did you try refreshing the machine password in AD?Looks like it's too old. O. ________________________________ From: David David <[email protected]> Sent: Thursday, February 6, 2020 12:09 PM To: [email protected] <[email protected]> Subject: [SSSD-users] sssd 1.16.4. ADV190023.
Hello, i guess that you probably heard about ADV190023. Our AD admin told me that linux servers which are under my responsibility send an unsigned request to AD, what could be a problem related to this incomming Ad patch: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4520412%2F2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows&data=02%7C01%7Condrej.valousek%40adestotech.com%7C02bc9c9da85b4234ad2408d7aaf511e4%7C2ccd8edaa14a4b4f825ce6ad71d71b81%7C0%7C1%7C637165841868286232&sdata=DrPbIHyfrnlKdMbgPDC7zhe9A356SR8mQuMpzY1qMiQ%3D&reserved=0. I am using sssd in "sssd-ad mode." The communication between a linux servers and our AD is crypted by kerberos, so this should be ok. I found only one kind of request which could result in potential failure. After mentioned patching implementation. See please below: (Wed Feb 5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds (Wed Feb 5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully (Wed Feb 5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 86400 seconds from last Everytime, this task is executed, our AD write into its log that an unsighned request came from my linux server. I tried to set ldap_tls_cert and ldap_tls_key into sssd.conf which point to the cert and key generated by our AD, but without success. I tried to find a proper solution how to sign the request that AD stop complaining, but nothing usefull found. My question is. Should I be affraid that after the patching, our AD will stop to communicate with my linux servers? Really thanks in advance for your answer. I really appreciate your effort. _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=02%7C01%7Condrej.valousek%40adestotech.com%7C02bc9c9da85b4234ad2408d7aaf511e4%7C2ccd8edaa14a4b4f825ce6ad71d71b81%7C0%7C1%7C637165841868286232&sdata=4G5oMya27fWpvMipoCpj1f%2FPI5FHTHXxdp%2B0A7B91EI%3D&reserved=0 List Guidelines: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedoraproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Condrej.valousek%40adestotech.com%7C02bc9c9da85b4234ad2408d7aaf511e4%7C2ccd8edaa14a4b4f825ce6ad71d71b81%7C0%7C1%7C637165841868286232&sdata=aegzmOrDxa%2FI7bB9Cn5%2FfKN6ShhZeWmSyIm7X0x96sk%3D&reserved=0 List Archives: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedorahosted.org&data=02%7C01%7Condrej.valousek%40adestotech.com%7C02bc9c9da85b4234ad2408d7aaf511e4%7C2ccd8edaa14a4b4f825ce6ad71d71b81%7C0%7C1%7C637165841868286232&sdata=JROmfoZbnte09nJysOIEWb2PDJiEmNZO9%2FO8XHN6Gyk%3D&reserved=0
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
