All,

It appears that this Nov 2022 AD DC patch does not directly break our sssd-based AD integration.  This was done in a test AD domain.

However, if the AD domain admin clicks the button to "use AES256 only" on this test account it does break login.  

Which led to further discovery.   

Our particular AD integration allows AES256, AES128 and arcfour-hmac encryption types.  That is, our crypto policy is DEFAULT:AD-SUPPORT.  (Originally, we turned off arcfour-hmac support, but for obscure reasons we had to turn it back on.)

If we changed our crypto policy to "DEFAULT"  (i.e., no arcfour-hmac encryption support), then this Nov 2022 AD DC patch does seem to break our sssd-based AD integration.

Thus, it appears that companies that have implemented good security and disabled arcfour-hmac encryption will be bitten by this Nov 2022 AD DC patch.

Spike
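Before moving a host from DEFAULT:AD-SUPPORT to DEFAULT, it is worth knowing which current tickets still rely on arcfour-hmac. The following is an added example, not code from this thread or from sssd: it parses constructed `klist -e` output and reports the tickets whose session-key or ticket enctype a given policy would no longer permit (the enctype sets per policy are an assumption based on the thread's description, not the full policy definition).

```python
import re

# Kerberos enctypes each crypto policy permits. Assumption for this example:
# DEFAULT is AES-only, DEFAULT:AD-SUPPORT additionally allows arcfour-hmac.
POLICY_ENCTYPES = {
    "DEFAULT": {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"},
}
POLICY_ENCTYPES["DEFAULT:AD-SUPPORT"] = POLICY_ENCTYPES["DEFAULT"] | {"arcfour-hmac"}

# Constructed sample of `klist -e` output (not captured from a real host).
SAMPLE_KLIST = """\
Ticket cache: KCM:1000
Default principal: alice@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
11/15/2022 10:00:00  11/15/2022 20:00:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
11/15/2022 10:00:01  11/15/2022 20:00:00  host/linux1.ad.example.com@AD.EXAMPLE.COM
\tEtype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
11/15/2022 10:00:02  11/15/2022 20:00:00  cifs/fs1.ad.example.com@AD.EXAMPLE.COM
\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac
"""

ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")

def parse_klist(text):
    """Return {service principal: (session key enctype, ticket enctype)}."""
    result, current = {}, None
    for line in text.splitlines():
        m = ETYPE_RE.search(line)
        if m and current:
            result[current] = (m.group(1), m.group(2))
        elif re.match(r"\d{2}/\d{2}/\d{4}", line):
            current = line.split()[-1]  # last column is the service principal
    return result

def tickets_blocked_by(policy, tickets):
    """Principals whose skey or tkt enctype the given policy does not permit."""
    allowed = POLICY_ENCTYPES[policy]
    return sorted(p for p, (skey, tkt) in tickets.items()
                  if skey not in allowed or tkt not in allowed)

if __name__ == "__main__":
    tickets = parse_klist(SAMPLE_KLIST)
    for policy in POLICY_ENCTYPES:
        print(policy, "would block:", tickets_blocked_by(policy, tickets))
```

On a real host, feed the output of `klist -e` into `parse_klist` instead of the constructed sample.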

On Tue, Nov 15, 2022 at 3:46 PM Spike White <spikewhitetx@gmail.com> wrote:
Really really appreciate the heads-up on this Sumit!

We'd seen the notice yesterday, but from the brief description our guess was that sssd was unaffected.  Then your message showed up.  So timely!

We're coordinating with our AD team now.

Spike

Spike White


On Tue, Nov 15, 2022 at 12:07 AM Sumit Bose <sbose@redhat.com> wrote:
----- Forwarded message from Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> -----

Date: Mon, 14 Nov 2022 10:19:15 -0500
From: Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Rob Crittenden <rcritten@redhat.com>
Subject: [Freeipa-users] Microsoft November 2022 updates break Active Directory integration

Microsoft addressed a number of CVEs last week which introduced some
authentication issues. After installation of these patches, user
authentication on Linux systems integrated in Active Directory no longer
works and new systems are unable to join an AD domain that is managed by
domain controllers where these patches have been applied.

For more details see https://access.redhat.com/solutions/6985061 (open
to the public).

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

----- End forwarded message -----
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org