I wonder if Microsoft changed the behaviour since early this year? I've seen mailing list posts stating that a simple ldapsearch with gssapi would succeed, even with the server enforcing rules on signing enabled, but still log the 2889 event. But I don't see that now.
This works and does not produce the 2889 event on the server:

    $ ldapsearch -H ldap://server1.ad1.example.com -Y GSSAPI -b '' -s base > /dev/null
    SASL/GSSAPI authentication started
    SASL username: [email protected]
    SASL SSF: 56
    SASL data security layer installed.

If I set maxssf to 0, then it fails and *does* produce the 2889 event on the server:

    $ ldapsearch -O maxssf=0 -H ldap://server1.ad1.example.com -Y GSSAPI -b '' -s base > /dev/null
    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
        additional info: 00002028: LdapErr: DSID-0C090266, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563

Event:

    The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.
    Client IP address: 10.51.0.1:49036
    Identity the client attempted to authenticate as: AD1\john
    Binding Type: 0

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1868703

Title:
  Support new AD requirements (ADV190023)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1868703/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
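The two binds above (default GSSAPI bind with a security layer, and the same bind with maxssf=0) are exactly the probe you want when checking whether a domain controller has moved from auditing event 2889 to actually enforcing LDAP signing. The script below is an added example, not code from the bug report, from sssd or from OpenLDAP: it runs both binds and classifies the ldapsearch diagnostics (LDAP result 8 with AD sub-code 0x2028 means the DC refused the unsigned bind; "SASL SSF: 0" on a successful bind means the DC still accepts unsigned SASL binds). It assumes OpenLDAP's ldapsearch and an existing Kerberos ticket for the live probe; the classifier itself only parses text, and the embedded sample output is a constructed transcript modelled on the failure shown in the post. The hostname argument is a placeholder.

```shell
#!/bin/sh
# Added example (not from the bug report, sssd or OpenLDAP): probe whether a
# DC rejects a GSSAPI bind that negotiates no SASL integrity layer, i.e.
# whether "LDAP server signing requirements" is already set to "Require
# signing" (the ADV190023 hardening), and classify the ldapsearch output.
# Assumes OpenLDAP ldapsearch and a valid Kerberos ticket (kinit) for the
# live probe. The classifier only inspects text, so it runs offline.

# Classify the combined stdout/stderr of one ldapsearch run.
#   signing-required       - DC refused the unsigned bind (LDAP 8, AD 0x2028)
#   bind-ok-no-integrity   - bind succeeded with SSF 0 (DC would log 2889)
#   bind-ok-with-integrity - bind negotiated a security layer (SSF > 0)
#   unknown                - anything else (no ticket, network error, ...)
classify_bind() {
    case "$1" in
        *"00002028"*|*"Strong(er) authentication required"*)
            echo "signing-required" ;;
        *"SASL SSF: 0"*)
            echo "bind-ok-no-integrity" ;;
        *"SASL data security layer installed"*)
            echo "bind-ok-with-integrity" ;;
        *)
            echo "unknown" ;;
    esac
}

# Run one GSSAPI bind against host $1 with optional SASL option $2 (for
# example "maxssf=0"). ldapsearch prints the SASL diagnostics and the bind
# error on stderr, so both streams are captured for classification.
run_bind() {
    host="$1"; opt="${2:-}"
    if [ -n "$opt" ]; then
        out=$(ldapsearch -O "$opt" -H "ldap://$host" -Y GSSAPI -b '' -s base 2>&1)
    else
        out=$(ldapsearch -H "ldap://$host" -Y GSSAPI -b '' -s base 2>&1)
    fi
    classify_bind "$out"
}

# Probe a DC with both binds and print a verdict.
probe_dc() {
    host="$1"
    unsigned=$(run_bind "$host" maxssf=0)
    signed=$(run_bind "$host")
    printf 'maxssf=0 bind: %s\ndefault bind:  %s\n' "$unsigned" "$signed"
    case "$unsigned" in
        signing-required)
            echo "verdict: DC enforces LDAP signing" ;;
        bind-ok-no-integrity)
            echo "verdict: DC still accepts unsigned SASL binds (audit-only or no policy)" ;;
        *)
            echo "verdict: inconclusive, check ticket/connectivity" ;;
    esac
}

# Constructed sample of the refusal diagnostics (modelled on the report),
# so the classifier can be exercised without a DC.
SAMPLE_REFUSED='SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Strong(er) authentication required (8)
        additional info: 00002028: LdapErr: DSID-0C090266, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4563'

if [ "${1:-}" = "--demo" ]; then
    classify_bind "$SAMPLE_REFUSED"   # prints: signing-required
elif [ -n "${1:-}" ]; then
    probe_dc "$1"                     # e.g. ./probe.sh dc1.ad1.example.com
fi
```

Two caveats when using the live probe. Against a DC that does not yet enforce signing, the maxssf=0 bind succeeds and is itself written to the DC's Directory Service log as event 2889 under your identity, so expect to see your own probe there. And the AD error text only applies to plain ldap://; over ldaps:// or after StartTLS the same maxssf=0 bind is accepted, because TLS already satisfies the integrity requirement, so probe the cleartext port if the question is whether unsigned binds are blocked.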
