James,
Really appreciate the explanation and helpful URL. Totally agree with your
statements below:
Absolutely, yes. Even if there is some risk to using GSSAPI instead
of GSS-SPNEGO (e.g., if GSSAPI is potentially vulnerable to replay
attacks), that is negligible compared to the risk of

On Mon, Oct 12, 2020 at 11:25 AM Spike White wrote:
> I believe our older sssd clients (RHEL 6) cannot do gss-spnego auth
> mech. Only our newer RHEL7 and RHEL8 clients can do gss-spnego.
Correct.
sssd relies on the Cyrus SASL library to perform the authentication,
and the RHEL6 version of

All,
Still working with our AD team, trying to implement Microsoft's AD edict to
only allow LDAP SASL bindings with a security strength factor of 2 or
greater.
https://bugzilla.redhat.com/show_bug.cgi?id=1793709
So I realize (now) that sssd's default GSSAPI SASL binding does not do
signing.

All,
This improved AD domain controller seems like an excellent solution to a
problem we face periodically in our company. In our DMZs, 90% of the DCs
are blocked; only a few are accessible. Previously, it seems like sssd
did a CLDAP ping to about 5 DCs. If none of those 5 were accessible,

# SSSD 2.4.0
The SSSD team is proud to announce the release of version 2.4.0 of the
System Security Services Daemon. The tarball can be downloaded from:
https://github.com/SSSD/sssd/releases/tag/sssd-2_4_0
See the full release notes at:
https://sssd.io/docs/users/relnotes/notes_2_4_0