Hi,
We are seeing the same in our AD logs - "The following client performed a SASL
(Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity
verification)..." - and tried to mitigate this by changing from GSSAPI to GSS-SPNEGO
in SSSD, but this makes no difference, AD keeps logging warnings.
The logs does not origin from starting/stopping sssd, but rather when this happens:
Dec 16 15:25:57 adcli[116149]: GSSAPI client step 1
Dec 16 15:25:57 adcli[116149]: GSSAPI client step 1
Dec 16 15:25:57 adcli[116149]: GSSAPI client step 1
Dec 16 15:25:57 adcli[116149]: GSSAPI client step 2
(from 'systemctl status sssd').
So even if sssd is configured to use GSS-SPNEGO it seems to trigger adcli which uses
GSSAPI?
regards,
Adam
________________________________________
From: Sumit Bose [sbose(a)redhat.com]
Sent: 11 December 2019 15:55
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: How do new LDAP security recommendations from MS affect sssd
clients?
On Wed, Dec 11, 2019 at 08:14:25AM -0500, Chris P. wrote:
Just wondering if there is any more news regarding the patch for sssd
to
work with the new MS requirements?
Curerrently I'm being notified that ALL linux servers are reporting this in
the AD logs:
"...client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind
without requesting signing (integrity verification), or performed a simple
bind over a clear text (non-SSL/TLS-encrypted) LDAP connection..."
Hi,
I forgot to send the patch to use LDAPS for review, I will do it soon.
In the meantime please check in the sssd-ldap man page if the option
ldap_sasl_mech supports GSS-SPNEGO (recent version of SSSD should do).
In this case you can set
ldap_sasl_mech = GSS-SPNEGO
in the [domain/...] section of sssd.conf and restart SSSD. Now the error
logs in the AD side should at least be gone for this host.
HTH
bye,
Sumit
We are planning to test a sssd client with a patched AD server to see if
this will break AD auth on our sssd clients, but wanted to see if a patch
for sssd has been made available anywhere to use ldaps or ldap with sssd.
Thanks,
Chris
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...