On la, 02 loka 2021, James Szinger wrote:
On Sat, 2 Oct 2021 08:42:02 -0400
Demi Marie Obenour <demioben...@gmail.com> wrote:
How many of these can be solved by tunneling everything in a WireGuard
mesh network, and using nftables rules to prevent spoofing?
Sounds harder than setting up NIS+, which was supposed to solve many
of these issues 30 years ago, but still has not displaced NIS. Even
if one can secure NIS on the network, that still leaves the issue of
`ypcat passwd`.
These days, I think FreeIPA or Active Directory are the best choices,
but both are complicated and possibly too much for a SO/HO, workgroup,
or departmental sysadmin. AD has the advantage of supporting Windows,
MacOS, and Samba; the last time I looked FreeIPA was not good at this.
FreeIPA has integration with Samba (to run Samba file server on IPA
clients) for quite some time, around two years now. You need to run
'ipa-client-samba' tool on IPA client to set it up, that's all. This
will make Kerberos authentication work against smbd and partially
password authentication too.
See man page for ipa-client-samba(1) for more details and
https://freeipa.readthedocs.io/en/latest/designs/adtrust/samba-domain-member.html
for even more technical details.
Samba upstream is planning to eventually remove support for a standalone
domain controller without Kerberos (e.g. not Samba AD or IPA DC). Given
that NTLM authentication will eventually be disabled everywhere, until
we get something better for a standalone use case, Kerberos is there to
handle such cases. Both Samba AD and FreeIPA in Fedora are good to cover
them.
Critique of complexity of a general 'domain controller' setup is
warrant, of course. It is something that FreeIPA really tries to
address and for simple use cases we are almost there if you are using an
integrated approach where FreeIPA runs and configures all the pieces it
needs (DNS, CA, ...). At least a basic understanding of DNS and Kerberos
is still preferrable, of course. We need to improve in this area in
Fedora Server documentation...
NIS+ as a tooling for such configurations is even less secure than
relying on NTLM in SMB protocol.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
