On Tue, Dec 17, 2019 at 12:48:58PM +0000, Winberg Adam wrote:
> I can confirm that the warning messages in our AD logs are indeed gone after 
> setting
> 
>     ad_maximum_machine_account_password_age = 0
> 
> I would really like SSSD to update the machine account password however, so I 
> look forward to the adcli fix. 

Hi,

thanks for the feedback. The related ticket is
https://bugzilla.redhat.com/show_bug.cgi?id=1762420, currently mostly
private, I'll try to make important updates to the ticket public.

bye,
Sumit

> 
> Thanks!
> 
> //Adam
> 
> 
> ________________________________________
> From: Winberg Adam [adam.winb...@smhi.se]
> Sent: 17 December 2019 07:33
> To: End-user discussions about the System Security Services Daemon
> Subject: [SSSD-users] Re: How do new LDAP security recommendations from MS 
> affect sssd clients?
> 
> aha, adcli is used for the machine account password renewal, of course. I 
> will try to disable that and get back to you.
> 
> This is on RHEL 8.1, btw.
> 
> //Adam
> 
> ________________________________________
> From: Sumit Bose [sb...@redhat.com]
> Sent: 17 December 2019 07:29
> To: sssd-users@lists.fedorahosted.org
> Subject: [SSSD-users] Re: How do new LDAP security recommendations from MS 
> affect sssd clients?
> 
> On Tue, Dec 17, 2019 at 06:18:21AM +0000, Winberg Adam wrote:
> > Hi,
> >
> > We are seeing the same in our AD logs - "The following client performed a 
> > SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing 
> > (integrity verification)..." - and tried to mitigate this by changing from 
> > GSSAPI to GSS-SPNEGO in SSSD, but this makes no difference, AD keeps 
> > logging warnings.
> >
> > The logs do not originate from starting/stopping sssd, but rather when this 
> > happens:
> >
> > Dec 16 15:25:57  adcli[116149]: GSSAPI client step 1
> > Dec 16 15:25:57  adcli[116149]: GSSAPI client step 1
> > Dec 16 15:25:57  adcli[116149]: GSSAPI client step 1
> > Dec 16 15:25:57  adcli[116149]: GSSAPI client step 2
> >
> > (from 'systemctl status sssd').
> >
> > So even if sssd is configured to use GSS-SPNEGO it seems to trigger adcli 
> > which uses GSSAPI?
> 
> Hi,
> 
> yes, you are right. adcli does not inherit this option from SSSD but
> sets up the connection on its own. I'm working on a fix for adcli as
> well.
> 
> Do I understand correctly that if you disable the renewal of the machine
> account password by setting
> 
>     ad_maximum_machine_account_password_age = 0
> 
> and use GSS-SPNEGO for SSSD there are no messages in the AD logs?
> 
> bye,
> Sumit
> 
> >
> > regards,
> > Adam
> >
> > ________________________________________
> > From: Sumit Bose [sb...@redhat.com]
> > Sent: 11 December 2019 15:55
> > To: End-user discussions about the System Security Services Daemon
> > Subject: [SSSD-users] Re: How do new LDAP security recommendations from MS 
> > affect sssd clients?
> >
> > On Wed, Dec 11, 2019 at 08:14:25AM -0500, Chris P. wrote:
> > > Just wondering if there is any more news regarding the patch for sssd to
> > > work with the new MS requirements?
> > > Currently I'm being notified that ALL linux servers are reporting this in
> > > the AD logs:
> > >
> > > "...client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind
> > > without requesting signing (integrity verification), or performed a simple
> > > bind over a clear text (non-SSL/TLS-encrypted) LDAP connection..."
> >
> > Hi,
> >
> > I forgot to send the patch to use LDAPS for review, I will do it soon.
> >
> > In the meantime please check in the sssd-ldap man page if the option
> > ldap_sasl_mech supports GSS-SPNEGO (recent version of SSSD should do).
> > In this case you can set
> >
> >     ldap_sasl_mech = GSS-SPNEGO
> >
> > in the [domain/...] section of sssd.conf and restart SSSD. Now the error
> > logs in the AD side should at least be gone for this host.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > >
> > > We are planning to test a sssd client with a patched AD server to see if
> > > this will break AD auth on our sssd clients, but wanted to see if a patch
> > > for sssd has been made available anywhere to use ldaps or ldap with sssd.
> > >
> > > Thanks,
> > > Chris
> >
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
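A small audit of an sssd.conf for the two settings this thread turns on (ldap_sasl_mech = GSS-SPNEGO for SSSD's own binds, and ad_maximum_machine_account_password_age = 0 to stop adcli from doing its own plain-GSSAPI bind). This is an added example, not code from the SSSD project or from anyone in the thread; the domain name and sample config are constructed, and treating a missing ldap_sasl_mech as GSSAPI follows the sssd-ldap man page default.

```python
"""Audit sssd.conf for the settings discussed in the thread (added example)."""
import configparser
from typing import List


def audit_sssd_conf(text: str) -> List[str]:
    """Return one finding per problem; an empty list means both settings match the thread."""
    # sssd.conf is INI-style; disable interpolation so '%' in values is harmless.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        # Default per sssd-ldap(5) is GSSAPI, which AD logs as a bind without signing.
        mech = cp.get(section, "ldap_sasl_mech", fallback="GSSAPI").strip()
        if mech.upper() != "GSS-SPNEGO":
            findings.append(
                f"{section}: ldap_sasl_mech is {mech!r}; set ldap_sasl_mech = GSS-SPNEGO"
            )
        # adcli does not inherit ldap_sasl_mech, so renewal still binds with GSSAPI
        # unless renewal is disabled (age = 0) or adcli itself is fixed.
        age = cp.get(section, "ad_maximum_machine_account_password_age", fallback=None)
        if age is None or age.strip() != "0":
            findings.append(
                f"{section}: adcli machine-account renewal still binds with GSSAPI; "
                "set ad_maximum_machine_account_password_age = 0 until adcli is fixed"
            )
    return findings


# Constructed sample config with a hypothetical domain; not from the thread.
SAMPLE_CONF = """\
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ad
ad_domain = example.test
ldap_sasl_mech = GSS-SPNEGO
"""

if __name__ == "__main__":
    for finding in audit_sssd_conf(SAMPLE_CONF):
        print(finding)
```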
