On 1/17/22 11:08, lejeczek via FreeIPA-users wrote:
On 17/01/2022 16:06, Harry G. Coin via FreeIPA-users wrote:
On 1/17/22 05:30, lejeczek via FreeIPA-users wrote:
On 16/01/2022 20:25, lejeczek via FreeIPA-users wrote:
Hi guys.
I have an old - set up ~2 yrs ago - IPA domain which "survived"
updates/upgrades till this day in such a way that integrated Samba
serves up under different hostname/domain and serves non-enrolled
clients(win 10) too.
With new deployment, 4.9.6, just adding things to just DNS - which
worked in that "old" domain - does _not_ do the trick.
With only such "simple" DNS Samba does respond, clients connect and
get password prompt but Samba says: NT_STATUS_WRONG_PASSWORD
That - NT_STATUS_WRONG_PASSWORD - seems not an issue of my env but
rather it is, that non-enrolled clients, linux & windows will fail
even if trying a "legitimate" master's Samba.
Is that the default behavior in current version - as I mentioned my
"old" with up-dates/grades IPA allows non-enrolled - and if so can
it be managed into allowing non-enrolled clients?
Lately it seems so much of freeipa's developers time is spent chasing
Active Directory and related issues, when something 'breaks' 'a small
business with a handful of windows boxes (maybe a mix of 'home' and
'professional' versions, and a mix of windows 7 or 8 or 10) sharing
off of freeipa's samba instance with no domain capability, used very
basic 'map network dirve' and 'usernames and passwords' (entirely
sufficient for most businesses which are small and will never have
money enough for a full time IT staff member) I wonder if the
upgrades still test for that 'widely needed not too technically
exciting' setup.
I'm of that same mind and shared my thoughts on occasions such as this
in the past.
That setup I did long ago was such that system policies needed to be
'LEGACY' and non-enrolled Linux & win clients connected to IPA
deployed that way - off the LEGACY, worked beautifully with Samba -
so, not much hacking.
I understand there might be large customers with large ADs with IPA
only glued somewhere next to it but the rest of us I imagine must be
like that - small deployments which mixes everything and do _not_!
need AD, and securities... are taken of with all sorts of other means.
I saw during one upgrade 'CLASSIC IPA" - or something alike - migrated
to "IPA PRIMARY" or something like that. I'd imagine that was/when NEW
installation changed so non-enrolled do not work now.
If I can vote, my vote shall go to - IPA devel re/consider changes to
reintroduce (as an option) such a deployment mode where Samba would
"weaken" the setup/config so all those non-enrolled customers can
connect with _passwords_
many thanks, L.
I'm not even close to sure what it would look like exactly, but maybe
what we're seeing is the 'Large-Corp' 'MS-IBM-i-zation' of
redhat/freeipa fedora/centos and something like a 'rocky linux' version
of what freeipa does is called for. Most all the business in the world
is small business, while most of the money to pay developers does not
come from there. Large corporations want to own things and need
recurring revenue. Small business values tools that do the job and
prefer not to buy new tools until the old one breaks. Software does not
rust. So there's this disconnect. So very many businesses see nothing
in Windows 11 that helps them generate revenue that wasn't in Windows
7. I bet as more folks move to quickbooks 'on line' version the
justification for having windows systems at all in many small businesses
goes away now as linux based corporate workstations are completely
sufficient.
Bind is doing internally much of what freeipa's added dnssec aims for.
In small business, dns changes are infrequent so updating flat files and
the occasional 'rndc' command is enough for the bind interface
(bind-dns-ldap goes away) (An integrated dhcp server would be nice).
Samba has its own internal ldap server as I understand it. Maybe a
'roll of freeipa' where it's assumed samba will be the ad/dc (to the
extent one is needed anyhow, but it turns on ldap in samba and retires
the need for an external ns-slapd).
Something to think about.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
