On Tue, 2017-01-03 at 09:42 -0500, Stephen Gallagher wrote:
> On 12/29/2016 09:03 AM, Jakub Hrozek wrote:
> >> If I configure the server to enforce STARTTLS is SSSD "smart enough" to
> >> work with that if I use sssd-ad or would I need to go the LDAP+Kerberos
> >> route in order to configure some of the TLS-related settings?
> >>
> >
> > The gssapi authentication is by default and cannot even be changed with
> > sssd-ad.
> >
>
> Just to clarify here: the GSSAPI used by SSSD also provides encrypted
> communication. You do not need to enable TLS as well (and I think SSSD will
> just
> ignore that option in this case).
To add to that, although our libraries will allow it, Windows systems
refuse to do GSSAPI encryption over a TLS channel, so do not try to use
both.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org