On 17/01/2022 16:06, Harry G. Coin via FreeIPA-users wrote:

On 1/17/22 05:30, lejeczek via FreeIPA-users wrote:
On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:
Hi guys.

I have an old - set up ~2 yrs ago - IPA domain which "survived" updates/upgrades till this day in such a way that the integrated Samba serves up under a different hostname/domain and serves non-enrolled clients (Win 10) too.

With a new deployment, 4.9.6, just adding things to DNS - which worked in that "old" domain - does _not_ do the trick. With only such "simple" DNS, Samba does respond, clients connect and get a password prompt, but Samba says: NT_STATUS_WRONG_PASSWORD

That - NT_STATUS_WRONG_PASSWORD - seems not to be an issue of my env but rather it is that non-enrolled clients, Linux & Windows, will fail even if trying a "legitimate" master's Samba.

Is that the default behaviour in the current version - as I mentioned, my "old" IPA, with updates/upgrades, allows non-enrolled - and if so, can it be managed into allowing non-enrolled clients?


Lately it seems so much of freeipa's developers' time is spent chasing Active Directory and related issues. When something 'breaks' a small business with a handful of windows boxes (maybe a mix of 'home' and 'professional' versions, and a mix of windows 7 or 8 or 10) sharing off of freeipa's samba instance with no domain capability, using very basic 'map network drive' and 'usernames and passwords' (entirely sufficient for most businesses, which are small and will never have money enough for a full time IT staff member), I wonder if the upgrades still test for that 'widely needed, not too technically exciting' setup.

I'm of that same mind and shared my thoughts on occasions such as this in the past.

That setup I did long ago was such that system policies needed to be 'LEGACY', and non-enrolled Linux & Win clients connected to IPA deployed that way - off the LEGACY - worked beautifully with Samba - so, not much hacking.

I understand there might be large customers with large ADs with IPA only glued somewhere next to it, but the rest of us, I imagine, must be like that - small deployments which mix everything and do _not_! need AD, and securities... are taken care of with all sorts of other means.

I saw during one upgrade 'CLASSIC IPA' - or something alike - migrated to 'IPA PRIMARY' or something like that. I'd imagine that was when the NEW installation changed so non-enrolled do not work now.

If I can vote, my vote shall go to - IPA devel re/consider changes to reintroduce (as an option) such a deployment mode where Samba would "weaken" the setup/config so all those non-enrolled customers can connect with _passwords_.

many thanks, L.




Log snippet off a master's Samba when non-enrolled Linux connects:

...

[2022/01/17 11:14:09.090933,  2, pid=35744] ipa_sam.c:3645(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: me254
[2022/01/17 11:14:09.099720,  1, pid=35744] ../../source3/auth/check_samsec.c:454(check_sam_security)
  Failed to modify entry: NT_STATUS_NOT_IMPLEMENTED
[2022/01/17 11:14:09.099758,  2, pid=35744] ../../source3/auth/auth.c:348(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [me254] -> [me254] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
[2022/01/17 11:14:09.099793,  2, pid=35744] ../../auth/auth_log.c:653(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user [CCN]\[me254] at [Mon, 17 Jan 2022 11:14:09.099772 GMT] with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [DRUNK] remote host [ipv4:10.0.0.6:55170] mapped to [CCN]\[me254]. local host [ipv4:10.0.0.16:445]
  {"timestamp": "2022-01-17T11:14:09.099858+0000", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.6:55170", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "CCN", "clientAccount": "me254", "workstation": "DRUNK", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "me254", "mappedDomain": "CCN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 12172}}
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
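The JSON record at the end of the log snippet above is Samba's machine-readable authentication audit event; it reuses the Windows logon event IDs (4625 = failed logon, 4624 = successful logon) and carries the status, the authentication method (passwordType) and the client's address. The following Python is an added example, not code from the thread or from FreeIPA/Samba, that pulls those records out of Samba log lines and lists the failed logons so the NT_STATUS_WRONG_PASSWORD cases can be counted per client host. The sample input is constructed: the first two lines are the failure quoted in the thread, the third is a made-up successful NTLMv2 logon for the same account so the filter has something to pass over; the assumption that the JSON object is the last thing on its line matches the snippet but is an assumption.

```python
"""Extract Samba JSON authentication audit events and report failed logons.

Added example for the mailing-list thread above; not Samba or FreeIPA code.
"""
import json
import re
from typing import Dict, List, Optional

# Samba's JSON audit records reuse the Windows logon event IDs.
EVENT_LOGON_SUCCESS = 4624
EVENT_LOGON_FAILURE = 4625

# Constructed sample input. Lines 1-2 are the failure quoted in the thread;
# line 3 is a constructed success for the same account (not from the thread).
SAMPLE_LOG = [
    '  Auth: [SMB2,(null)] user [CCN]\\[me254] at [Mon, 17 Jan 2022 11:14:09.099772 GMT] '
    'with [NTLMv2] status [NT_STATUS_WRONG_PASSWORD] workstation [DRUNK] '
    'remote host [ipv4:10.0.0.6:55170] mapped to [CCN]\\[me254]. local host [ipv4:10.0.0.16:445]',
    '  {"timestamp": "2022-01-17T11:14:09.099858+0000", "type": "Authentication", '
    '"Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, '
    '"logonId": "0", "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", '
    '"localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.6:55170", '
    '"serviceDescription": "SMB2", "authDescription": null, "clientDomain": "CCN", '
    '"clientAccount": "me254", "workstation": "DRUNK", "mappedAccount": "me254", '
    '"mappedDomain": "CCN", "passwordType": "NTLMv2", "duration": 12172}}',
    '  {"timestamp": "2022-01-17T11:20:41.000000+0000", "type": "Authentication", '
    '"Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, '
    '"logonId": "0", "logonType": 3, "status": "NT_STATUS_OK", '
    '"localAddress": "ipv4:10.0.0.16:445", "remoteAddress": "ipv4:10.0.0.7:50122", '
    '"serviceDescription": "SMB2", "authDescription": null, "clientDomain": "CCN", '
    '"clientAccount": "me254", "workstation": "ENROLLED1", "mappedAccount": "me254", '
    '"mappedDomain": "CCN", "passwordType": "NTLMv2", "duration": 3010}}',
]

# Assumption: the JSON object is the last thing on its log line, as in the
# snippet. The human-readable "Auth: ..." line carries no JSON and is skipped.
AUDIT_JSON_RE = re.compile(r'(\{"timestamp".*\})\s*$')


def parse_audit_event(line: str) -> Optional[Dict]:
    """Return the parsed 'Authentication' record from a log line, or None."""
    m = AUDIT_JSON_RE.search(line)
    if not m:
        return None
    try:
        rec = json.loads(m.group(1))
    except json.JSONDecodeError:
        return None
    if rec.get("type") != "Authentication" or "Authentication" not in rec:
        return None
    return rec


def summarize(rec: Dict) -> Dict:
    """Reduce one audit record to the fields an analyst looks at first."""
    auth = rec["Authentication"]
    remote = auth.get("remoteAddress") or ""
    # "ipv4:10.0.0.6:55170" -> "10.0.0.6"; leave other address forms untouched.
    host = remote.split(":")[1] if remote.startswith("ipv4:") else remote
    return {
        "time": rec.get("timestamp"),
        "account": f'{auth.get("clientDomain")}\\{auth.get("clientAccount")}',
        "workstation": auth.get("workstation"),
        "remote_host": host,
        "method": auth.get("passwordType"),
        "status": auth.get("status"),
        "failed": auth.get("eventId") == EVENT_LOGON_FAILURE,
    }


def failed_logons(lines: List[str]) -> List[Dict]:
    """All failed-logon (eventId 4625) summaries found in the given lines."""
    out = []
    for line in lines:
        rec = parse_audit_event(line)
        if rec is None:
            continue
        summary = summarize(rec)
        if summary["failed"]:
            out.append(summary)
    return out


def failures_by_host(lines: List[str]) -> Dict[str, int]:
    """Count failed logons per client host, e.g. to spot one client or a spray."""
    counts: Dict[str, int] = {}
    for s in failed_logons(lines):
        counts[s["remote_host"]] = counts.get(s["remote_host"], 0) + 1
    return counts


if __name__ == "__main__":
    for s in failed_logons(SAMPLE_LOG):
        print(f'{s["time"]} {s["account"]} from {s["remote_host"]} '
              f'({s["workstation"]}) via {s["method"]}: {s["status"]}')
    print(failures_by_host(SAMPLE_LOG))
```

Feeding the real log (for example `grep '"type": "Authentication"' /var/log/samba/log.smbd`) through `failed_logons` separates the non-enrolled clients' NTLMv2 failures from ordinary successful logons; a run of NT_STATUS_WRONG_PASSWORD from one host with the right password, as in the thread, then stands out from a genuine bad-password pattern spread over many hosts.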

