I can confirm that the warning messages in our AD logs are indeed gone after 
setting

    ad_maximum_machine_account_password_age = 0

I would really like SSSD to update the machine account password however, so I 
look forward to the adcli fix. 

Thanks!

//Adam
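The thread settles on two sssd.conf settings per AD domain: ldap_sasl_mech = GSS-SPNEGO so SSSD's own LDAP binds request signing, and ad_maximum_machine_account_password_age = 0 so SSSD stops invoking adcli, which (as Sumit notes below) builds its own GSSAPI connection and triggers the AD warning regardless of the SSSD setting. The following audit script is an added example, not SSSD or adcli project code; it checks every [domain/...] section of an sssd.conf for both settings. The sample configuration is constructed for the example, and the fallback defaults (GSSAPI, 30 days) are assumptions taken from the sssd-ldap and sssd-ad man pages rather than anything stated in the thread.

```python
"""Audit sssd.conf for the two AD LDAP-signing workarounds discussed in the thread.

Added example, not SSSD project code. Defaults and sample data are assumptions.
"""
import configparser

# Constructed sample sssd.conf with three AD domains in different states.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = legacy.example.com, partial.example.com, hardened.example.com

[domain/legacy.example.com]
id_provider = ad
# No ldap_sasl_mech: SSSD falls back to GSSAPI, and machine account
# password renewal via adcli runs at its default interval.

[domain/partial.example.com]
id_provider = ad
ldap_sasl_mech = GSS-SPNEGO
# SSSD's own binds now use GSS-SPNEGO, but the periodic adcli renewal
# still sets up its own GSSAPI bind, which AD logs as unsigned.

[domain/hardened.example.com]
id_provider = ad
ldap_sasl_mech = GSS-SPNEGO
ad_maximum_machine_account_password_age = 0
"""

# Assumed defaults (sssd-ldap and sssd-ad man pages), used when an option is absent.
DEFAULT_SASL_MECH = "GSSAPI"
DEFAULT_MACHINE_PW_AGE_DAYS = "30"

ISSUE_SASL_MECH = "sasl_mech_not_gss_spnego"
ISSUE_RENEWAL = "machine_account_renewal_enabled"


def audit_sssd_conf(text):
    """Return {section_name: [issue, ...]} for every [domain/...] section.

    An empty list means the section carries both workarounds from the thread:
    ldap_sasl_mech = GSS-SPNEGO and ad_maximum_machine_account_password_age = 0.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)

    findings = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        opts = parser[section]
        mech = opts.get("ldap_sasl_mech", DEFAULT_SASL_MECH).strip()
        age = opts.get("ad_maximum_machine_account_password_age",
                       DEFAULT_MACHINE_PW_AGE_DAYS).strip()

        issues = []
        # Normalise case for the comparison only.
        if mech.upper() != "GSS-SPNEGO":
            issues.append(ISSUE_SASL_MECH)
        # Any non-zero age means SSSD will periodically run adcli, which
        # does not inherit ldap_sasl_mech and binds with GSSAPI on its own.
        if age != "0":
            issues.append(ISSUE_RENEWAL)
        findings[section] = issues
    return findings


def report(findings):
    """Render findings as one line per domain, suitable for collecting fleet-wide."""
    lines = []
    for section, issues in sorted(findings.items()):
        status = "OK" if not issues else "WARN " + ",".join(issues)
        lines.append(f"{section}: {status}")
    return lines


if __name__ == "__main__":
    for line in report(audit_sssd_conf(SAMPLE_SSSD_CONF)):
        print(line)
```

Run it against /etc/sssd/sssd.conf on each host (the file is root-readable only) and collect the WARN lines; a domain that only reports machine_account_renewal_enabled is the case Adam describes, where SSSD itself is fixed but the adcli renewal still shows up in the AD logs.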


________________________________________
From: Winberg Adam [[email protected]]
Sent: 17 December 2019 07:33
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: How do new LDAP security recommendations from MS 
affect sssd clients?

aha, adcli is used for the machine account password renewal, of course. I will 
try to disable that and get back to you.

This is on RHEL 8.1, btw.

//Adam

________________________________________
From: Sumit Bose [[email protected]]
Sent: 17 December 2019 07:29
To: [email protected]
Subject: [SSSD-users] Re: How do new LDAP security recommendations from MS 
affect sssd clients?

On Tue, Dec 17, 2019 at 06:18:21AM +0000, Winberg Adam wrote:
> Hi,
>
> We are seeing the same in our AD logs - "The following client performed a 
> SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing 
> (integrity verification)..." - and tried to mitigate this by changing from 
> GSSAPI to GSS-SPNEGO in SSSD, but this makes no difference, AD keeps logging 
> warnings.
>
> The logs do not originate from starting/stopping sssd, but rather from when this 
> happens:
>
> Dec 16 15:25:57  adcli[116149]: GSSAPI client step 1
> Dec 16 15:25:57  adcli[116149]: GSSAPI client step 1
> Dec 16 15:25:57  adcli[116149]: GSSAPI client step 1
> Dec 16 15:25:57  adcli[116149]: GSSAPI client step 2
>
> (from 'systemctl status sssd').
>
> So even if sssd is configured to use GSS-SPNEGO it seems to trigger adcli 
> which uses GSSAPI?

Hi,

yes, you are right. adcli does not inherit this option from SSSD but
sets up the connection on its own. I'm working on a fix for adcli as
well.

Do I understand correctly that if you disable the renewal of the machine
account password by setting

    ad_maximum_machine_account_password_age = 0

and use GSS-SPNEGO for SSSD there are no messages in the AD logs?

bye,
Sumit

>
> regards,
> Adam
>
> ________________________________________
> From: Sumit Bose [[email protected]]
> Sent: 11 December 2019 15:55
> To: End-user discussions about the System Security Services Daemon
> Subject: [SSSD-users] Re: How do new LDAP security recommendations from MS 
> affect sssd clients?
>
> On Wed, Dec 11, 2019 at 08:14:25AM -0500, Chris P. wrote:
> > Just wondering if there is any more news regarding the patch for sssd to
> > work with the new MS requirements?
> > Currently I'm being notified that ALL linux servers are reporting this in
> > the AD logs:
> >
> > "...client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind
> > without requesting signing (integrity verification), or performed a simple
> > bind over a clear text (non-SSL/TLS-encrypted) LDAP connection..."
>
> Hi,
>
> I forgot to send the patch to use LDAPS for review, I will do it soon.
>
> In the meantime please check in the sssd-ldap man page whether the option
> ldap_sasl_mech supports GSS-SPNEGO (recent versions of SSSD should).
> In this case you can set
>
>     ldap_sasl_mech = GSS-SPNEGO
>
> in the [domain/...] section of sssd.conf and restart SSSD. Now the error
> logs on the AD side should at least be gone for this host.
>
> HTH
>
> bye,
> Sumit
>
> >
> > We are planning to test a sssd client with a patched AD server to see if
> > this will break AD auth on our sssd clients, but wanted to see if a patch
> > for sssd has been made available anywhere to use ldaps or ldap with sssd.
> >
> > Thanks,
> > Chris
>
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: 
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: 
> > https://lists.fedorahosted.org/archives/list/[email protected]