On Tue, 25 Jan 2022, lejeczek via FreeIPA-users wrote:
> Hi guys.
> If that is news for some, I'd like to share a finding: it is
> possible to have IPA-integrated Samba serving non-enrolled clients,
> both Linux & Windows, with passwords for authentication (which has
> long been, and will continue to be, a must-have for me).
> Question for @devel: the above I get simply by switching to 'LEGACY'.
> Is it possible to do that but only for IPA-Samba (+ whatever required
> bits) as opposed to system-wide?
> It would be great to have IPA capable of that; perhaps an
> "enhancement" for future releases.
FreeIPA is not a single application, so it is hard to apply that.
I wonder if DEFAULT:AD-SUPPORT would work for you too? Or something on
top of the AD-SUPPORT one? The following is what I have on Fedora 35:
$ cat /usr/share/crypto-policies/policies/modules/AD-SUPPORT.pmod
# AD-SUPPORT subpolicy is intended to be used in Active Directory
# environments where either accounts or trusted domain objects were not yet
# migrated to AES or future encryption types. Active Directory implicitly
# requires RC4 and MD5 (arcfour-hmac-md5) in Kerberos by default.
cipher@kerberos = RC4-128+
hash@kerberos = MD5+
Samba uses GnuTLS, so maybe expanding the @gnutls scope in a similar way
would work?
E.g., add /etc/crypto-policies/policies/modules/MY-MODULE.pmod that
includes
cipher@kerberos = RC4-128+
hash@kerberos = MD5+
cipher@gnutls = RC4-128+
hash@gnutls = MD5+
and then set the system-wide policy to DEFAULT:MY-MODULE.
This doesn't define it per application, but at least it limits the use of
insecure types to Kerberos and any application using GnuTLS.
I actually haven't tried this all.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
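To make the scoping argument above concrete, here is an added example (not crypto-policies' own code, nor anything from the thread) that models how a .pmod subpolicy such as the proposed MY-MODULE layers onto a base policy and then audits which key@scope lists end up permitting RC4/MD5. It assumes the module syntax that `key@scope = VALUE` replaces a list, a trailing `+` appends (as in `RC4-128+`) and a leading `-` removes; the base algorithm lists are constructed stand-ins, not the real DEFAULT policy.

```python
# Added example (not crypto-policies' own code): model how a .pmod subpolicy
# layers onto a base policy. Assumed syntax: `key@scope = VALUE` replaces the
# list, a trailing `+` appends (RC4-128+), a leading `-` removes. BASE_POLICY
# is a constructed stand-in with just enough scopes to show the effect is
# limited to kerberos and gnutls rather than applied system-wide.
BASE_POLICY = {
    "cipher@kerberos": ["AES-256-GCM", "AES-128-GCM"],
    "hash@kerberos": ["SHA2-256", "SHA2-384"],
    "cipher@gnutls": ["AES-256-GCM", "CHACHA20-POLY1305"],
    "hash@gnutls": ["SHA2-256", "SHA2-384"],
    "cipher@openssl": ["AES-256-GCM", "AES-128-GCM"],
}

# The MY-MODULE.pmod content proposed in the thread.
MY_MODULE = """\
cipher@kerberos = RC4-128+
hash@kerberos = MD5+
cipher@gnutls = RC4-128+
hash@gnutls = MD5+
"""

def apply_module(base: dict, pmod: str) -> dict:
    """Return a copy of `base` with the subpolicy text `pmod` layered on top."""
    policy = {k: list(v) for k, v in base.items()}
    for raw in pmod.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, _, rhs = line.partition("=")
        key, values = key.strip(), rhs.split()
        current = policy.setdefault(key, [])
        for value in values:
            if value.endswith("+"):           # append, keeping the existing list
                if value[:-1] not in current:
                    current.append(value[:-1])
            elif value.startswith("-"):       # remove a single algorithm
                current[:] = [a for a in current if a != value[1:]]
            else:                             # bare list: replace wholesale
                policy[key] = values
                break
    return policy

def scopes_allowing(policy: dict, algorithm: str) -> list:
    """Audit helper: which key@scope lists permit `algorithm` after the merge?"""
    return sorted(k for k, v in policy.items() if algorithm in v)

if __name__ == "__main__":
    merged = apply_module(BASE_POLICY, MY_MODULE)
    print("RC4-128 allowed in:", scopes_allowing(merged, "RC4-128"))
    print("MD5 allowed in:", scopes_allowing(merged, "MD5"))
```

Running it shows RC4-128 and MD5 appearing only in the kerberos and gnutls scopes, while the openssl scope keeps its original list, which is the containment the proposal relies on.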
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure