Ok, after a lot of messing around with windows, I was at least able to confirm that with sssd from groovy I can set ad_use_ldaps = True and, after exporting the AD CA cert and marking it as trusted on the client ubuntu box, I see the connection using port 646.
What I couldn't do was *reject* connections not using ssl/tls, even after applying the policy change described in https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows. I wonder if the gssapi SSF is enough to consider the connection encrypted and not require actual TLS/SSL?

ubuntu@g-sssd:~$ kinit john
Password for [email protected]:
ubuntu@g-sssd:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting       Expires              Service principal
08/31/20 20:12:28  09/01/20 06:12:28  krbtgt/[email protected]
	renew until 09/01/20 20:12:26
ubuntu@g-sssd:~$ ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
u:AD1\john
ubuntu@g-sssd:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting       Expires              Service principal
08/31/20 20:12:28  09/01/20 06:12:28  krbtgt/[email protected]
	renew until 09/01/20 20:12:26
08/31/20 20:12:35  09/01/20 06:12:28  ldap/server1.ad1.example.com@
	renew until 09/01/20 20:12:26
08/31/20 20:12:35  09/01/20 06:12:28  ldap/[email protected]
	renew until 09/01/20 20:12:26

None of the above used port 636. When I use a simple bind, I'm forced to use -ZZ, and I can see in the network traffic that TLS 1.2 was selected.

Furthermore, even after I applied the policy change regarding signing on the windows side, sssd without ad_use_ldaps still worked on port 389. I'll chalk that up to my windows knowledge gaps.

In any case, checking that port 636 is being used by sssd seems enough for an SRU test case I guess?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703

Title:
  Backport ad_use_ldaps because of ADV190023

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
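One way to script the "sssd only talks to AD on 636" check the comment above proposes as an SRU test, written here as an added example rather than code from the bug report or from sssd. It assumes `ss -tnp` output with the peer address in the fifth column and the owning process in the sixth; the socket tables below are constructed samples, not captures from the reporter's machine.

```shell
#!/bin/sh
# sssd_ldaps_only: read `ss -tnp` output on stdin and succeed (exit 0) only when
# every established sssd_be connection goes to TCP/636 and none to TCP/389.
# Live use:  ss -tnp | sssd_ldaps_only && echo "sssd is using LDAPS only"
sssd_ldaps_only() {
    awk '
        # only sockets owned by the sssd back end matter; $5 is "peer:port"
        /sssd_be/ {
            n = split($5, peer, ":")        # last element survives IPv6 colons
            port = peer[n]
            if (port == "389") plain++      # ad_use_ldaps not in effect
            if (port == "636") ldaps++      # LDAPS as expected
        }
        END { exit (plain == 0 && ldaps > 0) ? 0 : 1 }
    '
}

# Constructed sample: sssd_be connected to the DC on 636 plus an unrelated sshd socket.
SAMPLE_LDAPS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:51234 10.0.0.10:636 users:(("sssd_be",pid=1234,fd=20))
ESTAB 0 0 10.0.0.5:22 10.0.0.99:54321 users:(("sshd",pid=900,fd=4))'

# Constructed sample: the pre-backport behaviour, sssd_be still bound on 389.
SAMPLE_PLAIN='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:51240 10.0.0.10:389 users:(("sssd_be",pid=1234,fd=21))
ESTAB 0 0 10.0.0.5:51241 [fd00::10]:636 users:(("sssd_be",pid=1234,fd=22))'

printf '%s\n' "$SAMPLE_LDAPS" | sssd_ldaps_only && echo "sample 1: LDAPS only" || echo "sample 1: FAIL"
printf '%s\n' "$SAMPLE_PLAIN" | sssd_ldaps_only && echo "sample 2: LDAPS only" || echo "sample 2: plain LDAP seen"
```

A mixed table like the second sample fails on purpose: one 389 connection is enough to show that ad_use_ldaps is not protecting the whole back end.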
