On Tue, 15 Nov 2022, Sam Morris via FreeIPA-users wrote:
> On 14/11/2022 15:19, Rob Crittenden via FreeIPA-users wrote:
> > Microsoft addressed a number of CVEs last week which introduced some
> > authentication issues. After installation of these patches, user
> > authentication on Linux systems integrated in Active Directory no longer
> > works and new systems are unable to join an AD domain that is managed by
> > domain controllers where these patches have been applied.
> > For more details see https://access.redhat.com/solutions/6985061 (open
> > to the public).
> > rob
>
> Thanks for the heads up! :)
>
> I just tried a few tests against a patched domain controller (by
> overriding setting /etc/krb.conf -> [realms] -> DOMAIN.EXAMPLE.COM ->
> kdc). I'm able to use kinit to get a TGT and kvno to fetch some
> service tickets.
>
> Is that a valid test and/or have you got steps to reproduce the error
> against a patched domain controller on your side?
Things to check are mostly about trusted domain object credentials and
accounts with no RC4-HMAC keys. For example, if your user has no
RC4-HMAC keys, e.g. only AES keys exist, they'd fail.
Sumit tested SSSD on a directly enrolled system which only has AES keys.
Trawling social networks, I've gathered that AES-only deployments are broken
as well with the November update.
The msDS-SupportedEncryptionType set to 0x18 failing is a clear bug from
Microsoft: https://twitter.com/SteveSyfuhs/status/1590417822030917632
Steve says: "We have another update to the KB pending, with official
guidance and cause of the issue. More to follow."
There are more issues reported in that thread:
https://twitter.com/jmpsecurity/status/1590696212604538881
"Multiple environments with CIS baselines applied also break after this
update has been applied. I suspect it is the "Network security:
Configure encryption types allowed for Kerberos" set to not allow
"RC4_HMAC_MD5" that causes the issue. PKI is broken for example."
Steve in another thread:
https://twitter.com/SteveSyfuhs/status/1591119024959913986
"The issue is the absence of RC4 in the list. If that bit is not set,
things fall back to a weird state. If only AES bits are set, that weird
state conflicts with "AES only"."
and
https://twitter.com/SteveSyfuhs/status/1591127617071353856
"It's complicated, but it basically boils down to the RC4 bit being used
as a signal of whether it should use a preferred cipher list or a legacy
interop list in a specific section of code."
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
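A small triage helper, added here as an example and not code from this thread, FreeIPA or SSSD: it decodes the msDS-SupportedEncryptionTypes bitmask (bit values as documented in MS-KILE section 2.2.7) and flags objects that have AES bits set but no RC4-HMAC bit, which is the state the thread reports as failing after the November update (0x18 being the value named above). The DNs and attribute values in the sample list are constructed, not taken from any real directory; in practice the pairs would come from an LDAP search for that attribute on the trust, user and computer objects you care about.

```python
"""Decode msDS-SupportedEncryptionTypes and flag AES-only objects.

Bit values follow MS-KILE section 2.2.7. The classification mirrors the
thread's observation: objects whose value has only AES bits (no RC4 bit)
are the ones that fail against a November-2022-patched DC.
"""

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7).
ENC_TYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
    0x20: "AES256-CTS-HMAC-SHA1-96-SK",
}
RC4_BIT = 0x04
AES_BITS = 0x08 | 0x10 | 0x20


def decode_enc_types(value):
    """Return the enctype names encoded in a bitmask (None -> [])."""
    if value is None:
        return []
    return [name for bit, name in sorted(ENC_TYPE_BITS.items()) if value & bit]


def classify(value):
    """Classify one object's msDS-SupportedEncryptionTypes value.

    "unset"         - attribute absent, the KDC applies its default
    "aes-only"      - AES bit(s) set, RC4 bit clear: the failing case
    "rc4-present"   - RC4 bit set, with or without AES
    "no-aes-no-rc4" - zero or DES-only bits
    """
    if value is None:
        return "unset"
    if value & RC4_BIT:
        return "rc4-present"
    if value & AES_BITS:
        return "aes-only"
    return "no-aes-no-rc4"


def triage(entries):
    """Given (dn, value) pairs, return the DNs classified as aes-only."""
    return [dn for dn, value in entries if classify(value) == "aes-only"]


# Constructed sample entries (hypothetical DNs, values as plain ints).
SAMPLE_ENTRIES = [
    ("CN=ipa-trust$,CN=Users,DC=example,DC=com", 0x18),  # AES128+AES256 only
    ("CN=srv01,CN=Computers,DC=example,DC=com", 0x1C),  # RC4 + AES
    ("CN=legacy,CN=Users,DC=example,DC=com", None),     # attribute absent
    ("CN=svc-aes,CN=Users,DC=example,DC=com", 0x10),    # AES256 only
]

if __name__ == "__main__":
    for dn, value in SAMPLE_ENTRIES:
        print(f"{dn}: {classify(value):14s} {decode_enc_types(value)}")
    print("likely affected:", triage(SAMPLE_ENTRIES))
```

The "unset" case is reported separately rather than treated as safe, since what the KDC does for an absent attribute depends on the DC's own configuration and patch level, which the thread does not pin down.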
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue