On Thu, Feb 06, 2020 at 03:05:13PM +0000, Ondrej Valousek wrote:
Did you try refreshing the machine password in AD? Looks like it's too old.
O.
________________________________
From: David David modrik@seznam.cz
Sent: Thursday, February 6, 2020 12:09 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] sssd 1.16.4. ADV190023.
Hello, I guess that you have probably heard about ADV190023. Our AD admin told me that the Linux servers which are under my responsibility send unsigned requests to AD, which could be a problem related to this incoming AD patch: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.mi....
I am using sssd in "sssd-ad mode". The communication between the Linux servers and our AD is encrypted by Kerberos, so this should be OK.
I found only one kind of request which could result in a potential failure after the mentioned patch is implemented. Please see below:
(Wed Feb 5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds
(Wed Feb 5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
(Wed Feb 5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 86400 seconds from last
Hi,
Ondrej is right, those messages are related to adcli trying to update the machine account password if it is too old. To check when the password was last updated, adcli uses LDAP with SASL/GSSAPI. I've added a patch so that SASL/GSS-SPNEGO is used when it is available on the AD DC side: https://gitlab.freedesktop.org/realmd/adcli/commit/a6f795ba3d6048b32d7863468... With SASL/GSS-SPNEGO all requirements are negotiated automatically and signing should be switched on if required.
With SASL/GSSAPI you might be able to tune this manually, see e.g. the SASL and GSSAPI options in man ldap.conf for details.
There is also a patch for adcli which tells adcli to use ldaps, https://gitlab.freedesktop.org/realmd/adcli/commit/85097245b57f190337225dbdb..., but this is currently not used by SSSD. And in general I think using GSS-SPNEGO is sufficient, since there is no requirement to switch to ldaps (if I read the advisory correctly) and AD does not enable ldaps by default either.
bye, Sumit
Every time this task is executed, our AD writes into its log that an unsigned request came from my Linux server. I tried to set ldap_tls_cert and ldap_tls_key in sssd.conf, pointing to the cert and key generated by our AD, but without success.
I tried to find a proper solution for how to sign the request so that AD stops complaining, but found nothing useful.
My question is: should I be afraid that after the patching, our AD will stop communicating with my Linux servers?
Really, thanks in advance for your answer. I really appreciate your effort.
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Sumit
Any idea on when your SASL/GSS-SPNEGO patch for adcli might make it downstream? It seems that adcli is checking once an hour on the age of the password and is the only thing left on my test hosts that is triggering the Unsigned SASL event on our domain controllers. I have tinkered with the GSSAPI and other settings in ldap.conf, so none of the connections are simple, just unsigned, which isn't terrible, but it'd be nice to eliminate them altogether, ya know?
Todd
-----Original Message-----
From: Sumit Bose sbose@redhat.com
Sent: Thursday, February 6, 2020 10:18 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: sssd 1.16.4. ADV190023.
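The "unsigned request" entries that David and Todd see on the DC side can be summarised with a small script, so you can tell whether the remaining unsigned binds are the machine-account ones from adcli's password-age check or something else. This is an added example, not code from the thread or from SSSD/adcli. It assumes the DC records these as Directory Service event 2889 whose message lists the client address, the identity bound as and a "Binding Type" (0 for a SASL bind without signing, 1 for a simple bind over clear text); the event messages below are constructed for the example, not real log data.

```python
"""
Summarise 'unsigned LDAP bind' events exported from a domain controller's
Directory Service log, to see which clients still bind via SASL/GSSAPI
without requesting signing (the bind adcli/SSSD does for the machine
account password check discussed in the thread).

Assumption (not stated in the thread): the DC records these as event 2889
and the message body carries "Client IP address", "Identity the client
attempted to authenticate as" and "Binding Type" (0 = SASL bind without
signing, 1 = simple bind over clear text).  All sample events below are
constructed for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

_PREAMBLE = ("The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) "
             "LDAP bind without requesting signing (integrity verification), or performed "
             "a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.\n\n")


def _event(addr: str, identity: str, binding_type: int) -> str:
    """Build a constructed event message in the assumed 2889 layout."""
    return (_PREAMBLE
            + f"Client IP address:\n{addr}\n"
            + f"Identity the client attempted to authenticate as:\n{identity}\n"
            + f"Binding Type:\n{binding_type}\n")


# Constructed sample: the Message field of four exported events plus one
# unrelated event that must be ignored.
SAMPLE_EVENTS: List[str] = [
    _event("10.1.2.3:49152", "EXAMPLE\\linuxbox1$", 0),   # adcli-style GSSAPI bind
    _event("10.1.2.3:49177", "EXAMPLE\\linuxbox1$", 0),   # same host, an hour later
    _event("10.1.2.50:51000", "CN=svc-ldap,OU=Service,DC=example,DC=com", 1),  # clear-text simple bind
    _event("[fd00::7]:40000", "EXAMPLE\\alice", 0),       # a user, not a machine account
    "The LDAP server has started listening on port 389.",  # unrelated event text
]

_FIELDS = re.compile(
    r"Client IP address:\s*(?P<addr>\S+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>[^\n]*)\s*"
    r"Binding Type:\s*(?P<btype>\d+)"
)


@dataclass(frozen=True)
class UnsignedBind:
    client_ip: str
    client_port: int
    identity: str
    binding_type: int

    @property
    def kind(self) -> str:
        return {0: "unsigned-sasl", 1: "cleartext-simple"}.get(self.binding_type, "unknown")


def parse_event(message: str) -> Optional[UnsignedBind]:
    """Extract the bind details from one event message; None if it is not one."""
    m = _FIELDS.search(message)
    if not m:
        return None
    ip, _, port = m.group("addr").rpartition(":")   # split off the port, IPv6-safe
    return UnsignedBind(ip.strip("[]"), int(port), m.group("identity").strip(),
                        int(m.group("btype")))


def summarise(messages: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Count events per (client IP, identity, kind); ports are dropped."""
    counts: Counter = Counter()
    for msg in messages:
        ev = parse_event(msg)
        if ev is not None:
            counts[(ev.client_ip, ev.identity, ev.kind)] += 1
    return dict(counts)


def machine_accounts_unsigned(messages: Iterable[str]) -> List[str]:
    """Computer accounts (identity ending in '$') still doing unsigned SASL
    binds: on a Linux host joined with adcli/SSSD these are the binds the
    thread is about."""
    return sorted({ev.identity for ev in map(parse_event, messages)
                   if ev is not None and ev.kind == "unsigned-sasl"
                   and ev.identity.endswith("$")})


if __name__ == "__main__":
    for (ip, ident, kind), n in sorted(summarise(SAMPLE_EVENTS).items()):
        print(f"{n:3d}  {kind:16s} {ip:15s} {ident}")
    print("machine accounts still unsigned:", machine_accounts_unsigned(SAMPLE_EVENTS))
```

Feed it the Message field of the exported events, one string per event. After the hosts pick up an adcli with the GSS-SPNEGO change (where signing is negotiated), or after you set SASL_SECPROPS minssf=1 in the client's ldap.conf so that the GSSAPI bind asks for an integrity layer (the ldap.conf(5) knob Sumit's pointer refers to; confirm on the DC that the client in question actually honours it), the machine accounts should drop out of the unsigned-sasl bucket, and anything still listed there is binding through some other path.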