On Thu, Feb 06, 2020 at 03:05:13PM +0000, Ondrej Valousek wrote:
> Did you try refreshing the machine password in AD? Looks like it's too old.
> O.
> ________________________________
> From: David David <[email protected]>
> Sent: Thursday, February 6, 2020 12:09 PM
> To: [email protected] <[email protected]>
> Subject: [SSSD-users] sssd 1.16.4. ADV190023.
> 
> Hello,
> I guess you have probably heard about ADV190023. Our AD admin told me that 
> the Linux servers under my responsibility send an unsigned request to 
> AD, which could be a problem related to this incoming AD patch: 
> https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
> 
> I am using sssd in "sssd-ad mode". The communication between the Linux servers 
> and our AD is encrypted by Kerberos, so this should be OK.
> 
> I found only one kind of request which could result in a potential failure 
> after the mentioned patch is applied. Please see below:
> 
> (Wed Feb  5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_execute] (0x0400): Task 
> [AD machine account password renewal]: executing task, timeout 60 seconds
> (Wed Feb  5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_done] (0x0400): Task [AD 
> machine account password renewal]: finished successfully
> (Wed Feb  5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_schedule] (0x0400): Task 
> [AD machine account password renewal]: scheduling task 86400 seconds from last

Hi,

Ondrej is right; those messages are related to adcli trying to update
the machine account password if it is too old. To check when the
password was last updated, adcli uses LDAP with SASL/GSSAPI. I've added a
patch so that SASL/GSS-SPNEGO is used when it is available on the AD DC
side:
https://gitlab.freedesktop.org/realmd/adcli/commit/a6f795ba3d6048b32d7863468688bf7f42b2cafd
With SASL/GSS-SPNEGO all requirements are negotiated automatically and
signing should be switched on if required.

With SASL/GSSAPI you might be able to tune this manually, see e.g. the
SASL and GSSAPI options in man ldap.conf for details.

There is also a patch for adcli which tells adcli to use ldaps:
https://gitlab.freedesktop.org/realmd/adcli/commit/85097245b57f190337225dbdbf6e33b58616c092
but this is currently not used by SSSD. And in general I think using
GSS-SPNEGO is sufficient, since there is no requirement to switch to
ldaps (if I read the advisory correctly) and AD does not enable ldaps by
default either.

bye,
Sumit
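One way to check the manual tuning mentioned above, as an added example that is not part of this thread or of adcli/SSSD: a POSIX shell script that reports whether an OpenLDAP client ldap.conf requests a SASL security layer (SASL_SECPROPS minssf), which is what makes a GSSAPI bind carry integrity protection. It assumes the LDAP client honours SASL_SECPROPS from ldap.conf and uses constructed sample configs written to a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from adcli/SSSD.
# Reports whether an OpenLDAP client config asks for a SASL security
# layer. With GSSAPI, minssf=1 requires integrity (the "signing" AD
# looks for) and minssf=56 also requires confidentiality (sealing).
# Assumption: the LDAP client honours SASL_SECPROPS from ldap.conf.

# Print the minssf value from the last SASL_SECPROPS line, or 0 if unset.
ldap_conf_minssf() {
    v=$(grep -i '^[[:space:]]*SASL_SECPROPS' "$1" 2>/dev/null \
        | sed -n 's/.*minssf=\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    echo "${v:-0}"
}

# Succeed when the config requires at least an integrity layer.
requires_sasl_integrity() {
    [ "$(ldap_conf_minssf "$1")" -ge 1 ]
}

# Constructed sample configs written to a temporary directory.
tmp=$(mktemp -d)
printf '%s\n' 'BASE dc=example,dc=com' 'URI ldap://dc1.example.com' \
    > "$tmp/weak.conf"
printf '%s\n' 'BASE dc=example,dc=com' 'URI ldap://dc1.example.com' \
    'SASL_SECPROPS minssf=56,noanonymous' > "$tmp/hardened.conf"

for f in "$tmp/weak.conf" "$tmp/hardened.conf"; do
    if requires_sasl_integrity "$f"; then
        echo "$f: minssf=$(ldap_conf_minssf "$f"), SASL layer required"
    else
        echo "$f: no minssf, GSSAPI bind may go out without signing"
    fi
done

# Live check against a DC (needs a Kerberos ticket; hostname is a
# placeholder): the -O option passes SASL security properties per bind.
#   ldapsearch -Y GSSAPI -O minssf=1 -H ldap://dc1.example.com -b '' -s base
```

The same idea applies to sssd.conf, where ldap_sasl_minssf overrides the ldap.conf default for the SSSD LDAP/AD provider.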

> 
> Every time this task is executed, our AD writes into its log that an unsigned 
> request came from my Linux server. I tried to set ldap_tls_cert and 
> ldap_tls_key in sssd.conf, pointing to the cert and key generated by our 
> AD, but without success.
> 
> I tried to find a proper solution for signing the request so that AD stops 
> complaining, but found nothing useful.
> 
> My question is: should I be afraid that after the patching, our AD will stop 
> communicating with my Linux servers?
> 
> Thanks a lot in advance for your answer. I really appreciate your effort.
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: 
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org