All,

It appears that this Nov 2022 AD DC patch does not directly break our
sssd-based AD integration.  This was done in a test AD domain.

However, if the AD domain admin clicks the button to "use AES256 only" on
this test account it does break login.

Which led to further discovery.

Our particular AD integration allows AES256, AES128 and arcfour-hmac
encryption types.  That is, our crypto policy is DEFAULT:AD-SUPPORT.
(Originally, we turned off arcfour-hmac support, but for obscure reasons we
had to turn it back on.)

If we changed our crypto policy to "DEFAULT" (i.e., no arcfour-hmac
encryption support), then this Nov 2022 AD DC patch does seem to break our
sssd-based AD integration.

Thus, it appears that companies that have implemented good security and
disabled arcfour-hmac encryption will be bitten by this Nov 2022 AD DC
patch.

Spike
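The difference the message above turns on is whether the host's Kerberos crypto policy permits arcfour-hmac at all. The following is an added example, not code from the thread or from sssd: a small POSIX sh check that reads a crypto-policies krb5 back-end fragment and reports whether RC4 is in permitted_enctypes. It assumes the layout used by the crypto-policies package on Fedora/RHEL (the back-end file /etc/crypto-policies/back-ends/krb5.config, the active policy name from update-crypto-policies --show); the two config fragments embedded below are constructed samples standing in for the DEFAULT and DEFAULT:AD-SUPPORT outputs, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from sssd): report whether a krb5
# crypto-policy back-end permits arcfour-hmac (RC4).  On a real host the
# file is /etc/crypto-policies/back-ends/krb5.config and the active policy
# is shown by 'update-crypto-policies --show'; the fragments here are
# constructed samples, not copied from any system.

# Constructed sample resembling the DEFAULT policy back-end (no RC4).
SAMPLE_DEFAULT='[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 camellia256-cts-cmac camellia128-cts-cmac'

# Constructed sample resembling DEFAULT:AD-SUPPORT (RC4 appended).
SAMPLE_AD_SUPPORT='[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 camellia256-cts-cmac camellia128-cts-cmac arcfour-hmac-md5'

# rc4_permitted CONFIG_TEXT
#   exit 0 if an arcfour-hmac* enctype appears in permitted_enctypes,
#   non-zero otherwise.  Only the permitted_enctypes line is inspected.
rc4_permitted() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*permitted_enctypes[[:space:]]*=[[:space:]]*//p' \
      | tr ' ' '\n' \
      | grep -q '^arcfour-hmac'
}

# describe CONFIG_TEXT
#   print a one-line summary tying the result back to the policy names
#   discussed in the thread.
describe() {
    if rc4_permitted "$1"; then
        echo "arcfour-hmac permitted (AD-SUPPORT-style policy)"
    else
        echo "arcfour-hmac NOT permitted (DEFAULT-style policy)"
    fi
}

# On a real host you would run (not executed here):
#   update-crypto-policies --show
#   describe "$(cat /etc/crypto-policies/back-ends/krb5.config)"
describe "$SAMPLE_DEFAULT"
describe "$SAMPLE_AD_SUPPORT"
```

The check deliberately looks only at permitted_enctypes: a host can have a DEFAULT policy name while a local krb5.conf override re-enables RC4, so inspect the file that is actually in effect rather than trusting the policy name alone.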

On Tue, Nov 15, 2022 at 3:46 PM Spike White <[email protected]> wrote:

> Really really appreciate the heads-up on this Sumit!
>
> We'd seen the notice yesterday, but from the brief description our
> guess was that sssd was unaffected.  Then your message showed up.  So
> timely!
>
> We're coordinating with our AD team now.
>
> Spike
>
> Spike White
>
>
> On Tue, Nov 15, 2022 at 12:07 AM Sumit Bose <[email protected]> wrote:
>
>> ----- Forwarded message from Rob Crittenden via FreeIPA-users <
>> [email protected]> -----
>>
>> Date: Mon, 14 Nov 2022 10:19:15 -0500
>> From: Rob Crittenden via FreeIPA-users <
>> [email protected]>
>> To: FreeIPA users list <[email protected]>
>> Cc: Rob Crittenden <[email protected]>
>> Subject: [Freeipa-users] Microsoft November 2022 updates breaks Active
>>         Directory integration
>>
>> Microsoft addressed a number of CVEs last week which introduced some
>> authentication issues. After installation of these patches, user
>> authentication on Linux systems integrated in Active Directory no longer
>> works and new systems are unable to join an AD domain that is managed by
>> domain controllers where these patches have been applied.
>>
>> For more details see https://access.redhat.com/solutions/6985061 (open
>> to the public).
>>
>> rob
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to
>> [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>> ----- End forwarded message -----
>> _______________________________________________
>> sssd-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>>
>