Hi,

We are seeing the same in our AD logs - "The following client performed a SASL 
(Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing 
(integrity verification)..." - and tried to mitigate this by changing from 
GSSAPI to GSS-SPNEGO in SSSD, but this makes no difference, AD keeps logging 
warnings. 

The logs do not originate from starting/stopping sssd, but rather from when 
this happens:

Dec 16 15:25:57  adcli[116149]: GSSAPI client step 1
Dec 16 15:25:57  adcli[116149]: GSSAPI client step 1
Dec 16 15:25:57  adcli[116149]: GSSAPI client step 1
Dec 16 15:25:57  adcli[116149]: GSSAPI client step 2

(from 'systemctl status sssd'). 

So even if sssd is configured to use GSS-SPNEGO, it seems to trigger adcli, 
which uses GSSAPI? 

regards, 
Adam





________________________________________
From: Sumit Bose [[email protected]]
Sent: 11 December 2019 15:55
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: How do new LDAP security recommendations from MS 
affect sssd clients?

On Wed, Dec 11, 2019 at 08:14:25AM -0500, Chris P. wrote:
> Just wondering if there is any more news regarding the patch for sssd to
> work with the new MS requirements?
> Currently I'm being notified that ALL linux servers are reporting this in
> the AD logs:
>
> "...client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind
> without requesting signing (integrity verification), or performed a simple
> bind over a clear text (non-SSL/TLS-encrypted) LDAP connection..."

Hi,

I forgot to send the patch to use LDAPS for review, I will do it soon.

In the meantime please check in the sssd-ldap man page whether the option
ldap_sasl_mech supports GSS-SPNEGO (recent versions of SSSD should).
In this case you can set

    ldap_sasl_mech = GSS-SPNEGO

in the [domain/...] section of sssd.conf and restart SSSD. Now the error
logs on the AD side should at least be gone for this host.

HTH

bye,
Sumit

>
> We are planning to test a sssd client with a patched AD server to see if
> this will break AD auth on our sssd clients, but wanted to see if a patch
> for sssd has been made available anywhere to use ldaps or ldap with sssd.
>
> Thanks,
> Chris

> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
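The two AD warning conditions quoted in this thread (a SASL bind that does not request signing, and a simple bind over a non-TLS connection) can both be read off sssd.conf before the domain controllers complain. The script below is an added example written for this page, not code from the SSSD project or from anyone in the thread. It parses a constructed sssd.conf, treats an explicit `ldap_sasl_mech = GSSAPI` (or, for the `ad` provider, the option being unset, which is assumed here to mean GSSAPI as it did when this thread was written) as "SASL bind without signing request", and treats an `ldap` provider doing a simple bind (`ldap_default_bind_dn` set, no SASL mechanism) against an `ldap://` URI without `ldap_id_use_start_tls = true` as "cleartext simple bind". The finding names and the sample domains are assumptions made for the example; it only inspects configuration, so it cannot see binds made by adcli, which Adam observed are separate from SSSD's own settings.

```python
import configparser
import sys

# Constructed sample sssd.conf for this example; not a config from the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = corp.example.com, legacy.example.com, simple.example.com, tls.example.com
services = nss, pam

[domain/corp.example.com]
id_provider = ad
ldap_sasl_mech = GSS-SPNEGO

[domain/legacy.example.com]
id_provider = ad
ldap_sasl_mech = GSSAPI

[domain/simple.example.com]
id_provider = ldap
ldap_uri = ldap://ldap.simple.example.com
ldap_default_bind_dn = cn=sssd,dc=simple,dc=example,dc=com
ldap_default_authtok = hunter2

[domain/tls.example.com]
id_provider = ldap
ldap_uri = ldaps://ldap.tls.example.com
ldap_default_bind_dn = cn=sssd,dc=tls,dc=example,dc=com
ldap_default_authtok = hunter2
"""

# Finding identifiers (names chosen for this example).
SASL_NO_SIGNING = "SASL_NO_SIGNING"
CLEARTEXT_SIMPLE_BIND = "CLEARTEXT_SIMPLE_BIND"

REMEDIATION = {
    SASL_NO_SIGNING: "set ldap_sasl_mech = GSS-SPNEGO in this [domain/...] section and restart sssd",
    CLEARTEXT_SIMPLE_BIND: "use an ldaps:// ldap_uri or set ldap_id_use_start_tls = true",
}


def parse_sssd_conf(text):
    """Parse sssd.conf text; interpolation is off because values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _is_true(value):
    return value.strip().lower() in ("true", "yes", "1")


def audit_domain(section):
    """Return the list of findings for one [domain/...] section."""
    findings = []
    provider = section.get("id_provider", "").strip().lower()
    if provider not in ("ad", "ldap"):
        return findings  # ipa, proxy, ... are out of scope for this check

    mech = section.get("ldap_sasl_mech", "").strip().upper()
    if not mech and provider == "ad":
        # Assumption: the AD provider bound with GSSAPI when ldap_sasl_mech was unset.
        mech = "GSSAPI"
    if mech == "GSSAPI":
        findings.append(SASL_NO_SIGNING)

    # ldap_uri is a comma/space separated list; ldaps:// does not match the ldap:// prefix.
    uris = [u.strip().lower() for u in section.get("ldap_uri", "").replace(",", " ").split()]
    cleartext_uris = [u for u in uris if u.startswith("ldap://")]
    simple_bind = not mech and section.get("ldap_default_bind_dn", "").strip() != ""
    start_tls = _is_true(section.get("ldap_id_use_start_tls", "false"))
    if simple_bind and cleartext_uris and not start_tls:
        findings.append(CLEARTEXT_SIMPLE_BIND)
    return findings


def audit(text):
    """Map every [domain/...] section name to its list of findings."""
    cp = parse_sssd_conf(text)
    return {name: audit_domain(cp[name]) for name in cp.sections() if name.startswith("domain/")}


if __name__ == "__main__":
    # Usage: audit_sssd.py [/etc/sssd/sssd.conf]; without a path the sample above is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSSD_CONF
    for domain, findings in audit(text).items():
        status = ", ".join(findings) if findings else "ok"
        print(f"{domain}: {status}")
        for f in findings:
            print(f"    -> {REMEDIATION[f]}")
```

Run it against /etc/sssd/sssd.conf on each Linux host that shows up in the AD warning events; a domain with no findings from this check that still produces warnings points at another LDAP client on the box (adcli in Adam's case) rather than at SSSD's own bind.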