On Wed, Dec 11, 2019 at 08:14:25AM -0500, Chris P. wrote: > Just wondering if there is any more news regarding the patch for sssd to > work with the new MS requirements? > Curerrently I'm being notified that ALL linux servers are reporting this in > the AD logs: > > "...client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind > without requesting signing (integrity verification), or performed a simple > bind over a clear text (non-SSL/TLS-encrypted) LDAP connection..."
Hi, I forgot to send the patch to use LDAPS for review, I will do it soon. In the meantime please check in the sssd-ldap man page if the option ldap_sasl_mech supports GSS-SPNEGO (recent version of SSSD should do). In this case you can set ldap_sasl_mech = GSS-SPNEGO in the [domain/...] section of sssd.conf and restart SSSD. Now the error logs in the AD side should at least be gone for this host. HTH bye, Sumit > > We are planning to test a sssd client with a patched AD server to see if > this will break AD auth on our sssd clients, but wanted to see if a patch > for sssd has been made available anywhere to use ldaps or ldap with sssd. > > Thanks, > Chris > _______________________________________________ > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org