On Tue, 2017-01-03 at 09:42 -0500, Stephen Gallagher wrote:
> On 12/29/2016 09:03 AM, Jakub Hrozek wrote:
> >> If I configure the server to enforce STARTTLS is SSSD "smart enough" to
> >> work with that if I use sssd-ad or would I need to go the LDAP+Kerberos
> >> route in order to configure some of the TLS-related settings?
> >>
> >
> > The gssapi authentication is by default and cannot even be changed with
> > sssd-ad.
> >
>
> Just to clarify here: the GSSAPI used by SSSD also provides encrypted
> communication. You do not need to enable TLS as well (and I think SSSD will
> just ignore that option in this case).

To add to that, although our libraries will allow it, Windows systems refuse to do GSSAPI encryption over a TLS channel, so do not try to use both.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
