On Tue, 25 Jan 2022, lejeczek via FreeIPA-users wrote:
Hi guys.

If that can be news for some, I'd like to share a finding: it's possible to have IPA-integrated Samba serving non-enrolled clients, both Linux & Windows, with passwords for authentication. (Which has long been, and will continue to be, a must-have for me.)

Question for @devel - the above I get simply by switching to 'LEGACY' - is it possible to do that but only for IPA-Samba (+ whatever required bits) as opposed to system-wide?

It would be great to have IPA capable of that - perhaps an "enhancement" to future releases.

FreeIPA is not a single application, so it is hard to apply that.

I wonder if DEFAULT:AD-SUPPORT would work for you too? Or something on
top of AD-SUPPORT one? The following is what I have on Fedora 35:

$ cat /usr/share/crypto-policies/policies/modules/AD-SUPPORT.pmod
# AD-SUPPORT subpolicy is intended to be used in Active Directory
# environments where either accounts or trusted domain objects were not yet
# migrated to AES or future encryption types. Active Directory implicitly
# requires RC4 and MD5 (arcfour-hmac-md5) in Kerberos by default.

cipher@kerberos = RC4-128+
hash@kerberos = MD5+

Samba uses GnuTLS, so maybe expanding the @gnutls scope in a similar way
would work?

E.g., add /etc/crypto-policies/policies/modules/MY-MODULE.pmod that
includes

cipher@kerberos = RC4-128+
hash@kerberos = MD5+
cipher@gnutls = RC4-128+
hash@gnutls = MD5+

and then set the system-wide policy to use DEFAULT:MY-MODULE.

This doesn't define it per application, but at least it limits the use of
insecure types to Kerberos and any application using GnuTLS.

I actually haven't tried this all.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
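An added example, not from the thread or the crypto-policies project: it writes the MY-MODULE sub-policy Alexander sketches and, before applying it, checks that every directive carries a backend scope, so the RC4/MD5 relaxation stays limited to Kerberos and GnuTLS instead of becoming a system-wide LEGACY. The MODULE_DIR variable and the function names are assumptions; the `update-crypto-policies --set/--show` commands are the real tool's.

```bash
#!/usr/bin/env bash
# Example helper for the approach in the thread (not project code).
# MODULE_DIR is an assumption so the module can be dry-run in a scratch
# directory; the real location is /etc/crypto-policies/policies/modules.

MODULE_NAME="MY-MODULE"

# write_module DIR : create DIR/MY-MODULE.pmod with the scoped directives
# from the thread and print the resulting path.
write_module() {
    local dir="$1"
    mkdir -p "$dir"
    cat > "$dir/$MODULE_NAME.pmod" <<'EOF'
# MY-MODULE: allow RC4/MD5 only for Kerberos (as AD-SUPPORT does) and for
# GnuTLS (used by Samba), not for every backend as LEGACY would.
cipher@kerberos = RC4-128+
hash@kerberos = MD5+
cipher@gnutls = RC4-128+
hash@gnutls = MD5+
EOF
    printf '%s\n' "$dir/$MODULE_NAME.pmod"
}

# unscoped_directives FILE : print directives lacking an @backend scope; an
# unscoped "cipher = RC4-128+" would widen weak algorithms to every library.
# Empty output means the module is safe to apply in that respect.
unscoped_directives() {
    grep -vE '^[[:space:]]*(#|$)' "$1" \
        | grep -vE '^[[:alnum:]_]+@[[:alnum:]_-]+[[:space:]]*=' || true
}

# weakened_backends FILE : list the backends the module relaxes, one per line.
weakened_backends() {
    grep -oE '^[[:alnum:]_]+@[[:alnum:]_-]+' "$1" | cut -d@ -f2 | sort -u
}

# main : write the module, refuse to apply it if anything is unscoped, then
# apply it where update-crypto-policies exists (needs root) or print the command.
main() {
    local dir="${MODULE_DIR:-/etc/crypto-policies/policies/modules}" f
    f=$(write_module "$dir")
    if [ -n "$(unscoped_directives "$f")" ]; then
        echo "refusing: these directives would apply system-wide:" >&2
        unscoped_directives "$f" >&2
        return 1
    fi
    echo "backends relaxed by $MODULE_NAME: $(weakened_backends "$f" | tr '\n' ' ')"
    if command -v update-crypto-policies >/dev/null 2>&1; then
        update-crypto-policies --set "DEFAULT:$MODULE_NAME" && update-crypto-policies --show
    else
        echo "apply with: update-crypto-policies --set DEFAULT:$MODULE_NAME"
    fi
}
```

Source the file and run `MODULE_DIR=$(mktemp -d) main` to dry-run against a scratch directory; run `main` as root to write the real module and switch the policy.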