----- Forwarded message from Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org -----
Date: Mon, 14 Nov 2022 10:19:15 -0500
From: Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Rob Crittenden rcritten@redhat.com
Subject: [Freeipa-users] Microsoft November 2022 updates break Active Directory integration
Microsoft addressed a number of CVEs last week which introduced some authentication issues. After installation of these patches, user authentication on Linux systems integrated in Active Directory no longer works and new systems are unable to join an AD domain that is managed by domain controllers where these patches have been applied.
For more details see https://access.redhat.com/solutions/6985061 (open to the public).
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
----- End forwarded message -----
Really really appreciate the heads-up on this Sumit!
We'd seen the notice yesterday, but from the brief description our guess was that sssd was unaffected. Then your message showed up. So timely!
We're coordinating with our AD team now.
Spike
Spike White
On Tue, Nov 15, 2022 at 12:07 AM Sumit Bose sbose@redhat.com wrote:
All,
It appears that this Nov 2022 AD DC patch does not directly break our sssd-based AD integration. This was done in a test AD domain.
However, if the AD domain admin clicks the button to "use AES256 only" on this test account it does break login.
Which led to further discovery.
Our particular AD integration allows AES256, AES128 and arcfour-hmac encryption types. That is, our crypto policy is DEFAULT:AD-SUPPORT. (Originally, we turned off arcfour-hmac support, but for obscure reasons we had to turn it back on.)
If we changed our crypto policy to "DEFAULT" (i.e., no arcfour-hmac encryption support), then this Nov 2022 AD DC patch does seem to break our sssd-based AD integration.
Thus, it appears that companies that have implemented good security and disabled arcfour-hmac encryption will be bitten by this Nov 2022 AD DC patch.
Spike
On Tue, Nov 15, 2022 at 3:46 PM Spike White spikewhitetx@gmail.com wrote:
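Two inventory checks for the settings the thread turns on, the client crypto policy (DEFAULT vs DEFAULT:AD-SUPPORT) and the AD account's "AES256 only" setting, written as an added example that is not code from the thread or from SSSD. It assumes the generated krb5 back-end file lives at /etc/crypto-policies/back-ends/krb5.config with a `permitted_enctypes` line, and assumes the msDS-SupportedEncryptionTypes bit values listed in the code; the sample file text is constructed.

```python
import re

# Added example (not code from the thread or from SSSD). Constructed sample of
# the krb5 back-end file that update-crypto-policies generates (assumed path
# /etc/crypto-policies/back-ends/krb5.config) for DEFAULT:AD-SUPPORT.
SAMPLE_KRB5_CONFIG = """[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 arcfour-hmac-md5
"""

# msDS-SupportedEncryptionTypes flag bits (assumed values, per the AD schema).
ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}

def permitted_enctypes(config_text):
    """Enctype names from the first permitted_enctypes line, or [] if absent."""
    m = re.search(r"^\s*permitted_enctypes\s*=\s*(.+)$", config_text, re.M)
    return m.group(1).split() if m else []

def client_allows_rc4(config_text):
    """True when arcfour/rc4 is still permitted, i.e. the host is in the
    DEFAULT:AD-SUPPORT group from the thread rather than the DEFAULT group."""
    return any(e.startswith(("arcfour", "rc4")) for e in permitted_enctypes(config_text))

def decode_account_enctypes(mask):
    """Names for the bits set in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in ENCTYPE_BITS.items() if mask & bit]

def account_is_aes256_only(mask):
    """True when the account advertises AES-256 and nothing weaker, the state
    the thread's test account was put in with the "use AES256 only" option."""
    return decode_account_enctypes(mask) == ["aes256-cts-hmac-sha1-96"]

if __name__ == "__main__":
    print("client permits RC4:", client_allows_rc4(SAMPLE_KRB5_CONFIG))
    print("account mask 0x1c:", decode_account_enctypes(0x1C))
    print("account mask 0x10 is AES256 only:", account_is_aes256_only(0x10))
```

Run it against the real back-end file and the account's attribute value to see which of the two groups described in the thread a given host and account fall into.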