On 17/11/2022 15:09, Rob Crittenden via FreeIPA-users wrote:
> Rob Crittenden wrote:
>> Microsoft addressed a number of CVEs last week which introduced some
>> authentication issues. After installation of these patches, user
>> authentication on Linux systems integrated in Active Directory no longer
>> works and new systems are unable to join an AD domain that is managed by
>> domain controllers where these patches have been applied.
>> For more details see https://access.redhat.com/solutions/6985061 (open
>> to the public).
>> rob
>
> More detailed information on the issue from Alexander,
> https://www.redhat.com/en/blog/red-hat-enterprise-linux-and-microsoft-security-update-november-2022
Thanks team. A comment about the RHEL 9 encryption policies:
> Kerberos encryption types using SHA-1 algorithm to calculate a
> checksum were also disabled by default [in RHEL 9].
> This change also means there are no common encryption types for
> Active Directory interoperability [...]
Maybe I'm missing something, but I think this is only true when talking
about the FUTURE policy? The DEFAULT policy still has
aes*-cts-hmac-sha1-96 enabled:
# cat /usr/share/crypto-policies/DEFAULT/krb5.txt
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192
aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96
(I too have wondered why it's taken so long for MS to implement stronger
HMAC algorithms... and kill off RC4 once and for all...)
Regards,
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
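As an added example (not code from the thread, from crypto-policies or from any Red Hat tooling), the shell snippet below reads a krb5.txt-style policy fragment and reports which of its permitted_enctypes an Active Directory KDC can also negotiate, which is the check behind the DEFAULT-versus-FUTURE question above. The DEFAULT text is the one quoted in the message; the FUTURE text and the list of AD-negotiable enctypes are assumptions made for illustration, not copied from a live system.

```shell
#!/bin/sh
# Added example, not from the thread or from crypto-policies itself: read a
# krb5.txt-style fragment and report which permitted_enctypes an AD KDC can
# also use.

# Constructed input: the DEFAULT fragment as quoted in the message. The
# FUTURE fragment is an assumption for illustration, not from a real host.
DEFAULT_KRB5='[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96'

FUTURE_KRB5='[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128'

# Assumption: enctypes an AD domain controller will negotiate with a Linux
# member (AES with SHA-1 checksums, plus RC4). AD does not offer the
# SHA-2 based AES types.
AD_ENCTYPES='aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac'

# permitted_enctypes TEXT: print the policy's permitted enctypes, one per line.
permitted_enctypes() {
    printf '%s\n' "$1" \
        | sed -n 's/^permitted_enctypes[[:space:]]*=[[:space:]]*//p' \
        | tr ' ' '\n' | sed '/^$/d'
}

# common_enctypes TEXT: enctypes permitted by both the policy and AD,
# in the policy's preference order.
common_enctypes() {
    for e in $(permitted_enctypes "$1"); do
        for a in $AD_ENCTYPES; do
            if [ "$e" = "$a" ]; then printf '%s\n' "$e"; fi
        done
    done
    return 0
}

# ad_compatible TEXT: succeed if at least one common enctype exists.
ad_compatible() {
    [ -n "$(common_enctypes "$1")" ]
}

# report NAME TEXT: one-line summary per policy.
report() {
    printf '%s: common with AD: %s\n' "$1" "$(common_enctypes "$2" | tr '\n' ' ')"
    ad_compatible "$2" || printf '%s: no common enctypes, AD join and auth will fail\n' "$1"
}

report DEFAULT "$DEFAULT_KRB5"
report FUTURE "$FUTURE_KRB5"
```

On a real host the fragment to feed in is /usr/share/crypto-policies/<POLICY>/krb5.txt, where <POLICY> is whatever `update-crypto-policies --show` prints.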
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue