On Fri, 18 Nov 2022, Sam Morris via FreeIPA-users wrote:
> On 17/11/2022 15:09, Rob Crittenden via FreeIPA-users wrote:
> > Rob Crittenden wrote:
> > > Microsoft addressed a number of CVEs last week which introduced some
> > > authentication issues. After installation of these patches, user
> > > authentication on Linux systems integrated in Active Directory no longer
> > > works and new systems are unable to join an AD domain that is managed by
> > > domain controllers where these patches have been applied.
> > > For more details see https://access.redhat.com/solutions/6985061 (open
> > > to the public).
> > > rob
> > More detailed information on the issue from Alexander,
> > https://www.redhat.com/en/blog/red-hat-enterprise-linux-and-microsoft-security-update-november-2022
> Thanks team. A comment about the RHEL 9 encryption policies:
> > Kerberos encryption types using SHA-1 algorithm to calculate a
> > checksum were also disabled by default [in RHEL 9].
> > This change also means there are no common encryption types for
> > Active Directory interoperability [...]
> Maybe I'm missing something, but I think this is only true when
> talking about the FUTURE policy? The DEFAULT policy still has
> aes*-cts-hmac-sha1-96 enabled:
> # cat /usr/share/crypto-policies/DEFAULT/krb5.txt
> [libdefaults]
> permitted_enctypes = aes256-cts-hmac-sha1-96
> aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
> aes128-cts-hmac-sha1-96

Sorry, it should have said FIPS. The default allows those two enctypes,
FIPS does not allow them. FIPS:AD-SUPPORT would have allowed them.

> (I too have wondered why it's taken so long for MS to implement
> stronger HMAC algorithms... and kill off RC4 once and for all...)

I hope for an improvement too. ;)
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
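The thread above turns on which Kerberos enctypes a crypto-policies krb5.txt actually permits. The following script is an added example (not part of the thread and not Red Hat's tooling): it parses a krb5.txt-style snippet, including values wrapped onto continuation lines as in the quoted cat output, and reports whether the AES+SHA-1 enctypes that Active Directory supports are still permitted. The DEFAULT text reproduces the output quoted in the thread; the FIPS and FIPS:AD-SUPPORT texts are constructed stand-ins for illustration, not copies of the real policy files.

```python
"""Check a crypto-policies krb5.txt snippet for AD-compatible Kerberos enctypes.

Added example for the FreeIPA-users thread; not Red Hat's tooling.
Policy texts other than DEFAULT are constructed stand-ins.
"""
from __future__ import annotations

import re

# AES enctypes with SHA-1 checksums: the ones AD domain controllers support.
AD_AES_SHA1_ENCTYPES = frozenset({
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
})
# AES enctypes with SHA-2 checksums (kept by RHEL 9's stricter policies).
AES_SHA2_ENCTYPES = frozenset({
    "aes256-cts-hmac-sha384-192",
    "aes128-cts-hmac-sha256-128",
})

# Reproduced from the cat output quoted in the thread.
DEFAULT_POLICY = """[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96
aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
aes128-cts-hmac-sha1-96
"""

# Constructed stand-in for a FIPS policy without the SHA-1 enctypes.
FIPS_POLICY_SAMPLE = """[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
"""

# Constructed stand-in for FIPS:AD-SUPPORT, which re-adds the SHA-1 enctypes.
FIPS_AD_SUPPORT_SAMPLE = """[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
    aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""


def parse_permitted_enctypes(policy_text: str) -> list[str]:
    """Return the permitted_enctypes list from the [libdefaults] section.

    Lines without '=' that follow the key are treated as continuation
    lines, which is how the value appears when wrapped in mail output.
    """
    section = None
    key = None
    values: list[str] = []
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, key = header.group(1), None
            continue
        if "=" in line:
            key, _, rest = line.partition("=")
            key = key.strip()
            if section == "libdefaults" and key == "permitted_enctypes":
                values.extend(rest.split())
            continue
        if section == "libdefaults" and key == "permitted_enctypes":
            values.extend(line.split())  # continuation of the wrapped value
    return values


def ad_interop_report(policy_text: str) -> dict:
    """Summarise whether the policy leaves any enctype in common with AD."""
    permitted = parse_permitted_enctypes(policy_text)
    ad_common = sorted(AD_AES_SHA1_ENCTYPES & set(permitted))
    return {
        "permitted": permitted,
        "ad_common": ad_common,
        "ad_ok": bool(ad_common),
    }


if __name__ == "__main__":
    for name, text in (("DEFAULT", DEFAULT_POLICY),
                       ("FIPS (sample)", FIPS_POLICY_SAMPLE),
                       ("FIPS:AD-SUPPORT (sample)", FIPS_AD_SUPPORT_SAMPLE)):
        report = ad_interop_report(text)
        status = "AD interop possible" if report["ad_ok"] else "NO common enctype with AD"
        print(f"{name}: {status}; common = {report['ad_common']}")
```

On a real host, feed the script the contents of /usr/share/crypto-policies/<POLICY>/krb5.txt for the policy in question rather than the constructed samples; the parse only looks at [libdefaults]/permitted_enctypes, which is the setting the thread is discussing.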
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]