aha, adcli is used for the machine account password renewal, of course. I will try to disable that and get back to you.
This is on RHEL 8.1, btw. //Adam ________________________________________ From: Sumit Bose [[email protected]] Sent: 17 December 2019 07:29 To: [email protected] Subject: [SSSD-users] Re: How do new LDAP security recommendations from MS affect sssd clients? On Tue, Dec 17, 2019 at 06:18:21AM +0000, Winberg Adam wrote: > Hi, > > We are seeing the same in our AD logs - "The following client performed a > SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing > (integrity verification)..." - and tried to mitigate this by changing from > GSSAPI to GSS-SPNEGO in SSSD, but this makes no difference, AD keeps logging > warnings. > > The logs does not origin from starting/stopping sssd, but rather when this > happens: > > Dec 16 15:25:57 adcli[116149]: GSSAPI client step 1 > Dec 16 15:25:57 adcli[116149]: GSSAPI client step 1 > Dec 16 15:25:57 adcli[116149]: GSSAPI client step 1 > Dec 16 15:25:57 adcli[116149]: GSSAPI client step 2 > > (from 'systemctl status sssd'). > > So even if sssd is configured to use GSS-SPNEGO it seems to trigger adcli > which uses GSSAPI? Hi, yes, you are right. adcli does not inherit this option from SSSD but sets up the connection on its own. I'm working on a fix for adcli as well. Do I understand correctly that if you disable the renewal of the machine account password by setting ad_maximum_machine_account_password_age = 0 and use GSS-SPNEGO for SSSD there are no messages in the AD logs? bye, Sumit > > regards, > Adam > > > > > > ________________________________________ > From: Sumit Bose [[email protected]] > Sent: 11 December 2019 15:55 > To: End-user discussions about the System Security Services Daemon > Subject: [SSSD-users] Re: How do new LDAP security recommendations from MS > affect sssd clients? > > On Wed, Dec 11, 2019 at 08:14:25AM -0500, Chris P. wrote: > > Just wondering if there is any more news regarding the patch for sssd to > > work with the new MS requirements? > > Curerrently I'm being notified that ALL linux servers are reporting this in > > the AD logs: > > > > "...client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind > > without requesting signing (integrity verification), or performed a simple > > bind over a clear text (non-SSL/TLS-encrypted) LDAP connection..." > > Hi, > > I forgot to send the patch to use LDAPS for review, I will do it soon. > > In the meantime please check in the sssd-ldap man page if the option > ldap_sasl_mech supports GSS-SPNEGO (recent version of SSSD should do). > In this case you can set > > ldap_sasl_mech = GSS-SPNEGO > > in the [domain/...] section of sssd.conf and restart SSSD. Now the error > logs in the AD side should at least be gone for this host. > > HTH > > bye, > Sumit > > > > > We are planning to test a sssd client with a patched AD server to see if > > this will break AD auth on our sssd clients, but wanted to see if a patch > > for sssd has been made available anywhere to use ldaps or ldap with sssd. > > > > Thanks, > > Chris > > > _______________________________________________ > > sssd-users mailing list -- [email protected] > > To unsubscribe send an email to [email protected] > > Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > List Archives: > > https://lists.fedorahosted.org/archives/list/[email protected] > _______________________________________________ > sssd-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > _______________________________________________ > sssd-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
