All,
It appears that this Nov 2022 AD DC patch does not directly break our
sssd-based AD integration. This was done in a test AD domain.
However, if the AD domain admin clicks the button to "use AES256 only" on
this test account it does break login.
Which led to further discovery.
Our particular AD integration allows AES256, AES128 and arcfour-hmac
encryption types. That is, our crypto policy is DEFAULT:AD-SUPPORT.
(Originally, we turned off arcfour-hmac support, but for obscure reasons we
had to turn it back on.)
If we changed our crypto policy to "DEFAULT" (i.e., no arcfour-hmac
encryption support), then this Nov 2022 AD DC patch does seem to break our
sssd-based AD integration.
Thus, it appears that companies that have implemented good security and
disabled arcfour-hmac encryption will be bitten by this Nov 2022 AD DC
patch.
Spike
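To make the "DEFAULT" versus "DEFAULT:AD-SUPPORT" distinction concrete, here is an added example (not code from this thread or from sssd) that parses a krb5-style `permitted_enctypes` line, decodes an AD account's `msDS-SupportedEncryptionTypes` bitmask, and reports which encryption types the two sides have in common. The two config snippets are constructed approximations of what the two crypto policies permit, not copies of the real policy back-end files, and the bit values are the documented Microsoft ones. The check only shows static overlap: it explains why an RC4-only account is unreachable under "DEFAULT" and what "use AES256 only" leaves available, but it does not model the post-patch DC behaviour Spike observed, where "DEFAULT" broke logins even with AES on both sides.

```python
"""Enctype overlap between a Linux Kerberos client policy and an AD account.

Added example for the sssd-users thread above; not the project's code.
"""
import re

# msDS-SupportedEncryptionTypes bit values as documented by Microsoft.
AD_ENCTYPE_BITS = {
    "des-cbc-crc": 0x01,
    "des-cbc-md5": 0x02,
    "arcfour-hmac": 0x04,
    "aes128-cts-hmac-sha1-96": 0x08,
    "aes256-cts-hmac-sha1-96": 0x10,
}

# Alternate spellings krb5 accepts, mapped to one canonical name each.
KRB5_ALIASES = {
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes128-sha1": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes256-sha1": "aes256-cts-hmac-sha1-96",
}

# Family names krb5 expands in permitted_enctypes (AD-relevant members only).
KRB5_FAMILIES = {
    "aes": {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"},
    "rc4": {"arcfour-hmac"},
    "des": {"des-cbc-crc", "des-cbc-md5"},
}

# Constructed stand-ins for the krb5 back-end of the two policies in the thread.
# DEFAULT: AES only.  DEFAULT:AD-SUPPORT: the same list plus arcfour-hmac (RC4).
DEFAULT_POLICY = """[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128
"""
AD_SUPPORT_POLICY = DEFAULT_POLICY.rstrip("\n") + " arcfour-hmac-md5\n"

# Constructed account masks: a typical account, one switched to "AES256 only",
# and a legacy RC4-only account.
RC4_AES128_AES256 = 0x04 | 0x08 | 0x10
AES256_ONLY = 0x10
RC4_ONLY = 0x04


def parse_permitted_enctypes(krb5_conf: str) -> set:
    """Return the canonical enctype names a client with this config may use.

    Plain names, krb5 aliases and family names are handled; the +/- prefix
    forms of permitted_enctypes are not (assumption: policy files list names).
    """
    m = re.search(r"^\s*permitted_enctypes\s*=\s*(.+?)\s*$", krb5_conf, re.MULTILINE)
    if m is None:
        raise ValueError("no permitted_enctypes line found")
    allowed = set()
    for token in re.split(r"[\s,]+", m.group(1)):
        token = token.lower()
        if token in KRB5_FAMILIES:
            allowed |= KRB5_FAMILIES[token]
        else:
            allowed.add(KRB5_ALIASES.get(token, token))
    return allowed


def ad_account_enctypes(supported_mask: int) -> set:
    """Decode an msDS-SupportedEncryptionTypes bitmask into enctype names."""
    return {name for name, bit in AD_ENCTYPE_BITS.items() if supported_mask & bit}


def compatible_enctypes(krb5_conf: str, supported_mask: int) -> set:
    """Enctypes both the client policy and the account allow; empty means no common key type."""
    return parse_permitted_enctypes(krb5_conf) & ad_account_enctypes(supported_mask)


if __name__ == "__main__":
    policies = (("DEFAULT", DEFAULT_POLICY), ("DEFAULT:AD-SUPPORT", AD_SUPPORT_POLICY))
    accounts = (("rc4+aes", RC4_AES128_AES256), ("aes256-only", AES256_ONLY), ("rc4-only", RC4_ONLY))
    for policy_name, conf in policies:
        for account_name, mask in accounts:
            common = compatible_enctypes(conf, mask)
            print(f"{policy_name:20} {account_name:12} {sorted(common) or 'NONE'}")
```

Running it prints one line per policy/account pair; the "NONE" rows (RC4-only accounts under "DEFAULT") are the ones a client with arcfour-hmac disabled can never authenticate for, which is the trade-off behind keeping "DEFAULT:AD-SUPPORT" in place.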
On Tue, Nov 15, 2022 at 3:46 PM Spike White <spikewhitetx(a)gmail.com> wrote:
Really really appreciate the heads-up on this Sumit!
We'd seen the notice yesterday, but from the brief description our
guess was that sssd was unaffected. Then your message showed up. So
timely!
We're coordinating with our AD team now.
Spike
Spike White
On Tue, Nov 15, 2022 at 12:07 AM Sumit Bose <sbose(a)redhat.com> wrote:
> ----- Forwarded message from Rob Crittenden via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> -----
>
> Date: Mon, 14 Nov 2022 10:19:15 -0500
> From: Rob Crittenden via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org>
> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Cc: Rob Crittenden <rcritten(a)redhat.com>
> Subject: [Freeipa-users] Microsoft November 2022 updates breaks Active
> Directory integration
>
> Microsoft addressed a number of CVEs last week which introduced some
> authentication issues. After installation of these patches, user
> authentication on Linux systems integrated in Active Directory no longer
> works and new systems are unable to join an AD domain that is managed by
> domain controllers where these patches have been applied.
>
> For more details see https://access.redhat.com/solutions/6985061 (open to the public).
>
> rob
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>
> ----- End of forwarded message -----
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org