On Wed, Dec 11, 2019 at 08:14:25AM -0500, Chris P. wrote:
> Just wondering if there is any more news regarding the patch for sssd to
> work with the new MS requirements?
> Currently I'm being notified that ALL linux servers are reporting this in
> the AD logs:
> 
> "...client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind
> without requesting signing (integrity verification), or performed a simple
> bind over a clear text (non-SSL/TLS-encrypted) LDAP connection..."

Hi,

I forgot to send the patch to use LDAPS for review, I will do it soon.

In the meantime please check in the sssd-ldap man page if the option
ldap_sasl_mech supports GSS-SPNEGO (recent versions of SSSD should do).
In this case you can set

    ldap_sasl_mech = GSS-SPNEGO

in the [domain/...] section of sssd.conf and restart SSSD. Now the error
logs on the AD side should at least be gone for this host.

HTH

bye,
Sumit

> 
> We are planning to test a sssd client with a patched AD server to see if
> this will break AD auth on our sssd clients, but wanted to see if a patch
> for sssd has been made available anywhere to use ldaps or ldap with sssd.
> 
> Thanks,
> Chris

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
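
To see which domains in a host's sssd.conf already carry the setting suggested in the reply above, a small audit script can help. This is an added example, not part of the original message or of SSSD; the sample file and domain names are constructed, and the script only reports explicit values (it does not check whether the installed SSSD supports GSS-SPNEGO).

```python
import configparser

# Constructed sample sssd.conf (not from the thread): one domain set as
# suggested, one with a different mechanism, one with no explicit value.
SAMPLE_CONF = """
[sssd]
domains = corp.example, lab.example, legacy.example
services = nss, pam

[domain/corp.example]
id_provider = ad
ldap_sasl_mech = GSS-SPNEGO

[domain/lab.example]
id_provider = ad
ldap_sasl_mech = GSSAPI

[domain/legacy.example]
id_provider = ldap
# ldap_sasl_mech = GSS-SPNEGO
"""

WANTED = "GSS-SPNEGO"


def audit_sasl_mech(conf_text):
    """Return {domain: (status, configured_value)} for each [domain/...] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    report = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [nss], [pam] etc. do not take this option
        value = parser.get(section, "ldap_sasl_mech", fallback=None)
        if value is None:
            status = "unset"   # no explicit value; the SSSD default applies
        elif value == WANTED:
            status = "ok"
        else:
            status = "other"   # explicitly set to a different mechanism
        report[section[len("domain/"):]] = (status, value)
    return report


if __name__ == "__main__":
    for domain, (status, value) in sorted(audit_sasl_mech(SAMPLE_CONF).items()):
        print(f"{domain:20} {status:6} ldap_sasl_mech={value}")
```

On a real host, pass the contents of sssd.conf (readable only by root) to `audit_sasl_mech` instead of `SAMPLE_CONF`.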