sssd-users October 2020

sssd-users@lists.fedorahosted.org

12 participants
12 discussions

Advantages of signed SASL bindings vs unsigned SASL bindings....
by Spike White 14 Oct '20

14 Oct '20

All, Still working with our AD team, trying to implement Microsoft's AD edict to only allow LDAP SASL bindings with a security strength factor of 2 or greater. https://bugzilla.redhat.com/show_bug.cgi?id=1793709 So I realize (now) that sssd's default GSSAPI SASL binding does not do signing. Whereas, the GSS-SPNEGO authentication mechanism does. Both authentication mechanisms claim a SSF of 256. So both are accepted by AD DCs enforcing MS' stricter policy. (We have verified this by hard-coding sssd clients to AD DCs thus configured). Even with the new hotfix that Microsoft released in July, the AD DCs still report event 2889 (insecure LDAP binding or unsigned LDAP binding) for GSSAPI SASL bindings. They do not report event 2889 for GSS-SPNEGO SASL bindings. I believe our older sssd clients (RHEL 6) cannot do gss-spnego auth mech. Only our newer RHEL7 and RHEL8 clients can do gss-spnego. So while we can satisfy MS' stricter requirement of SASL bindings with SSF >= 2, the AD admins will still see events 2889 in their DC logs. Certainly for our older clients. I don't fully understand this claim of SSF == 256 for GSSAPI. SSF == 0 is supposed to be no protection, SSF = 1 is supposed to be basic integrity checking only, >1 – Supports authentication, integrity and confidentiality. https://ldapwiki.com/wiki/Security%20Strength%20Factor I thought signing was what gave you integrity checking. To prevent man-in-the middle attacks. If so, how can GSSAPI claim SSF == 256, since it's not doing signing? Otherwise, if you can get integrity checking without signing and our GSSAPI bindings are strongly encrypted (they are), how could a man in the middle insert their own code into the packet? I..e, how important is signing really, if we're strongly encrypted? Just trying to gauge if it's worth the work effort to convert all our new'ish sssd client to gss-spnego, or leave them at (default) gssapi. Spike PS Best would be if MS had broken out insecure LDAP binding and unsigned SASL bindings into 2 different events. What the AD team *really* wants to eradicate is simple LDAP bindings (i.e., user name/password supplied in clear text). However, it's hard to distinguish between that and our (sssd-initiated) GSSAPI SASL bindings -- AD team is just looking for event 2889 in their logs.

4 7

Announcing SSSD 2.4.0
by Pavel Březina 12 Oct '20

12 Oct '20

# SSSD 2.4.0 The SSSD team is proud to announce the release of version 2.4.0 of the System Security Services Daemon. The tarball can be downloaded from: https://github.com/SSSD/sssd/releases/tag/sssd-2_4_0 See the full release notes at: https://sssd.io/docs/users/relnotes/notes_2_4_0 RPM packages will be made available for Fedora shortly. ## Feedback Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users ## Highlights - `libnss` support was dropped, SSSD now supports only `openssl` cryptography ### New features - Session recording can now exclude specific users or groups when `scope` is set to `all` (see `exclude_users` and `exclude_groups` options) - Active Directory provider now sends CLDAP pings over UDP protocol to Domain Controllers in parallel to determine site and forest to speed up server discovery ### Packaging changes - python2 bindings are disable by default, use `--with-python2-bindings` to build it ### Documentation Changes - Default value of `client_idle_timeout` changed from 60 to 300 seconds for KCM, this allows more time for user interaction (e.g. during `kinit`) - Added `exclude_users` and `exclude_groups` option to `session_recording` section, this allows to exclude user or groups from session recording when `scope` is set to `all` - Added `ldap_library_debug_level` option to enable debug messages from `libldap` - Added `dyndns_auth_ptr` to set authentication mechanism for PTR DNS records update - Added `ad_allow_remote_domain_local_groups` to be compatible with other solutions

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users October 2020