On Tue, 14 Mar 2023, Gianluca Amato via FreeIPA-users wrote:
> At the end, I opted for the opposite solution. I just enabled support
> for SID with the command
> ipa config-mod --enable-sid --add-sids
> and now all servers seem to work fine again.
Correct. There is no way to disable that due to a need to protect
against a number of Kerberos-based attacks which were developed over
the past several years based on the Active Directory environments and
targeting Linux systems. FreeIPA, SSSD, Samba Team, and both MIT
Kerberos and Heimdal Kerberos projects have been working together with
Microsoft folks to address these issues in an industry-wide manner. We are
still not entirely there (new PAC signatures, for example, will be fully
enforced by Microsoft in autumn 2023 and we need to be ready for that)
but for the directory services there is no way back.
I have a blog post in the works that tries to summarize the changes that
have been done over the past few years in this area. It is not complete yet;
I'll reference it here once it is published.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland