On Wed, 2021-08-25 at 21:00 -0700, Gordon uynt wrote:
> We had similar symptoms on CentOS systems at my previous employer,
> however, I'm mostly sure that they were resolved by an sssd update
> sometime in the last year or two. Are all of your systems fully
> patched?
At the risk of derailing the OP's search for a technical solution to his issue of ensuring Linux hosts consistently refresh their machine account passwords and keytabs, I'd like to ask the community their thoughts on the necessity of doing so.

According to Microsoft:

    Significantly increasing the password change interval (or disabling password changes) gives an attacker more time to undertake a brute-force password-guessing attack against one of the machine accounts.[1]

This is an example of an adcli generated machine password:

    7I*1>71IFxo%H8OlP<.^#sWI7iMgUA6E[aL*tc9t7M4oWSw+18FcjJC- FJ#Z.#wm@%X6]AgW7*7v,@J3vMGLdGu^(tzqMV+O%Foe50//Gf.=Z9wA)Q+er*K>

...good luck with the brute force attempt.

The MS policy also seems to contradict NIST best practice with their guidance to "eliminate periodic resets"[2] of passwords.

While I recognize you _can_ create your own machine account passwords, in practice I suspect this is rare, and that most people use the tools MS or the open-source community provide. Assuming this is true, why bother with updating the machine account password? To mitigate the compromise of a stolen host keytab, or is it to protect against admins who create machine account passwords that can be cracked? If these are the reasons for the policy, I'm thinking you have bigger issues in your environment. Or is this a somewhat outdated policy that has historically benefited Windows systems, and for those of us trying to integrate with Active Directory, it's best to just go along?

I am genuinely curious what the community thinks about this policy, and look forward to learning of the security implications I've failed to consider.
Thank you,
Mark

[1]: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age
[2]: https://pages.nist.gov/800-63-3/sp800-63-3.html

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
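Whatever one thinks of the policy, the OP's underlying problem is verifying that hosts actually rotate. The script below is an added example, not code from sssd, adcli or this thread: it parses MIT Kerberos `klist -kt` output (the KVNO / timestamp / principal table), finds the newest key in the host keytab, and flags the host as stale if that key is older than the 30-day default of sssd's `ad_maximum_machine_account_password_age`. The embedded keytab listing is constructed sample data; the host name, realm and timestamps are assumptions. Note that the keytab timestamp is when the key was written locally, so a keytab that was never rewritten after join will show the join date; comparing the keytab KVNO against the account's msDS-KeyVersionNumber in AD is the stronger check, and this script only covers the local side.

```python
"""Flag hosts whose Kerberos keytab shows no recent machine-account rotation.

Added example (not sssd/adcli project code). Assumes MIT Kerberos `klist -kt`
formatting: KVNO, "MM/DD/YYYY HH:MM:SS" timestamp, principal. Usage on a real host:

    klist -kt /etc/krb5.keytab | python3 check_keytab_age.py   # exit 1 if stale
"""
import re
import sys
from datetime import datetime

# Default of sssd.conf ad_maximum_machine_account_password_age, in days.
MAX_AGE_DAYS = 30

# Constructed sample listing (hypothetical host/realm): three monthly rotations.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 05/01/2021 03:12:41 host/linux01.example.com@EXAMPLE.COM
   2 05/01/2021 03:12:41 LINUX01$@EXAMPLE.COM
   3 06/01/2021 03:14:02 host/linux01.example.com@EXAMPLE.COM
   3 06/01/2021 03:14:02 LINUX01$@EXAMPLE.COM
   4 07/01/2021 03:11:55 host/linux01.example.com@EXAMPLE.COM
   4 07/01/2021 03:11:55 LINUX01$@EXAMPLE.COM
"""

# One keytab entry line; header and separator lines will not match.
ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<princ>\S+)\s*$"
)


def parse_klist(text):
    """Return a list of (kvno, timestamp, principal) tuples from `klist -kt` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Keytab name:", column header, dashed separator, etc.
        ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S")
        entries.append((int(m.group("kvno")), ts, m.group("princ")))
    return entries


def newest_key(entries):
    """Entry with the highest KVNO (AD bumps KVNO on every password change);
    ties (same KVNO, several enctypes/principals) broken by newest timestamp."""
    if not entries:
        return None
    return max(entries, key=lambda e: (e[0], e[1]))


def rotation_status(text, now=None, max_age_days=MAX_AGE_DAYS):
    """Summarise the newest key in `text`.

    `now` may be a datetime, an ISO-8601 string, or None (current time).
    Returns {"kvno", "age_days", "stale"}; a keytab with no entries is stale.
    """
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    entry = newest_key(parse_klist(text))
    if entry is None:
        return {"kvno": None, "age_days": None, "stale": True}
    kvno, ts, _principal = entry
    age_days = (now - ts).days
    return {"kvno": kvno, "age_days": age_days, "stale": age_days > max_age_days}


if __name__ == "__main__":
    # Read piped klist output if present, otherwise fall back to the sample.
    listing = SAMPLE_KLIST if sys.stdin.isatty() else sys.stdin.read()
    status = rotation_status(listing)
    print(status)
    sys.exit(1 if status["stale"] else 0)
```

Run it from a cron job or a configuration-management fact and alert on a non-zero exit; if you lower `ad_maximum_machine_account_password_age` in sssd.conf, pass the same value as `max_age_days` so the check and the renewal interval agree.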