA uses MIT Kerberos library facilities to generate RC4 hashes
> > stored in ipaNTHash attribute in user's entry. If MIT Kerberos library
> > does not allow generation of the hash due to system-wide policy, no RC4
> > hash will be available for the user stored in FreeIPA and no NTLM-based
> > authentication will be possible for the user in question.
>
> Would it be as simple as toggling in a "weak" crypto-policy and
> re/generating RC4 ipaNTHash? Or even easier would be to switch to RC4
> crypto policy prior to IPA deployment? Or none of above would work/help
> in IPA VERSION: 4.8.7, API_VERSION: 2.239 (centos 8.3) as those patches
> you talked of are not sewn in.

You can try and report. I would though suggest you to deploy a separate
test setup for that and then share findings in a ticket/bug open. I'd
like to see Samba logs of 'log level = 10' and 389-ds access log to see
whether ipasam module would try to retrieve ipaNTHash value.


> as a thought - I'm sure many of us regular users will be looking and
> hoping for a practical and ideally supported (to execute in orderly
> manner) way to make this work in our small isolated setups, even if
> that meant weaker cryptos.

I need help with clear step by step scenarios, network traces and debug
logs to be able to see where the issue could be and how it could be
fixed. Even though non-enrolled client is low in my priority list,
without these additional details it would be harder to scope amount of
work to fix (if any).



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
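An added example, not from this thread or from the FreeIPA project: a POSIX shell check of whether a crypto-policy krb5 backend still permits the arcfour-hmac-md5 (RC4) enctype, which is what decides whether MIT Kerberos can produce the ipaNTHash described above. It assumes the live backend is /etc/crypto-policies/back-ends/krb5.config with a "permitted_enctypes =" line; the two sample files are constructed, not copied from a host.

```shell
#!/bin/sh
# Check whether a crypto-policy krb5 backend permits the arcfour-hmac-md5 (RC4)
# enctype. FreeIPA generates ipaNTHash through MIT Kerberos, so when the policy
# denies RC4 no NT hash is stored and NTLM logons for that user cannot succeed.
# Assumption: the live file is /etc/crypto-policies/back-ends/krb5.config and
# lists the enctypes on a "permitted_enctypes =" line under [libdefaults].

rc4_permitted() {
    # $1: krb5 backend file; succeeds if arcfour-hmac-md5 is an allowed enctype
    grep -E '^[[:space:]]*permitted_enctypes[[:space:]]*=' "$1" \
        | grep -qE '(^|[[:space:]])arcfour-hmac-md5([[:space:]]|$)'
}

check_policy() {
    # $1: label for the policy, $2: backend file; prints a verdict, returns 0/1
    if rc4_permitted "$2"; then
        printf '%s: arcfour-hmac-md5 permitted, ipaNTHash can be generated\n' "$1"
        return 0
    fi
    printf '%s: RC4 denied, no ipaNTHash and no NTLM authentication\n' "$1"
    return 1
}

# Constructed samples approximating the krb5 backend for DEFAULT and for
# DEFAULT:AD-SUPPORT; they are not copied from a real host.
SAMPLE_DEFAULT=$(mktemp)
SAMPLE_AD=$(mktemp)
trap 'rm -f "$SAMPLE_DEFAULT" "$SAMPLE_AD"' EXIT
cat > "$SAMPLE_DEFAULT" <<'EOF'
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128
EOF
cat > "$SAMPLE_AD" <<'EOF'
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 arcfour-hmac-md5
EOF

check_policy "DEFAULT (sample)" "$SAMPLE_DEFAULT" || true
check_policy "DEFAULT:AD-SUPPORT (sample)" "$SAMPLE_AD" || true

# On a real host, check the active policy instead of the samples.
LIVE=/etc/crypto-policies/back-ends/krb5.config
if [ -r "$LIVE" ]; then
    check_policy "$(update-crypto-policies --show)" "$LIVE" || true
fi
```

A denied verdict on the live file explains an empty ipaNTHash before any Samba or 389-ds debugging is started.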
_______________________________________________
FreeIPA-users mailing list -- [email protected]