Hmm.. will have to come up with something else for those hosts then... upgrade to 7+ I
guess since EOL is Nov... maybe MS will wait until Nov to push the patch that turns on
ldap signing? One can hope I guess.
Todd
-----Original Message-----
From: Sumit Bose <sbose(a)redhat.com>
Sent: Thursday, February 13, 2020 9:17 AM
To: End-user discussions about the System Security Services Daemon
<sssd-users(a)lists.fedorahosted.org>
Subject: [SSSD-users] Re: sssd 1.16.4. ADV190023.
On Thu, Feb 13, 2020 at 03:10:31PM +0000, Mote, Todd wrote:
Hi,
not not available in RHEL-6, iirc it was added in RHEL-7.2 or RHEL-7.3.
bye,
Sumit
Todd
-----Original Message-----
From: Sumit Bose <sbose(a)redhat.com>
Sent: Thursday, February 13, 2020 8:51 AM
To: End-user discussions about the System Security Services Daemon
<sssd-users(a)lists.fedorahosted.org>
Subject: [SSSD-users] Re: sssd 1.16.4. ADV190023.
On Thu, Feb 13, 2020 at 01:42:33PM +0000, Mote, Todd wrote:
> I'll work on getting that today. This is what I know so far.
>
>
>
> Test system updated through our Satellite, so nothing special or different. Yum
updated everything:
>
> RHEL 7.7
>
> sssd-1.16.4-21.el7_7.1.x86_64
>
> adcli-0.8.1-9.el7.x86_64
>
>
>
> Domain:
>
> Windows Server 2016
>
> regkey ldapserverintegrity=2
>
> regkey ldapenforcechannelbinding=1
>
>
>
> we splunk our domain logs and my coworker wrote a dashboard to display the entries
when either simple binds or unsigned sasl occur. Over the last 24 hours my test host
triggered the unsigned sasl entry 13 times. Each entry corresponds precisely to the adcli
check password attempt in the logs. It doesn't log an unsigned sasl event every hour,
and a couple of times not at all for several hours. I'm not sure what's behind
that. Times here are UTC -6. I’m in the 7:00 hour here. The most recent entry is below.
I’ll work to get a trace running by the next hour, in case it logs it again.
Hi,
can you try to run the following ldapsearch commands and check which one causes a message
in the event log?
ldapsearch -H
cldap://ad-server.ADTEST.domain.com -b '' -s base
'(&(DnsDomain=ADTEST.domain.com)(NtVer=\14\00\00\00))' netlogon
ldapsearch -H
ldap://ad-server.ADTEST.domain.com -x -b '' -s
base '(&(DnsDomain=ADTEST.domain.com)(NtVer=\14\00\00\00))' netlogon
ldapsearch -H
ldap://ad-server.ADTEST.domain.com -x -b '' -s
base
kinit 'ANTI-TEST$(a)ADTEST.DOMAIN.COM'
ldapsearch -H
ldap://ad-server.ADTEST.domain.com -Y GSSAPI -b ''
-s base
kinit 'ANTI-TEST$(a)ADTEST.DOMAIN.COM'
ldapsearch -H
ldap://ad-server.ADTEST.domain.com -Y GSS-SPNEGO -b
'' -s base
bye,
Sumit
>
>
>
> This behavior also happens with RHEL 8, sssd 2.2 and adcli 0.8.2. I see the same
entries logged in both the sssd log on the device and the domain.
>
>
>
Timestamp<https://splunk.security.utexas.edu/en-US/app/ut_itsy-ad-mo
> ni
> toring/search?earliest=-24h%40h&latest=now&q=search%20%60ADlogs%60%2
> 0s
> ource%3D%22WinEventLog%3ADirectory%20Service%22%20EventCode%3D2889%2
> 0%
> 7C%20rex%20field%3DMessage%20%22(%3Fs)%5E(%3F%3CeMessage%3E.*%5C.)%5
> Cs
> *Client%20IP%20address%3A%5Cs*(%3F%3CClientIPAddress%3E.*)%3A(%3F%3C
> Po
> rt%3E%5Cd%2B)%5Cs*Identity%20the%20client%20attempted%20to%20authent
> ic
> ate%20as%3A%5Cs*(%3F%3CUserName%3E%5CS*)%5Cs*Binding%20Type%3A%5Cs*(
> %3
> F%3CBindingType%3E%5Cd)%24%22%20%7C%20eval%20Timestamp%3Dstrftime(_t
> im
> e%2C%20%22%25m-%25d-%25Y%20%25H%3A%25M%3A%25S%22)%20%7C%20lookup%20d
> ns
> lookup%20clientip%20as%20ClientIPAddress%20OUTPUT%20clienthost%20as%
> 20
> FQDN%20%7C%20search%20BindingType%3D*%20ClientIPAddress%3D146.6.182.
> 22
> 6%20%7C%20%20eval%20BindingType%3Dcase(BindingType%3D%3D0%2C%22Unsig
> ne
> d%20SASL%22%2CBindingType%3D%3D1%2C%22Simple%22)%20%7C%20sort%20-Tim
> es
> tamp%20%7C%20rename%20ClientIPAddress%20as%20%22Client%20IP%20Addres
> s%
> 22%2CUserName%20as%20%22User%20Name%22%2CBindingType%20as%20%22Bindi
> ng
> %20Type%22%20%7C%20table%20Timestamp%2C%22Client%20IP%20Address%22%2
> CF
> QDN%2C%22User%20Name%22%2C%22Binding%20Type%22&display.page.search.m
> od
> e=smart&dispatch.sample_ratio=1&display.page.search.tab=statistics&d
> is
> play.general.type=statistics&display.statistics.sortColumn=Timestamp
> &d
> isplay.statistics.sortDirection=desc&sid=1581600147.468973_8220FB8F-
> 01
> FA-4F7E-929B-F56DE7E31D3B> User
>
Name<https://splunk.security.utexas.edu/en-US/app/ut_itsy-ad-monitor
> in
> g/search?earliest=-24h%40h&latest=now&q=search%20%60ADlogs%60%20sour
> ce
> %3D%22WinEventLog%3ADirectory%20Service%22%20EventCode%3D2889%20%7C%
> 20
> rex%20field%3DMessage%20%22(%3Fs)%5E(%3F%3CeMessage%3E.*%5C.)%5Cs*Cl
> ie
> nt%20IP%20address%3A%5Cs*(%3F%3CClientIPAddress%3E.*)%3A(%3F%3CPort%
> 3E
> %5Cd%2B)%5Cs*Identity%20the%20client%20attempted%20to%20authenticate
> %2
> 0as%3A%5Cs*(%3F%3CUserName%3E%5CS*)%5Cs*Binding%20Type%3A%5Cs*(%3F%3
> CB
> indingType%3E%5Cd)%24%22%20%7C%20eval%20Timestamp%3Dstrftime(_time%2
> C%
> 20%22%25m-%25d-%25Y%20%25H%3A%25M%3A%25S%22)%20%7C%20lookup%20dnsloo
> ku
> p%20clientip%20as%20ClientIPAddress%20OUTPUT%20clienthost%20as%20FQD
> N%
> 20%7C%20search%20BindingType%3D*%20ClientIPAddress%3D146.6.182.226%2
> 0%
> 7C%20%20eval%20BindingType%3Dcase(BindingType%3D%3D0%2C%22Unsigned%2
> 0S
> ASL%22%2CBindingType%3D%3D1%2C%22Simple%22)%20%7C%20sort%20-Timestam
> p%
> 20%7C%20rename%20ClientIPAddress%20as%20%22Client%20IP%20Address%22%
> 2C
> UserName%20as%20%22User%20Name%22%2CBindingType%20as%20%22Binding%20
> Ty
> pe%22%20%7C%20table%20Timestamp%2C%22Client%20IP%20Address%22%2CFQDN
> %2
> C%22User%20Name%22%2C%22Binding%20Type%22&display.page.search.mode=s
> ma
> rt&dispatch.sample_ratio=1&display.page.search.tab=statistics&display.
> general.type=statistics&display.statistics.sortColumn=Timestamp&disp
> la
> y.statistics.sortDirection=desc&sid=1581600147.468973_8220FB8F-01FA-
> 4F
> 7E-929B-F56DE7E31D3B> Binding
>
Type<https://splunk.security.utexas.edu/en-US/app/ut_itsy-ad-monitor
> in
> g/search?earliest=-24h%40h&latest=now&q=search%20%60ADlogs%60%20sour
> ce
> %3D%22WinEventLog%3ADirectory%20Service%22%20EventCode%3D2889%20%7C%
> 20
> rex%20field%3DMessage%20%22(%3Fs)%5E(%3F%3CeMessage%3E.*%5C.)%5Cs*Cl
> ie
> nt%20IP%20address%3A%5Cs*(%3F%3CClientIPAddress%3E.*)%3A(%3F%3CPort%
> 3E
> %5Cd%2B)%5Cs*Identity%20the%20client%20attempted%20to%20authenticate
> %2
> 0as%3A%5Cs*(%3F%3CUserName%3E%5CS*)%5Cs*Binding%20Type%3A%5Cs*(%3F%3
> CB
> indingType%3E%5Cd)%24%22%20%7C%20eval%20Timestamp%3Dstrftime(_time%2
> C%
> 20%22%25m-%25d-%25Y%20%25H%3A%25M%3A%25S%22)%20%7C%20lookup%20dnsloo
> ku
> p%20clientip%20as%20ClientIPAddress%20OUTPUT%20clienthost%20as%20FQD
> N%
> 20%7C%20search%20BindingType%3D*%20ClientIPAddress%3D146.6.182.226%2
> 0%
> 7C%20%20eval%20BindingType%3Dcase(BindingType%3D%3D0%2C%22Unsigned%2
> 0S
> ASL%22%2CBindingType%3D%3D1%2C%22Simple%22)%20%7C%20sort%20-Timestam
> p%
> 20%7C%20rename%20ClientIPAddress%20as%20%22Client%20IP%20Address%22%
> 2C
> UserName%20as%20%22User%20Name%22%2CBindingType%20as%20%22Binding%20
> Ty
> pe%22%20%7C%20table%20Timestamp%2C%22Client%20IP%20Address%22%2CFQDN
> %2
> C%22User%20Name%22%2C%22Binding%20Type%22&display.page.search.mode=s
> ma
> rt&dispatch.sample_ratio=1&display.page.search.tab=statistics&display.
> general.type=statistics&display.statistics.sortColumn=Timestamp&disp
> la
> y.statistics.sortDirection=desc&sid=1581600147.468973_8220FB8F-01FA-
> 4F
> 7E-929B-F56DE7E31D3B>
> 02-13-2020 07:12:33
> ADTEST\ANTI-TEST$
> Unsigned SASL
> 02-13-2020 05:12:34
> ADTEST\ANTI-TEST$
> Unsigned SASL
> 02-13-2020 03:12:34
> ADTEST\ANTI-TEST$
> Unsigned SASL
> 02-13-2020 02:12:35
> ADTEST\ANTI-TEST$
> Unsigned SASL
> 02-13-2020 01:12:34
> ADTEST\ANTI-TEST$
> Unsigned SASL
> 02-12-2020 23:12:34
> ADTEST\ANTI-TEST$
> Unsigned SASL
> 02-12-2020 22:12:34
> ADTEST\ANTI-TEST$
> Unsigned SASL
> 02-12-2020 19:12:34
> ADTEST\ANTI-TEST$
> Unsigned SASL
> 02-12-2020 17:12:34
> ADTEST\ANTI-TEST$
> Unsigned SASL
> 02-12-2020 14:12:34
> ADTEST\ANTI-TEST$
> Unsigned SASL
> 02-12-2020 13:12:34
> ADTEST\ANTI-TEST$
> Unsigned SASL
> 02-12-2020 09:12:35
> ADTEST\ANTI-TEST$
> Unsigned SASL
> 02-12-2020 08:12:34
> ADTEST\ANTI-TEST$
> Unsigned SASL
>
>
>
>
>
> (Thu Feb 13 07:12:33 2020) [sssd[be[adtest.domain.com]]]
> [ad_machine_account_password_renewal_done] (0x1000): --- adcli
> output
> start---
>
> * Found realm in keytab:
ADTEST.domain.com
>
> * Found computer name in keytab: ANTI-TEST
>
> * Found service principal in keytab: host/ANTI-TEST
>
> * Found service principal in keytab:
>
host/anti-test.adtest.domain.com
>
> * Found host qualified name in keytab:
anti-test.adtest.domain.com
>
> * Found service principal in keytab: RestrictedKrbHost/ANTI-TEST
>
> * Found service principal in keytab:
>
RestrictedKrbHost/anti-test.adtest.domain.com
>
> * Using fully qualified name:
anti-test.adtest.domain.com
>
> * Using domain name:
adtest.domain.com
>
> * Calculated computer account name from fqdn: ANTI-TEST
>
> * Using domain realm:
adtest.domain.com
>
> * Sending netlogon pings to domain controller: cldap://
> xxx.xxx.xxx.xxx
>
> * Received NetLogon info from:
dc01a.adtest.domain.com
>
> * Wrote out krb5.conf snippet to
> /tmp/adcli-krb5-RCmgmC/krb5.d/adcli-krb5-conf-vPdhBf
>
> * Authenticated as default/reset computer account: ANTI-TEST
>
> * Looked up short domain name: ADTEST
>
> * Looked up domain SID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx
>
> * Using fully qualified name:
anti-test.adtest.domain.com
>
> * Using domain name:
adtest.domain.com
>
> * Using computer account name: ANTI-TEST
>
> * Using domain realm:
adtest.domain.com
>
> * Using fully qualified name:
anti-test.adtest.domain.com
>
> * Enrolling computer name: ANTI-TEST
>
> * Generated 120 character computer password
>
> * Using keytab: FILE:/etc/krb5.keytab
>
> * Found computer account for ANTI-TEST$ at:
> CN=ANTI-TEST,OU=Dev,OU=Linux,OU=moter,OU=ITSY-Staff,OU=ITSY,OU=Depar
> tm
> ents,DC=adtest,DC=domain,DC=com
>
> * Retrieved kvno '6' for computer account in directory:
> CN=ANTI-TEST,OU=Dev,OU=Linux,OU=moter,OU=ITSY-Staff,OU=ITSY,OU=Depar
> tm
> ents,DC=adtest,DC=domain,DC=com
>
> * Password not too old, no change needed
>
> * Sending netlogon pings to domain controller:
> cldap://xxx.xxx.xxx.xxx
>
> * Received NetLogon info from:
dc01a.adtest.domain.com
>
> * Checking
RestrictedKrbHost/anti-test.adtest.domain.com
>
> * Added
RestrictedKrbHost/anti-test.adtest.domain.com
>
> * Checking
host/anti-test.adtest.domain.com
>
> * Added
host/anti-test.adtest.domain.com
>
> * Checking RestrictedKrbHost/ANTI-TEST
>
> * Added RestrictedKrbHost/ANTI-TEST
>
> * Checking host/ANTI-TEST
>
> * Added host/ANTI-TEST
>
> ---adcli output end---
>
>
>
> Todd
>
>
>
> -----Original Message-----
> From: Sumit Bose <sbose(a)redhat.com>
> Sent: Thursday, February 13, 2020 1:36 AM
> To: sssd-users(a)lists.fedorahosted.org
> Subject: [SSSD-users] Re: sssd 1.16.4. ADV190023.
>
>
>
> On Wed, Feb 12, 2020 at 01:11:14PM +0000, Mote, Todd wrote:
>
> > Sumit
>
> >
>
> > Any idea on when your SASL/GSS-SPNEGO patch for adcli might make it downstream?
It seems that adcli is checking once an hour on the age of the password and is the only
thing left on my test hosts that is triggering the Unsigned SASL event on our domain
controllers. I have tinkered with the GSSAPI and other settings in ldap.conf, so none of
the connections are simple, just unsigned, which isn't terrible, but it'd be nice
to eliminate them altogether, ya know?
>
>
>
> Hi,
>
>
>
> they are planned for the next RHEL releases and I'm about to prepare Fedora
packages.
>
>
>
> I did some tests with older RHEL7 versions and didn't come across issues even
with only SASL/GSSAPI when I enforce channel binding and LDAP signing on AD. Would it be
possible to send a network trace which covers the connection attempt of adcli which causes
the issue?
>
>
>
> bye,
>
> Sumit
>
>
>
> >
>
> > Todd
>
> >
>
> > -----Original Message-----
>
> > From: Sumit Bose <sbose@redhat.com<mailto:sbose@redhat.com>>
>
> > Sent: Thursday, February 6, 2020 10:18 AM
>
> > To:
> > sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedoraho
> > st
> > ed.org>
>
> > Subject: [SSSD-users] Re: sssd 1.16.4. ADV190023.
>
> >
>
> > On Thu, Feb 06, 2020 at 03:05:13PM +0000, Ondrej Valousek wrote:
>
> > > did you try refreshing the machine password in AD?Looks like it's too
old.
>
> > > O.
>
> > > ________________________________
>
> > > From: David David
<modrik@seznam.cz<mailto:modrik@seznam.cz>>
>
> > > Sent: Thursday, February 6, 2020 12:09 PM
>
> > > To:
> > > sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedora
> > > ho
> > > sted.org>
>
> > > <sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedor
> > > ah
> > > osted.org>>
>
> > > Subject: [SSSD-users] sssd 1.16.4. ADV190023.
>
> > >
>
> > > Hello,
>
> > > i guess that you probably heard about ADV190023. Our AD admin told me that
linux servers which are under my responsibility send an unsigned request to AD, what could
be a problem related to this incomming Ad patch:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport....
>
> > >
>
> > > I am using sssd in "sssd-ad mode." The communication between a
linux servers and our AD is crypted by kerberos, so this should be ok.
>
> > >
>
> > > I found only one kind of request which could result in potential failure.
After mentioned patching implementation. See please below:
>
> > >
>
> > > (Wed Feb 5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_execute] (0x0400):
>
> > > Task [AD machine account password renewal]: executing task,
> > > timeout
>
> > > 60 seconds (Wed Feb 5 16:57:21 2020) [sssd[be[AD]]]
> > > [be_ptask_done]
>
> > > (0x0400): Task [AD machine account password renewal]: finished
>
> > > successfully (Wed Feb 5 16:57:21 2020) [sssd[be[AD]]]
>
> > > [be_ptask_schedule] (0x0400): Task [AD machine account password
>
> > > renewal]: scheduling task 86400 seconds from last
>
> >
>
> > Hi,
>
> >
>
> > Ondrej is right, those messages are related to adcli trying to
> > update
>
> > the machine account password if it is too old. To check when the
>
> > password was last updated adcli uses LDAP with SASL/GSSAPI. I've
> > added
>
> > a patch so that SASL/GSS-SPNEGO is used when it is available in
> > the AD
>
> > DC side
>
> >
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2F
> > gi
> > tl
>
> > ab.freedesktop.org%2Frealmd%2Fadcli%2Fcommit%2Fa6f795ba3d6048b32d7
> > 86
> > 34
>
> > 68688bf7f42b2cafd&data=02%7C01%7Cmoter%40austin.utexas.edu%7C8
> > 77
> > 19
>
> > 229ad54467ff98808d7b0576033%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1
> > %7
> > C1
>
> > %7C637171761658405405&sdata=rPcG9mknHufVZUy6ege6n2vx%2B1Hy5XQh
> > Dn
> > 7H
>
> > 8ugqlzA%3D&reserved=0 With SASL/GSS-SPNEGO all requirements
> > are
>
> > negotiated automatically and signing should be switched on if required.
>
> >
>
> > With SASL/GSSAPI you might be able to tune this manually, see e.g. the SASL and
GSSAPI options in man ldap.conf for details.
>
> >
>
> > There is also a patch for adcli which tells adcli to use ldaps
>
> >
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2F
> > gi
> > tl
>
> > ab.freedesktop.org%2Frealmd%2Fadcli%2Fcommit%2F85097245b57f1903372
> > 25
> > db
>
> > dbf6e33b58616c092&data=02%7C01%7Cmoter%40austin.utexas.edu%7C8
> > 77
> > 19
>
> > 229ad54467ff98808d7b0576033%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1
> > %7
> > C1
>
> > %7C637171761658405405&sdata=9dY6eOGTKimEYqydWbRFROldOTNRM16t1c
> > ae
> > Uh
>
> > bBTiY%3D&reserved=0 but this is currently not used by SSSD.
> > And in
>
> > general I think using GSS-SPNEGO is sufficient since there is no requirement to
switch to ldaps (if I read the advisory correctly) and AD does not enable ldaps by default
as well.
>
> >
>
> > bye,
>
> > Sumit
>
> >
>
> > >
>
> > > Everytime, this task is executed, our AD write into its log that an
unsighned request came from my linux server. I tried to set ldap_tls_cert and ldap_tls_key
into sssd.conf which point to the cert and key generated by our AD, but without success.
>
> > >
>
> > > I tried to find a proper solution how to sign the request that AD stop
complaining, but nothing usefull found.
>
> > >
>
> > > My question is. Should I be affraid that after the patching, our AD will
stop to communicate with my linux servers?
>
> > >
>
> > > Really thanks in advance for your answer. I really appreciate your
effort.
>
> > > _______________________________________________
>
> > > sssd-users mailing list --
> > > sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedora
> > > ho
> > > sted.org> To
>
> > > unsubscribe send an email to
> > > sssd-users-leave@lists.fedorahosted.org<mailto:sssd-users-leave@
> > > li
> > > sts.fedorahosted.org>
>
> > > Fedora Code of Conduct:
>
> > >
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%
> > > 2F
> > > do
>
> > > cs
>
> > > .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&da
> > > ta
> > > =0
>
> > > 2%
>
> > > 7C01%7Cmoter%40austin.utexas.edu%7Cc0f76fa86d4d42c2aef608d7ab204
> > > bc
> > > 2%
>
> > > 7C
>
> > > 31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C637166027507304667&am
> > > p;
> > > sd
>
> > > at
>
> > > a=v3APmwlHF3i9zi1WE950DEAqCMJCirnyPC4YyF2xJPQ%3D&reserved=0
>
> > > List Guidelines:
>
> > >
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%
> > > 2F
> > > fe
>
> > > do
>
> > > raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%
> > > 7C
> > > mo
>
> > > te
>
> > > r%40austin.utexas.edu%7Cc0f76fa86d4d42c2aef608d7ab204bc2%7C31d7e
> > > 2a
> > > 5b
>
> > > dd
>
> > > 8414e9e97bea998ebdfe1%7C1%7C0%7C637166027507304667&sdata=QUg
> > > cp
> > > i8
>
> > > 2T
>
> > > TRy7qanAkjRey8ZpC2GDy7%2BJ7yXeOrtb8I%3D&reserved=0
>
> > > List Archives:
>
> > >
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%
> > > 2F
> > > li
>
> > > st
>
> > > s.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedora
> > > ho
> > > st
>
> > > ed
>
> > > .org&data=02%7C01%7Cmoter%40austin.utexas.edu%7Cc0f76fa86d4d
> > > 42
> > > c2
>
> > > ae
>
> > > f608d7ab204bc2%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C6371
> > > 66
> > > 02
>
> > > 75
>
> > > 07314661&sdata=oDU3WxA3dStxFQ09%2Fc8qU7qGh1P5w3a9rSe9trG8%2B
> > > x4
> > > %3
>
> > > D&
>
> > > amp;reserved=0
>
> >
>
> > > _______________________________________________
>
> > > sssd-users mailing list --
> > > sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedora
> > > ho
> > > sted.org> To
>
> > > unsubscribe send an email to
> > > sssd-users-leave@lists.fedorahosted.org<mailto:sssd-users-leave@
> > > li
> > > sts.fedorahosted.org>
>
> > > Fedora Code of Conduct:
>
> > >
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%
> > > 2F
> > > do
>
> > > cs
>
> > > .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&da
> > > ta
> > > =0
>
> > > 2%
>
> > > 7C01%7Cmoter%40austin.utexas.edu%7Cc0f76fa86d4d42c2aef608d7ab204
> > > bc
> > > 2%
>
> > > 7C
>
> > > 31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C637166027507314661&am
> > > p;
> > > sd
>
> > > at
>
> > > a=b%2Fu1IXQ%2F42XEq3c6DYwzTyYno4azJb3qvUtPiZmOdrc%3D&reserve
> > > d=
> > > 0
>
> > > List Guidelines:
>
> > >
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%
> > > 2F
> > > fe
>
> > > do
>
> > > raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%
> > > 7C
> > > mo
>
> > > te
>
> > > r%40austin.utexas.edu%7Cc0f76fa86d4d42c2aef608d7ab204bc2%7C31d7e
> > > 2a
> > > 5b
>
> > > dd
>
> > > 8414e9e97bea998ebdfe1%7C1%7C0%7C637166027507314661&sdata=CIJ
> > > al
> > > 5z
>
> > > 4E
>
> > > nNOIQFsuveKmlEK1wMzIx79ZaXavinrtsk%3D&reserved=0
>
> > > List Archives:
>
> > >
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%
> > > 2F
> > > li
>
> > > st
>
> > > s.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedora
> > > ho
> > > st
>
> > > ed
>
> > > .org&data=02%7C01%7Cmoter%40austin.utexas.edu%7Cc0f76fa86d4d
> > > 42
> > > c2
>
> > > ae
>
> > > f608d7ab204bc2%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C6371
> > > 66
> > > 02
>
> > > 75
>
> > > 07314661&sdata=oDU3WxA3dStxFQ09%2Fc8qU7qGh1P5w3a9rSe9trG8%2B
> > > x4
> > > %3
>
> > > D&
>
> > > amp;reserved=0
>
> > _______________________________________________
>
> > sssd-users mailing list --
> > sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedoraho
> > st
> > ed.org> To
>
> > unsubscribe send an email to
> > sssd-users-leave@lists.fedorahosted.org<mailto:sssd-users-leave@li
> > st
> > s.fedorahosted.org>
>
> > Fedora Code of Conduct:
>
> >
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2F
> > do
> > cs
>
> > .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data
> > =0
> > 2%
>
> > 7C01%7Cmoter%40austin.utexas.edu%7C87719229ad54467ff98808d7b057603
> > 3%
> > 7C
>
> > 31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C1%7C637171761658415397&
> > sd
> > at
>
> > a=CY5%2B8lrh6B9UIqXNYXSzpIyeRI93sHge9cuKB8KDBdk%3D&reserved=0
>
> > List Guidelines:
>
> >
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2F
> > fe
> > do
>
> > raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7C
> > mo
> > te
>
> > r%40austin.utexas.edu%7C87719229ad54467ff98808d7b0576033%7C31d7e2a
> > 5b
> > dd
>
> > 8414e9e97bea998ebdfe1%7C1%7C1%7C637171761658415397&sdata=uFxkG
> > T3
> > GV
>
> > Y3moV7TxfDo%2BNHyz%2B8AUbVpApIxs3PTmzs%3D&reserved=0
>
> > List Archives:
>
> >
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2F
> > li
> > st
>
> > s.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedoraho
> > st
> > ed
>
> > .org&data=02%7C01%7Cmoter%40austin.utexas.edu%7C87719229ad5446
> > 7f
> > f9
>
> > 8808d7b0576033%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C1%7C637171
> > 76
> > 16
>
> > 58415397&sdata=qZHqxPWZzftm51GK%2F29gM3NM9f5QnsoRQE2kqWGs3Os%3
> > D&
> > am
>
> > p;reserved=0
>
> > >> This message is from an external sender. Learn more about why
> > >> this <<
>
> > >> matters at
https://links.utexas.edu/rtyclf.
<<
>
> > _______________________________________________
>
> > sssd-users mailing list --
> > sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedoraho
> > st
> > ed.org> To
>
> > unsubscribe send an email to
> > sssd-users-leave@lists.fedorahosted.org<mailto:sssd-users-leave@li
> > st
> > s.fedorahosted.org>
>
> > Fedora Code of Conduct:
>
> >
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2F
> > do
> > cs
>
> > .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data
> > =0
> > 2%
>
> > 7C01%7Cmoter%40austin.utexas.edu%7C87719229ad54467ff98808d7b057603
> > 3%
> > 7C
>
> > 31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C1%7C637171761658415397&
> > sd
> > at
>
> > a=CY5%2B8lrh6B9UIqXNYXSzpIyeRI93sHge9cuKB8KDBdk%3D&reserved=0
>
> > List Guidelines:
>
> >
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2F
> > fe
> > do
>
> > raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7C
> > mo
> > te
>
> > r%40austin.utexas.edu%7C87719229ad54467ff98808d7b0576033%7C31d7e2a
> > 5b
> > dd
>
> > 8414e9e97bea998ebdfe1%7C1%7C1%7C637171761658415397&sdata=uFxkG
> > T3
> > GV
>
> > Y3moV7TxfDo%2BNHyz%2B8AUbVpApIxs3PTmzs%3D&reserved=0
>
> > List Archives:
>
> >
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2F
> > li
> > st
>
> > s.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedoraho
> > st
> > ed
>
> > .org&data=02%7C01%7Cmoter%40austin.utexas.edu%7C87719229ad5446
> > 7f
> > f9
>
> > 8808d7b0576033%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C1%7C637171
> > 76
> > 16
>
> > 58415397&sdata=qZHqxPWZzftm51GK%2F29gM3NM9f5QnsoRQE2kqWGs3Os%3
> > D&
> > am
>
> > p;reserved=0
>
> _______________________________________________
>
> sssd-users mailing list --
> sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahost
> ed .org> To unsubscribe send an email to
> sssd-users-leave@lists.fedorahosted.org<mailto:sssd-users-leave@lists.
> fedorahosted.org>
>
> Fedora Code of Conduct:
>
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdo
> cs
> .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=0
> 2%
> 7C01%7Cmoter%40austin.utexas.edu%7C282ee4414b1242200e5908d7b0944929%
> 7C
> 31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C637172023246950934&sd
> at
> a=vSoy%2BB6PumDUGbPgpbIip%2F4NVQSev5zeLn5q6czf7Iw%3D&reserved=0
>
> List Guidelines:
>
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffe
> do
> raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Cmo
> te
> r%40austin.utexas.edu%7C282ee4414b1242200e5908d7b0944929%7C31d7e2a5b
> dd
> 8414e9e97bea998ebdfe1%7C1%7C1%7C637172023246960925&sdata=zH1dfRZ
> EX
> 1IkkAWUBORT62TbdyCptLfFTR0LXj6YKAo%3D&reserved=0
>
> List Archives:
>
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fli
> st
> s.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedorahost
> ed
> .org&data=02%7C01%7Cmoter%40austin.utexas.edu%7C282ee4414b124220
> 0e
> 5908d7b0944929%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C1%7C63717202
> 32
> 46960925&sdata=9TGUHFXcI%2F%2B%2F8mbnbSrdiYYlghMPkddrwQ3jS%2FB%2
> BJ
> 1g%3D&reserved=0
>
> >> This message is from an external sender. Learn more about why
> >> this <<
>
> >> matters at
https://links.utexas.edu/rtyclf.
<<
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To
> unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
>
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdo
> cs
> .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=0
> 2%
> 7C01%7Cmoter%40austin.utexas.edu%7C282ee4414b1242200e5908d7b0944929%
> 7C
> 31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C637172023246960925&sd
> at
> a=9uSFPFkpIr5qK0W13Hes8pno8hu3WC0E1jqGkcCLTrQ%3D&reserved=0
> List Guidelines:
>
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffe
> do
> raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Cmo
> te
> r%40austin.utexas.edu%7C282ee4414b1242200e5908d7b0944929%7C31d7e2a5b
> dd
> 8414e9e97bea998ebdfe1%7C1%7C1%7C637172023246960925&sdata=zH1dfRZ
> EX
> 1IkkAWUBORT62TbdyCptLfFTR0LXj6YKAo%3D&reserved=0
> List Archives:
>
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fli
> st
> s.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedorahost
> ed
> .org&data=02%7C01%7Cmoter%40austin.utexas.edu%7C282ee4414b124220
> 0e
> 5908d7b0944929%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C1%7C63717202
> 32
> 46960925&sdata=9TGUHFXcI%2F%2B%2F8mbnbSrdiYYlghMPkddrwQ3jS%2FB%2
> BJ
> 1g%3D&reserved=0
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To
unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs
.fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=02%
7C01%7Cmoter%40austin.utexas.edu%7C1f2c72cd1e634f20436e08d7b097e7ed%7C
31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C637172038795857934&sdat
a=xsP01ReHvU%2Bb4iYB9RK9CUF%2FonjBnTHJVj8GWg04IcU%3D&reserved=0
List Guidelines:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedo
raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Cmote
r%40austin.utexas.edu%7C1f2c72cd1e634f20436e08d7b097e7ed%7C31d7e2a5bdd
8414e9e97bea998ebdfe1%7C1%7C1%7C637172038795857934&sdata=4z4neBp82
Pt0qXho9s8iV6z%2BHbor5Mk2YQKrKlLPI9s%3D&reserved=0
List Archives:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist
s.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedorahosted
.org&data=02%7C01%7Cmoter%40austin.utexas.edu%7C1f2c72cd1e634f2043
6e08d7b097e7ed%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C1%7C6371720387
95857934&sdata=mRu15iYSrZKagsJs77178vKxa3A6aVq%2FIFzJIZo1jEE%3D&am
p;reserved=0
>> This message is from an external sender. Learn more about why this <<
>> matters at
https://links.utexas.edu/rtyclf. <<
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To
unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs
.fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=02%
7C01%7Cmoter%40austin.utexas.edu%7C1f2c72cd1e634f20436e08d7b097e7ed%7C
31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C637172038795857934&sdat
a=xsP01ReHvU%2Bb4iYB9RK9CUF%2FonjBnTHJVj8GWg04IcU%3D&reserved=0
List Guidelines:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedo
raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Cmote
r%40austin.utexas.edu%7C1f2c72cd1e634f20436e08d7b097e7ed%7C31d7e2a5bdd
8414e9e97bea998ebdfe1%7C1%7C1%7C637172038795857934&sdata=4z4neBp82
Pt0qXho9s8iV6z%2BHbor5Mk2YQKrKlLPI9s%3D&reserved=0
List Archives:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist
s.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedorahosted
.org&data=02%7C01%7Cmoter%40austin.utexas.edu%7C1f2c72cd1e634f2043
6e08d7b097e7ed%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C1%7C6371720387
95867924&sdata=kZP%2BErxE13OEJzn7KkUeH%2B4kPR5j3%2B8E9iquHNJ8nb4%3
D&reserved=0
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To unsubscribe send an email
to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: