Ahoj Ondro, well my knowledge about sssd is limited, but I would say that the daemon did it instead of me. See the middle message: Task [AD machine account password renewal]: finished successfully
This task is by default scheduled after restart of sssd service always.
However, I probably found another way how to stay safe after AD patching - I have switched from id_provider = ad to id_provider = ldap, which allowed me to specify ldap_uri = ldaps://our_ad_machine.domain. After restarting sssd, AD has stopped complaining about unsigned requests, because all communication is handled over TLS 1.2.
But I am still curious if there is another solution in case I would like to keep the setting in mode id_provider = ad. Is there any way to sign this kind of request? We were afraid that AD would refuse all unsigned communication after the AD patch is applied.
Thanks a lot for your knowledge sharing :)
Hmm, the solution with ldap_uri=ldaps://.... is a bit ugly and personally I wonder that it works (unless you used a public CA to sign AD connections which is, I'd say, quite rare to see) because normally to do that you need to import AD certs. I guess sssd developers could shed some light on it as I'm not sure either.
Ondra
________________________________
From: David David modrik@seznam.cz
Sent: Thursday, February 6, 2020 5:20 PM
To: sssd-users@lists.fedorahosted.org sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: sssd 1.16.4. ADV190023.