On Tue, 2017-01-03 at 09:42 -0500, Stephen Gallagher wrote:
On 12/29/2016 09:03 AM, Jakub Hrozek wrote:
If I configure the server to enforce STARTTLS is SSSD "smart enough" to work with that if I use sssd-ad or would I need to go the LDAP+Kerberos route in order to configure some of the TLS-related settings?
The gssapi authentication is by default and cannot even be changed with sssd-ad.
Just to clarify here: the GSSAPI used by SSSD also provides encrypted communication. You do not need to enable TLS as well (and I think SSSD will just ignore that option in this case).
To add to that, although our libraries will allow it, Windows systems refuse to do GSSAPI encryption over a TLS channel, so do not try to use both.
Simo.