did you try refreshing the machine password in AD? Looks like it's too old.
O.

From: David David <modrik@seznam.cz>
Sent: Thursday, February 6, 2020 12:09 PM
To: sssd-users@lists.fedorahosted.org <sssd-users@lists.fedorahosted.org>
Subject: [SSSD-users] sssd 1.16.4. ADV190023.
 
Hello,
I guess that you probably heard about ADV190023. Our AD admin told me that the Linux servers which are under my responsibility send an unsigned request to AD, which could be a problem related to this incoming AD patch: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows.

I am using sssd in "sssd-ad mode." The communication between the Linux servers and our AD is encrypted by Kerberos, so this should be OK.

I found only one kind of request which could result in a potential failure after the mentioned patch is implemented. Please see below:

(Wed Feb  5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_execute] (0x0400): Task [AD machine account password renewal]: executing task, timeout 60 seconds
(Wed Feb  5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_done] (0x0400): Task [AD machine account password renewal]: finished successfully
(Wed Feb  5 16:57:21 2020) [sssd[be[AD]]] [be_ptask_schedule] (0x0400): Task [AD machine account password renewal]: scheduling task 86400 seconds from last 

Every time this task is executed, our AD writes into its log that an unsigned request came from my Linux server. I tried to set ldap_tls_cert and ldap_tls_key in sssd.conf, pointing to the cert and key generated by our AD, but without success.

I tried to find a proper solution for how to sign the request so that AD stops complaining, but found nothing useful.

My question is: should I be afraid that after the patching, our AD will stop communicating with my Linux servers?

Really thanks in advance for your answer. I really appreciate your effort.
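The two settings that actually govern the behaviour seen in the log above, as an added sssd.conf fragment that is not part of either message in this thread. It assumes the option names and defaults from the sssd-ad(5) and sssd-ldap(5) man pages of the 1.16 series (ad_machine_account_password_renewal_opts defaulting to "86400:60", which matches the 86400-second schedule and 60-second timeout in the quoted log; ad_maximum_machine_account_password_age defaulting to 30 days; ldap_sasl_minssf controlling the minimum SASL security strength factor the GSSAPI bind must negotiate). The domain name and section name are placeholders; verify the option names against the man pages of the sssd build in use.

```ini
# Added example, not from the original thread.
# Assumed: sssd-ad(5) / sssd-ldap(5) option names of sssd 1.16.x.
[domain/example.com]          ; placeholder domain name
id_provider = ad
access_provider = ad

# Renewal task cadence: "<interval in seconds>:<timeout in seconds>".
# The default "86400:60" is what the quoted log shows
# (scheduling 86400 seconds ahead, 60 second timeout).
ad_machine_account_password_renewal_opts = 86400:60

# Age (days) after which the task renews the machine account password.
# Default is 30; the reply in the thread suspects the stored password
# is older than expected, so this is the value to compare against.
ad_maximum_machine_account_password_age = 30

# Minimum SASL security strength factor for the GSSAPI-bound LDAP
# connection. With the default of 0 no SASL integrity/privacy layer is
# required; requiring one makes the LDAP traffic signed (and, at 56 or
# above, sealed) so that a domain controller enforcing LDAP signing
# per ADV190023 does not classify the bind as unsigned.
# Weak (default):
# ldap_sasl_minssf = 0
# Hardened:
ldap_sasl_minssf = 56
```

After restarting sssd, confirm the effect on the domain controller side rather than only on the client: the DC logs a directory-service event for each bind that is not signed, so the check is that no new such entry appears for this host after the next renewal run.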