On Wed, Feb 12, 2020 at 01:11:14PM +0000, Mote, Todd wrote:
Sumit
Any idea on when your SASL/GSS-SPNEGO patch for adcli might make it downstream? It seems that adcli is checking once an hour on the age of the password and is the only thing left on my test hosts that is triggering the Unsigned SASL event on our domain controllers. I have tinkered with the GSSAPI and other settings in ldap.conf, so none of the connections are simple, just unsigned, which isn't terrible, but it'd be nice to eliminate them altogether, ya know?
Hi,
they are planned for the next RHEL releases and I'm about to prepare Fedora packages.
I did some tests with older RHEL7 versions and didn't come across issues even with only SASL/GSSAPI when I enforce channel binding and LDAP signing on AD. Would it be possible to send a network trace which covers the connection attempt of adcli which causes the issue?
bye, Sumit
Todd
-----Original Message----- From: Sumit Bose sbose@redhat.com Sent: Thursday, February 6, 2020 10:18 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: sssd 1.16.4. ADV190023.
On Thu, Feb 06, 2020 at 03:05:13PM +0000, Ondrej Valousek wrote:
did you try refreshing the machine password in AD?Looks like it's too old. O. ________________________________ From: David David modrik@seznam.cz Sent: Thursday, February 6, 2020 12:09 PM To: sssd-users@lists.fedorahosted.org sssd-users@lists.fedorahosted.org Subject: [SSSD-users] sssd 1.16.4. ADV190023.
Hello, i guess that you probably heard about ADV190023. Our AD admin told me that linux servers which are under my responsibility send an unsigned request to AD, what could be a problem related to this incomming Ad patch: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.mi....
I am using sssd in "sssd-ad mode." The communication between a linux servers and our AD is crypted by kerberos, so this should be ok.
I found only one kind of request which could result in potential failure. After mentioned patching implementation. See please below:
(Wed Feb 5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds (Wed Feb 5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully (Wed Feb 5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 86400 seconds from last
Hi,
Ondrej is right, those messages are related to adcli trying to update the machine account password if it is too old. To check when the password was last updated adcli uses LDAP with SASL/GSSAPI. I've added a patch so that SASL/GSS-SPNEGO is used when it is available in the AD DC side https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitlab.fre... With SASL/GSS-SPNEGO all requirements are negotiated automatically and signing should be switched on if required.
With SASL/GSSAPI you might be able to tune this manually, see e.g. the SASL and GSSAPI options in man ldap.conf for details.
There is also a patch for adcli which tells adcli to use ldaps https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitlab.fre... but this is currently not used by SSSD. And in general I think using GSS-SPNEGO is sufficient since there is no requirement to switch to ldaps (if I read the advisory correctly) and AD does not enable ldaps by default as well.
bye, Sumit
Everytime, this task is executed, our AD write into its log that an unsighned request came from my linux server. I tried to set ldap_tls_cert and ldap_tls_key into sssd.conf which point to the cert and key generated by our AD, but without success.
I tried to find a proper solution how to sign the request that AD stop complaining, but nothing usefull found.
My question is. Should I be affraid that after the patching, our AD will stop to communicate with my linux servers?
Really thanks in advance for your answer. I really appreciate your effort. _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=02% 7C01%7Cmoter%40austin.utexas.edu%7Cc0f76fa86d4d42c2aef608d7ab204bc2%7C 31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C637166027507304667&sdat a=v3APmwlHF3i9zi1WE950DEAqCMJCirnyPC4YyF2xJPQ%3D&reserved=0 List Guidelines: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedo raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Cmote r%40austin.utexas.edu%7Cc0f76fa86d4d42c2aef608d7ab204bc2%7C31d7e2a5bdd 8414e9e97bea998ebdfe1%7C1%7C0%7C637166027507304667&sdata=QUgcpi82T TRy7qanAkjRey8ZpC2GDy7%2BJ7yXeOrtb8I%3D&reserved=0 List Archives: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist s.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedorahosted .org&data=02%7C01%7Cmoter%40austin.utexas.edu%7Cc0f76fa86d4d42c2ae f608d7ab204bc2%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C6371660275 07314661&sdata=oDU3WxA3dStxFQ09%2Fc8qU7qGh1P5w3a9rSe9trG8%2Bx4%3D& amp;reserved=0
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs .fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=02% 7C01%7Cmoter%40austin.utexas.edu%7Cc0f76fa86d4d42c2aef608d7ab204bc2%7C 31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C637166027507314661&sdat a=b%2Fu1IXQ%2F42XEq3c6DYwzTyYno4azJb3qvUtPiZmOdrc%3D&reserved=0 List Guidelines: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedo raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Cmote r%40austin.utexas.edu%7Cc0f76fa86d4d42c2aef608d7ab204bc2%7C31d7e2a5bdd 8414e9e97bea998ebdfe1%7C1%7C0%7C637166027507314661&sdata=CIJal5z4E nNOIQFsuveKmlEK1wMzIx79ZaXavinrtsk%3D&reserved=0 List Archives: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist s.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedorahosted .org&data=02%7C01%7Cmoter%40austin.utexas.edu%7Cc0f76fa86d4d42c2ae f608d7ab204bc2%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C6371660275 07314661&sdata=oDU3WxA3dStxFQ09%2Fc8qU7qGh1P5w3a9rSe9trG8%2Bx4%3D& amp;reserved=0
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fedor... List Guidelines: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedoraproj... List Archives: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.fedo...
This message is from an external sender. Learn more about why this << matters at https://links.utexas.edu/rtyclf. <<
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
I'll work on getting that today. This is what I know so far.
Test system updated through our Satellite, so nothing special or different. Yum updated everything:
RHEL 7.7
sssd-1.16.4-21.el7_7.1.x86_64
adcli-0.8.1-9.el7.x86_64
Domain:
Windows Server 2016
regkey ldapserverintegrity=2
regkey ldapenforcechannelbinding=1
we splunk our domain logs and my coworker wrote a dashboard to display the entries when either simple binds or unsigned sasl occur. Over the last 24 hours my test host triggered the unsigned sasl entry 13 times. Each entry corresponds precisely to the adcli check password attempt in the logs. It doesn't log an unsigned sasl event every hour, and a couple of times not at all for several hours. I'm not sure what's behind that. Times here are UTC -6. I’m in the 7:00 hour here. The most recent entry is below. I’ll work to get a trace running by the next hour, in case it logs it again.
This behavior also happens with RHEL 8, sssd 2.2 and adcli 0.8.2. I see the same entries logged in both the sssd log on the device and the domain.
Timestamphttps://splunk.security.utexas.edu/en-US/app/ut_itsy-ad-monitoring/search?earliest=-24h%40h&latest=now&q=search%20%60ADlogs%60%20source%3D%22WinEventLog%3ADirectory%20Service%22%20EventCode%3D2889%20%7C%20rex%20field%3DMessage%20%22(%3Fs)%5E(%3F%3CeMessage%3E.*%5C.)%5Cs*Client%20IP%20address%3A%5Cs*(%3F%3CClientIPAddress%3E.*)%3A(%3F%3CPort%3E%5Cd%2B)%5Cs*Identity%20the%20client%20attempted%20to%20authenticate%20as%3A%5Cs*(%3F%3CUserName%3E%5CS*)%5Cs*Binding%20Type%3A%5Cs*(%3F%3CBindingType%3E%5Cd)%24%22%20%7C%20eval%20Timestamp%3Dstrftime(_time%2C%20%22%25m-%25d-%25Y%20%25H%3A%25M%3A%25S%22)%20%7C%20lookup%20dnslookup%20clientip%20as%20ClientIPAddress%20OUTPUT%20clienthost%20as%20FQDN%20%7C%20search%20BindingType%3D*%20ClientIPAddress%3D146.6.182.226%20%7C%20%20eval%20BindingType%3Dcase(BindingType%3D%3D0%2C%22Unsigned%20SASL%22%2CBindingType%3D%3D1%2C%22Simple%22)%20%7C%20sort%20-Timestamp%20%7C%20rename%20ClientIPAddress%20as%20%22Client%20IP%20Address%22%2CUserName%20as%20%22User%20Name%22%2CBindingType%20as%20%22Binding%20Type%22%20%7C%20table%20Timestamp%2C%22Client%20IP%20Address%22%2CFQDN%2C%22User%20Name%22%2C%22Binding%20Type%22&display.page.search.mode=smart&dispatch.sample_ratio=1&display.page.search.tab=statistics&display.general.type=statistics&display.statistics.sortColumn=Timestamp&display.statistics.sortDirection=desc&sid=1581600147.468973_8220FB8F-01FA-4F7E-929B-F56DE7E31D3B User Namehttps://splunk.security.utexas.edu/en-US/app/ut_itsy-ad-monitoring/search?earliest=-24h%40h&latest=now&q=search%20%60ADlogs%60%20source%3D%22WinEventLog%3ADirectory%20Service%22%20EventCode%3D2889%20%7C%20rex%20field%3DMessage%20%22(%3Fs)%5E(%3F%3CeMessage%3E.*%5C.)%5Cs*Client%20IP%20address%3A%5Cs*(%3F%3CClientIPAddress%3E.*)%3A(%3F%3CPort%3E%5Cd%2B)%5Cs*Identity%20the%20client%20attempted%20to%20authenticate%20as%3A%5Cs*(%3F%3CUserName%3E%5CS*)%5Cs*Binding%20Type%3A%5Cs*(%3F%3CBindingType%3E%5Cd)%24%22%20%7C%20eval%20Timestamp%3Dstrftime(_time%2C%20%22%25m-%25d-%25Y%20%25H%3A%25M%3A%25S%22)%20%7C%20lookup%20dnslookup%20clientip%20as%20ClientIPAddress%20OUTPUT%20clienthost%20as%20FQDN%20%7C%20search%20BindingType%3D*%20ClientIPAddress%3D146.6.182.226%20%7C%20%20eval%20BindingType%3Dcase(BindingType%3D%3D0%2C%22Unsigned%20SASL%22%2CBindingType%3D%3D1%2C%22Simple%22)%20%7C%20sort%20-Timestamp%20%7C%20rename%20ClientIPAddress%20as%20%22Client%20IP%20Address%22%2CUserName%20as%20%22User%20Name%22%2CBindingType%20as%20%22Binding%20Type%22%20%7C%20table%20Timestamp%2C%22Client%20IP%20Address%22%2CFQDN%2C%22User%20Name%22%2C%22Binding%20Type%22&display.page.search.mode=smart&dispatch.sample_ratio=1&display.page.search.tab=statistics&display.general.type=statistics&display.statistics.sortColumn=Timestamp&display.statistics.sortDirection=desc&sid=1581600147.468973_8220FB8F-01FA-4F7E-929B-F56DE7E31D3B Binding Typehttps://splunk.security.utexas.edu/en-US/app/ut_itsy-ad-monitoring/search?earliest=-24h%40h&latest=now&q=search%20%60ADlogs%60%20source%3D%22WinEventLog%3ADirectory%20Service%22%20EventCode%3D2889%20%7C%20rex%20field%3DMessage%20%22(%3Fs)%5E(%3F%3CeMessage%3E.*%5C.)%5Cs*Client%20IP%20address%3A%5Cs*(%3F%3CClientIPAddress%3E.*)%3A(%3F%3CPort%3E%5Cd%2B)%5Cs*Identity%20the%20client%20attempted%20to%20authenticate%20as%3A%5Cs*(%3F%3CUserName%3E%5CS*)%5Cs*Binding%20Type%3A%5Cs*(%3F%3CBindingType%3E%5Cd)%24%22%20%7C%20eval%20Timestamp%3Dstrftime(_time%2C%20%22%25m-%25d-%25Y%20%25H%3A%25M%3A%25S%22)%20%7C%20lookup%20dnslookup%20clientip%20as%20ClientIPAddress%20OUTPUT%20clienthost%20as%20FQDN%20%7C%20search%20BindingType%3D*%20ClientIPAddress%3D146.6.182.226%20%7C%20%20eval%20BindingType%3Dcase(BindingType%3D%3D0%2C%22Unsigned%20SASL%22%2CBindingType%3D%3D1%2C%22Simple%22)%20%7C%20sort%20-Timestamp%20%7C%20rename%20ClientIPAddress%20as%20%22Client%20IP%20Address%22%2CUserName%20as%20%22User%20Name%22%2CBindingType%20as%20%22Binding%20Type%22%20%7C%20table%20Timestamp%2C%22Client%20IP%20Address%22%2CFQDN%2C%22User%20Name%22%2C%22Binding%20Type%22&display.page.search.mode=smart&dispatch.sample_ratio=1&display.page.search.tab=statistics&display.general.type=statistics&display.statistics.sortColumn=Timestamp&display.statistics.sortDirection=desc&sid=1581600147.468973_8220FB8F-01FA-4F7E-929B-F56DE7E31D3B 02-13-2020 07:12:33 ADTEST\ANTI-TEST$ Unsigned SASL 02-13-2020 05:12:34 ADTEST\ANTI-TEST$ Unsigned SASL 02-13-2020 03:12:34 ADTEST\ANTI-TEST$ Unsigned SASL 02-13-2020 02:12:35 ADTEST\ANTI-TEST$ Unsigned SASL 02-13-2020 01:12:34 ADTEST\ANTI-TEST$ Unsigned SASL 02-12-2020 23:12:34 ADTEST\ANTI-TEST$ Unsigned SASL 02-12-2020 22:12:34 ADTEST\ANTI-TEST$ Unsigned SASL 02-12-2020 19:12:34 ADTEST\ANTI-TEST$ Unsigned SASL 02-12-2020 17:12:34 ADTEST\ANTI-TEST$ Unsigned SASL 02-12-2020 14:12:34 ADTEST\ANTI-TEST$ Unsigned SASL 02-12-2020 13:12:34 ADTEST\ANTI-TEST$ Unsigned SASL 02-12-2020 09:12:35 ADTEST\ANTI-TEST$ Unsigned SASL 02-12-2020 08:12:34 ADTEST\ANTI-TEST$ Unsigned SASL
(Thu Feb 13 07:12:33 2020) [sssd[be[adtest.domain.com]]] [ad_machine_account_password_renewal_done] (0x1000): --- adcli output start---
* Found realm in keytab: ADTEST.domain.com
* Found computer name in keytab: ANTI-TEST
* Found service principal in keytab: host/ANTI-TEST
* Found service principal in keytab: host/anti-test.adtest.domain.com
* Found host qualified name in keytab: anti-test.adtest.domain.com
* Found service principal in keytab: RestrictedKrbHost/ANTI-TEST
* Found service principal in keytab: RestrictedKrbHost/anti-test.adtest.domain.com
* Using fully qualified name: anti-test.adtest.domain.com
* Using domain name: adtest.domain.com
* Calculated computer account name from fqdn: ANTI-TEST
* Using domain realm: adtest.domain.com
* Sending netlogon pings to domain controller: cldap:// xxx.xxx.xxx.xxx
* Received NetLogon info from: dc01a.adtest.domain.com
* Wrote out krb5.conf snippet to /tmp/adcli-krb5-RCmgmC/krb5.d/adcli-krb5-conf-vPdhBf
* Authenticated as default/reset computer account: ANTI-TEST
* Looked up short domain name: ADTEST
* Looked up domain SID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx
* Using fully qualified name: anti-test.adtest.domain.com
* Using domain name: adtest.domain.com
* Using computer account name: ANTI-TEST
* Using domain realm: adtest.domain.com
* Using fully qualified name: anti-test.adtest.domain.com
* Enrolling computer name: ANTI-TEST
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Found computer account for ANTI-TEST$ at: CN=ANTI-TEST,OU=Dev,OU=Linux,OU=moter,OU=ITSY-Staff,OU=ITSY,OU=Departments,DC=adtest,DC=domain,DC=com
* Retrieved kvno '6' for computer account in directory: CN=ANTI-TEST,OU=Dev,OU=Linux,OU=moter,OU=ITSY-Staff,OU=ITSY,OU=Departments,DC=adtest,DC=domain,DC=com
* Password not too old, no change needed
* Sending netlogon pings to domain controller: cldap://xxx.xxx.xxx.xxx
* Received NetLogon info from: dc01a.adtest.domain.com
* Checking RestrictedKrbHost/anti-test.adtest.domain.com
* Added RestrictedKrbHost/anti-test.adtest.domain.com
* Checking host/anti-test.adtest.domain.com
* Added host/anti-test.adtest.domain.com
* Checking RestrictedKrbHost/ANTI-TEST
* Added RestrictedKrbHost/ANTI-TEST
* Checking host/ANTI-TEST
* Added host/ANTI-TEST
---adcli output end---
Todd
-----Original Message----- From: Sumit Bose sbose@redhat.com Sent: Thursday, February 13, 2020 1:36 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: sssd 1.16.4. ADV190023.
On Wed, Feb 12, 2020 at 01:11:14PM +0000, Mote, Todd wrote:
Sumit
Any idea on when your SASL/GSS-SPNEGO patch for adcli might make it downstream? It seems that adcli is checking once an hour on the age of the password and is the only thing left on my test hosts that is triggering the Unsigned SASL event on our domain controllers. I have tinkered with the GSSAPI and other settings in ldap.conf, so none of the connections are simple, just unsigned, which isn't terrible, but it'd be nice to eliminate them altogether, ya know?
Hi,
they are planned for the next RHEL releases and I'm about to prepare Fedora packages.
I did some tests with older RHEL7 versions and didn't come across issues even with only SASL/GSSAPI when I enforce channel binding and LDAP signing on AD. Would it be possible to send a network trace which covers the connection attempt of adcli which causes the issue?
bye,
Sumit
Todd
-----Original Message-----
From: Sumit Bose <sbose@redhat.commailto:sbose@redhat.com>
Sent: Thursday, February 6, 2020 10:18 AM
To: sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: sssd 1.16.4. ADV190023.
On Thu, Feb 06, 2020 at 03:05:13PM +0000, Ondrej Valousek wrote:
did you try refreshing the machine password in AD?Looks like it's too old.
O.
From: David David <modrik@seznam.czmailto:modrik@seznam.cz>
Sent: Thursday, February 6, 2020 12:09 PM
To: sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
<sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org>
Subject: [SSSD-users] sssd 1.16.4. ADV190023.
Hello,
i guess that you probably heard about ADV190023. Our AD admin told me that linux servers which are under my responsibility send an unsigned request to AD, what could be a problem related to this incomming Ad patch: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.mi....
I am using sssd in "sssd-ad mode." The communication between a linux servers and our AD is crypted by kerberos, so this should be ok.
I found only one kind of request which could result in potential failure. After mentioned patching implementation. See please below:
(Wed Feb 5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_execute] (0x0400):
Task [AD machine account password renewal]: executing task, timeout
60 seconds (Wed Feb 5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_done]
(0x0400): Task [AD machine account password renewal]: finished
successfully (Wed Feb 5 16:57:21 2020) [sssd[be[AD]]]
[be_ptask_schedule] (0x0400): Task [AD machine account password
renewal]: scheduling task 86400 seconds from last
Hi,
Ondrej is right, those messages are related to adcli trying to update
the machine account password if it is too old. To check when the
password was last updated adcli uses LDAP with SASL/GSSAPI. I've added
a patch so that SASL/GSS-SPNEGO is used when it is available in the AD
DC side
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitl
ab.freedesktop.org%2Frealmd%2Fadcli%2Fcommit%2Fa6f795ba3d6048b32d78634
68688bf7f42b2cafd&data=02%7C01%7Cmoter%40austin.utexas.edu%7C87719
229ad54467ff98808d7b0576033%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C1
%7C637171761658405405&sdata=rPcG9mknHufVZUy6ege6n2vx%2B1Hy5XQhDn7H
8ugqlzA%3D&reserved=0 With SASL/GSS-SPNEGO all requirements are
negotiated automatically and signing should be switched on if required.
With SASL/GSSAPI you might be able to tune this manually, see e.g. the SASL and GSSAPI options in man ldap.conf for details.
There is also a patch for adcli which tells adcli to use ldaps
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgitl
ab.freedesktop.org%2Frealmd%2Fadcli%2Fcommit%2F85097245b57f190337225db
dbf6e33b58616c092&data=02%7C01%7Cmoter%40austin.utexas.edu%7C87719
229ad54467ff98808d7b0576033%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C1
%7C637171761658405405&sdata=9dY6eOGTKimEYqydWbRFROldOTNRM16t1caeUh
bBTiY%3D&reserved=0 but this is currently not used by SSSD. And in
general I think using GSS-SPNEGO is sufficient since there is no requirement to switch to ldaps (if I read the advisory correctly) and AD does not enable ldaps by default as well.
bye,
Sumit
Everytime, this task is executed, our AD write into its log that an unsighned request came from my linux server. I tried to set ldap_tls_cert and ldap_tls_key into sssd.conf which point to the cert and key generated by our AD, but without success.
I tried to find a proper solution how to sign the request that AD stop complaining, but nothing usefull found.
My question is. Should I be affraid that after the patching, our AD will stop to communicate with my linux servers?
Really thanks in advance for your answer. I really appreciate your effort.
sssd-users mailing list -- sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org To
unsubscribe send an email to sssd-users-leave@lists.fedorahosted.orgmailto:sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdo
cs
.fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=0
2%
7C01%7Cmoter%40austin.utexas.edu%7Cc0f76fa86d4d42c2aef608d7ab204bc2%
7C
31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C637166027507304667&sd
at
a=v3APmwlHF3i9zi1WE950DEAqCMJCirnyPC4YyF2xJPQ%3D&reserved=0
List Guidelines:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffe
do
raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Cmo
te
r%40austin.utexas.edu%7Cc0f76fa86d4d42c2aef608d7ab204bc2%7C31d7e2a5b
dd
8414e9e97bea998ebdfe1%7C1%7C0%7C637166027507304667&sdata=QUgcpi8
2T
TRy7qanAkjRey8ZpC2GDy7%2BJ7yXeOrtb8I%3D&reserved=0
List Archives:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fli
st
s.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedorahost
ed
.org&data=02%7C01%7Cmoter%40austin.utexas.edu%7Cc0f76fa86d4d42c2
ae
f608d7ab204bc2%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C63716602
75
07314661&sdata=oDU3WxA3dStxFQ09%2Fc8qU7qGh1P5w3a9rSe9trG8%2Bx4%3
D&
amp;reserved=0
sssd-users mailing list -- sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org To
unsubscribe send an email to sssd-users-leave@lists.fedorahosted.orgmailto:sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdo
cs
.fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=0
2%
7C01%7Cmoter%40austin.utexas.edu%7Cc0f76fa86d4d42c2aef608d7ab204bc2%
7C
31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C637166027507314661&sd
at
a=b%2Fu1IXQ%2F42XEq3c6DYwzTyYno4azJb3qvUtPiZmOdrc%3D&reserved=0
List Guidelines:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffe
do
raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Cmo
te
r%40austin.utexas.edu%7Cc0f76fa86d4d42c2aef608d7ab204bc2%7C31d7e2a5b
dd
8414e9e97bea998ebdfe1%7C1%7C0%7C637166027507314661&sdata=CIJal5z
4E
nNOIQFsuveKmlEK1wMzIx79ZaXavinrtsk%3D&reserved=0
List Archives:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fli
st
s.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedorahost
ed
.org&data=02%7C01%7Cmoter%40austin.utexas.edu%7Cc0f76fa86d4d42c2
ae
f608d7ab204bc2%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C0%7C63716602
75
07314661&sdata=oDU3WxA3dStxFQ09%2Fc8qU7qGh1P5w3a9rSe9trG8%2Bx4%3
D&
amp;reserved=0
sssd-users mailing list -- sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org To
unsubscribe send an email to sssd-users-leave@lists.fedorahosted.orgmailto:sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs
.fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=02%
7C01%7Cmoter%40austin.utexas.edu%7C87719229ad54467ff98808d7b0576033%7C
31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C1%7C637171761658415397&sdat
a=CY5%2B8lrh6B9UIqXNYXSzpIyeRI93sHge9cuKB8KDBdk%3D&reserved=0
List Guidelines:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedo
raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Cmote
r%40austin.utexas.edu%7C87719229ad54467ff98808d7b0576033%7C31d7e2a5bdd
8414e9e97bea998ebdfe1%7C1%7C1%7C637171761658415397&sdata=uFxkGT3GV
Y3moV7TxfDo%2BNHyz%2B8AUbVpApIxs3PTmzs%3D&reserved=0
List Archives:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist
s.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedorahosted
.org&data=02%7C01%7Cmoter%40austin.utexas.edu%7C87719229ad54467ff9
8808d7b0576033%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C1%7C6371717616
58415397&sdata=qZHqxPWZzftm51GK%2F29gM3NM9f5QnsoRQE2kqWGs3Os%3D&am
p;reserved=0
This message is from an external sender. Learn more about why this <<
matters at https://links.utexas.edu/rtyclf. <<
sssd-users mailing list -- sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org To
unsubscribe send an email to sssd-users-leave@lists.fedorahosted.orgmailto:sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs
.fedoraproject.org%2Fen-US%2Fproject%2Fcode-of-conduct%2F&data=02%
7C01%7Cmoter%40austin.utexas.edu%7C87719229ad54467ff98808d7b0576033%7C
31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C1%7C637171761658415397&sdat
a=CY5%2B8lrh6B9UIqXNYXSzpIyeRI93sHge9cuKB8KDBdk%3D&reserved=0
List Guidelines:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedo
raproject.org%2Fwiki%2FMailing_list_guidelines&data=02%7C01%7Cmote
r%40austin.utexas.edu%7C87719229ad54467ff98808d7b0576033%7C31d7e2a5bdd
8414e9e97bea998ebdfe1%7C1%7C1%7C637171761658415397&sdata=uFxkGT3GV
Y3moV7TxfDo%2BNHyz%2B8AUbVpApIxs3PTmzs%3D&reserved=0
List Archives:
https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist
s.fedorahosted.org%2Farchives%2Flist%2Fsssd-users%40lists.fedorahosted
.org&data=02%7C01%7Cmoter%40austin.utexas.edu%7C87719229ad54467ff9
8808d7b0576033%7C31d7e2a5bdd8414e9e97bea998ebdfe1%7C1%7C1%7C6371717616
58415397&sdata=qZHqxPWZzftm51GK%2F29gM3NM9f5QnsoRQE2kqWGs3Os%3D&am
p;reserved=0
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.orgmailto:sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.fedor...
List Guidelines: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Ffedoraproj...
List Archives: https://nam05.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.fedo...
This message is from an external sender. Learn more about why this <<
matters at https://links.utexas.edu/rtyclf. <<
sssd-users@lists.fedorahosted.org