On 27 Dec 2016, at 20:29, Lesley Kimmel
Hi, all. Thanks in advance for your help.
I am working to integrate some RHEL7 servers to AD. In doing so it seems clear that SSSD
is the way to go. However, it looks like there are basically (2) options:
1) use sssd-ad (id_provider=ad, access_provider=ad)
2) Use explicit LDAP and Kerberos providers
I would prefer to use the sssd-ad method because it is obviously simpler. However, I am
unclear what security is provided therein. Obviously, Kerberos is pretty secure for
authentication. However, when groups, etc., are retrieved from LDAP is that done over
SSSD also authenticates using the machine credentials (=the keytab) to AD. Normally, AD
doesn’t even allow anonymous binds.
It is implied that using the sssd-ad method is essentially a
shorthand for other LDAP/Kerberos settings and I can't find a complete listing of what
those settings are.
Yeah, this is not trivial to deduce (we’re working on enhancing sssctl with a
‘config-show’ action, but we’re not there yet). Maybe it would help to check the sssd
debug messages when you start sssd...
If I configure the server to enforce STARTTLS, is SSSD "smart
enough" to work with that if I use sssd-ad, or would I need to go the LDAP+Kerberos
route in order to configure some of the TLS-related settings?
GSSAPI authentication is the default and cannot even be changed with sssd-ad.
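As an added example (not part of this thread and not SSSD project code), a small audit script that encodes the distinction the reply draws: with id_provider=ad the bind is always GSSAPI with the machine keytab, while with the explicit ldap provider the channel protection for identity lookups must be configured. The option names are those of sssd-ldap(5); the sssd.conf text is a constructed sample.

```python
import configparser

# Constructed sample sssd.conf: one domain joined with the sssd-ad provider,
# one using the explicit LDAP+Kerberos providers without channel protection.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = ad.example.com, legacy.example.com

[domain/ad.example.com]
id_provider = ad
access_provider = ad

[domain/legacy.example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.legacy.example.com
krb5_realm = LEGACY.EXAMPLE.COM
"""

def audit_domain(name, sect):
    """Return findings for one [domain/...] section of sssd.conf."""
    findings = []
    idp = sect.get("id_provider", "").strip().lower()
    if idp != "ldap":
        # id_provider=ad always binds with GSSAPI using the machine keytab
        # (as stated in the reply above, this is not changeable), so the
        # LDAP channel settings checked below do not apply to it.
        return findings
    uris = [u.strip() for u in sect.get("ldap_uri", "").split(",") if u.strip()]
    ldaps = bool(uris) and all(u.startswith("ldaps://") for u in uris)
    starttls = sect.get("ldap_id_use_start_tls", "False").strip().lower() == "true"
    gssapi = sect.get("ldap_sasl_mech", "").strip().lower() == "gssapi"
    if not (ldaps or starttls or gssapi):
        # Identity lookups (users, groups) would be fetched over plain LDAP.
        findings.append(f"{name}: no GSSAPI, STARTTLS or ldaps:// for identity lookups")
    if (ldaps or starttls) and sect.get("ldap_tls_reqcert", "hard").strip().lower() in ("never", "allow"):
        # TLS is on, but the AD server certificate is not actually verified.
        findings.append(f"{name}: ldap_tls_reqcert does not verify the AD certificate")
    return findings

def audit_sssd_conf(text):
    """Parse sssd.conf text and audit every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    out = []
    for section in cp.sections():
        if section.startswith("domain/"):
            out.extend(audit_domain(section, cp[section]))
    return out
```

Running audit_sssd_conf on the sample flags only the legacy domain; adding ldap_sasl_mech = GSSAPI or ldap_id_use_start_tls = True to that section clears the finding.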