[Freeipa-users] Re: Microsoft November 2022 updates breaks Active Directory integration

2022-11-18 Thread Alexander Bokovoy via FreeIPA-users

On Fri, 18 Nov 2022, Sam Morris via FreeIPA-users wrote:

> On 17/11/2022 15:09, Rob Crittenden via FreeIPA-users wrote:
>> Rob Crittenden wrote:
>>> Microsoft addressed a number of CVEs last week which introduced some
>>> authentication issues. After installation of these patches, user
>>> authentication on Linux systems integrated in Active Directory no longer
>>> works and new systems are unable to join an AD domain that is managed by
>>> domain controllers where these patches have been applied.
>>>
>>> For more details see https://access.redhat.com/solutions/6985061 (open
>>> to the public).
>>>
>>> rob
>>
>> More detailed information on the issue from Alexander,
>> https://www.redhat.com/en/blog/red-hat-enterprise-linux-and-microsoft-security-update-november-2022
>
> Thanks team. A comment about the RHEL 9 encryption policies:
>
>> Kerberos encryption types using SHA-1 algorithm to calculate a
>> checksum were also disabled by default [in RHEL 9].
>
>> This change also means there are no common encryption types for
>> Active Directory interoperability [...]
>
> Maybe I'm missing something, but I think this is only true when
> talking about the FUTURE policy? The DEFAULT policy still has
> aes*-cts-hmac-sha1-96 enabled:
>
> # cat /usr/share/crypto-policies/DEFAULT/krb5.txt
> [libdefaults]
> permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96


Sorry, it should have said FIPS. The default allows those two enctypes,
FIPS does not allow them. FIPS:AD-SUPPORT would have allowed them.



> (I too have wondered why it's taken so long for MS to implement
> stronger HMAC algorithms... and kill off RC4 once and for all...)


I hope for an improvement too. ;)

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: Microsoft November 2022 updates breaks Active Directory integration

2022-11-18 Thread Sam Morris via FreeIPA-users

On 17/11/2022 15:09, Rob Crittenden via FreeIPA-users wrote:
> Rob Crittenden wrote:
>> Microsoft addressed a number of CVEs last week which introduced some
>> authentication issues. After installation of these patches, user
>> authentication on Linux systems integrated in Active Directory no longer
>> works and new systems are unable to join an AD domain that is managed by
>> domain controllers where these patches have been applied.
>>
>> For more details see https://access.redhat.com/solutions/6985061 (open
>> to the public).
>>
>> rob
>
> More detailed information on the issue from Alexander,
> https://www.redhat.com/en/blog/red-hat-enterprise-linux-and-microsoft-security-update-november-2022


Thanks team. A comment about the RHEL 9 encryption policies:

> Kerberos encryption types using SHA-1 algorithm to calculate a
> checksum were also disabled by default [in RHEL 9].

> This change also means there are no common encryption types for
> Active Directory interoperability [...]


Maybe I'm missing something, but I think this is only true when talking 
about the FUTURE policy? The DEFAULT policy still has 
aes*-cts-hmac-sha1-96 enabled:


# cat /usr/share/crypto-policies/DEFAULT/krb5.txt
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96


(I too have wondered why it's taken so long for MS to implement stronger 
HMAC algorithms... and kill off RC4 once and for all...)


Regards,

--
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9


[Freeipa-users] Re: Microsoft November 2022 updates breaks Active Directory integration

2022-11-17 Thread Rob Crittenden via FreeIPA-users
Rob Crittenden wrote:
> Microsoft addressed a number of CVEs last week which introduced some
> authentication issues. After installation of these patches, user
> authentication on Linux systems integrated in Active Directory no longer
> works and new systems are unable to join an AD domain that is managed by
> domain controllers where these patches have been applied.
> 
> For more details see https://access.redhat.com/solutions/6985061 (open
> to the public).
> 
> rob
> 

More detailed information on the issue from Alexander,
https://www.redhat.com/en/blog/red-hat-enterprise-linux-and-microsoft-security-update-november-2022

rob


[Freeipa-users] Re: Microsoft November 2022 updates breaks Active Directory integration

2022-11-15 Thread Alexander Bokovoy via FreeIPA-users

On Tue, 15 Nov 2022, Sam Morris via FreeIPA-users wrote:

> On 14/11/2022 15:19, Rob Crittenden via FreeIPA-users wrote:
>> Microsoft addressed a number of CVEs last week which introduced some
>> authentication issues. After installation of these patches, user
>> authentication on Linux systems integrated in Active Directory no longer
>> works and new systems are unable to join an AD domain that is managed by
>> domain controllers where these patches have been applied.
>>
>> For more details see https://access.redhat.com/solutions/6985061 (open
>> to the public).
>>
>> rob
>
> Thanks for the heads up! :)
>
> I just tried a few tests against a patched domain controller (by
> overriding setting /etc/krb.conf -> [realms] -> DOMAIN.EXAMPLE.COM ->
> kdc). I'm able to use kinit to get a TGT and kvno to fetch some
> service tickets.
>
> Is that a valid test and/or have you got steps to reproduce the error
> against a patched domain controller on your side?


Things to check are mostly about trusted domain object credentials and
accounts with no RC4-HMAC keys. For example, if your user has no
RC4-HMAC keys, e.g. only AES keys exist, they'd fail.

Sumit tested SSSD on a directly enrolled system which only has AES keys.

Trawling social networks, I've got that AES-only deployments are broken
as well with the November update.

The msDS-SupportedEncryptionTypes set to 0x18 failing is a clear bug from
Microsoft: https://twitter.com/SteveSyfuhs/status/1590417822030917632

Steve says: "We have another update to the KB pending, with official
guidance and cause of the issue. More to follow."

There are more issues reported in that thread:
https://twitter.com/jmpsecurity/status/1590696212604538881
"Multiple environments with CIS baselines applied also break after this
update has been applied. I suspect it is the "Network security:
Configure encryption types allowed for Kerberos" set to not allow
"RC4_HMAC_MD5" that causes the issue. PKI is broken for example."

Steve in another thread:
https://twitter.com/SteveSyfuhs/status/1591119024959913986
"The issue is the absence of RC4 in the list. If that bit is not set,
things fall back to a weird state. If only AES bits are set, that weird
state conflicts with "AES only"."

and

https://twitter.com/SteveSyfuhs/status/1591127617071353856
"It's complicated, but it basically boils down to the RC4 bit being used
as a signal of whether it should use a preferred cipher list or a legacy
interop list in a specific section of code."




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
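An added example, not code from this thread or from Red Hat: it decodes the msDS-SupportedEncryptionTypes bitmask discussed above (0x18 is AES128 + AES256 with the RC4 bit clear) and intersects the result with the permitted_enctypes of a crypto-policies krb5.txt, which is also the DEFAULT-versus-FIPS question raised in the 18 November reply. The bit values are the ones MS-KILE defines; the DEFAULT snippet copies the krb5.txt shown in the thread, while the FIPS_LIKE snippet is constructed here from the thread's statement that FIPS drops the SHA-1 enctypes.

```python
from typing import Dict, List, Set

# msDS-SupportedEncryptionTypes bit values as defined in MS-KILE.
MSDS_ENCTYPE_BITS: Dict[int, str] = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

# Constructed policy snippets: DEFAULT copies the krb5.txt quoted in the
# thread; FIPS_LIKE is a hypothetical FIPS-style list without the SHA-1
# enctypes, following the thread's remark that FIPS does not allow them.
DEFAULT_KRB5_TXT = """[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96
"""
FIPS_LIKE_KRB5_TXT = """[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
"""


def decode_supported_enctypes(value: int) -> Set[str]:
    """Map the AD bitmask to enctype names; bits not in the table are ignored."""
    return {name for bit, name in MSDS_ENCTYPE_BITS.items() if value & bit}


def is_aes_only(value: int) -> bool:
    """True for masks such as 0x18 (AES bits set, DES/RC4 bits clear),
    the account configuration the thread reports as failing after the update."""
    return bool(value & 0x18) and not (value & 0x07)


def parse_permitted_enctypes(krb5_txt: str) -> Set[str]:
    """Collect the values of permitted_enctypes from a krb5.txt fragment."""
    tokens: List[str] = []
    for line in krb5_txt.splitlines():
        key, sep, rest = line.partition("=")
        if sep and key.strip() == "permitted_enctypes":
            tokens.extend(rest.split())
    return set(tokens)


def common_enctypes(value: int, krb5_txt: str) -> Set[str]:
    """Enctypes usable by both sides; empty means no common enctype with that account."""
    return decode_supported_enctypes(value) & parse_permitted_enctypes(krb5_txt)


if __name__ == "__main__":
    for mask in (0x18, 0x1C):
        print(f"0x{mask:02x}: aes_only={is_aes_only(mask)}, "
              f"DEFAULT={sorted(common_enctypes(mask, DEFAULT_KRB5_TXT))}, "
              f"FIPS_LIKE={sorted(common_enctypes(mask, FIPS_LIKE_KRB5_TXT))}")
```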


[Freeipa-users] Re: Microsoft November 2022 updates breaks Active Directory integration

2022-11-15 Thread Sam Morris via FreeIPA-users

On 14/11/2022 15:19, Rob Crittenden via FreeIPA-users wrote:
> Microsoft addressed a number of CVEs last week which introduced some
> authentication issues. After installation of these patches, user
> authentication on Linux systems integrated in Active Directory no longer
> works and new systems are unable to join an AD domain that is managed by
> domain controllers where these patches have been applied.
>
> For more details see https://access.redhat.com/solutions/6985061 (open
> to the public).
>
> rob


Thanks for the heads up! :)

I just tried a few tests against a patched domain controller (by 
overriding setting /etc/krb.conf -> [realms] -> DOMAIN.EXAMPLE.COM -> 
kdc). I'm able to use kinit to get a TGT and kvno to fetch some service 
tickets.


Is that a valid test and/or have you got steps to reproduce the error 
against a patched domain controller on your side?


Regards,

--
Sam Morris 
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9


[Freeipa-users] Re: Microsoft November 2022 updates breaks Active Directory integration

2022-11-14 Thread Ronald Wimmer via FreeIPA-users

On 14.11.22 16:19, Rob Crittenden via FreeIPA-users wrote:
> Microsoft addressed a number of CVEs last week which introduced some
> authentication issues. After installation of these patches, user
> authentication on Linux systems integrated in Active Directory no longer
> works and new systems are unable to join an AD domain that is managed by
> domain controllers where these patches have been applied.
>
> For more details see https://access.redhat.com/solutions/6985061 (open
> to the public).


Thanks a lot for the info!

Cheers,
Ronald