[MacTUG] Urgent: Re: An interesting read....

Don Duff-McCracken dsmccrac at uwaterloo.ca
Thu Feb 13 11:47:11 EST 2020


Thanks for bringing this up!


Boy, it sounds like there are quotation marks around the word 'Interesting', Stephen! Bernie Rutter mentioned this to me as it came up in WNAG. I am presuming that if we do not solve this by March, all Macs that have been bound in the traditional manner will have a huge problem with authenticating to any AD domain which has had the updates applied (i.e. not just nexus).


There has not been any response to Stephen's email, so I will ask. Is anyone currently doing what seems to be the suggested option or trying it out?


I think this is a Code Red.


------------------------------------
Donald Duff-McCracken
Technical Services Manager
Mapping, Analysis & Design
Faculty of Environment
University of Waterloo
(519) 888-4567 x32151
https://uwaterloo.ca/environment-computing/about/people
------------------------------------
________________________________
From: mactug-bounces at lists.uwaterloo.ca <mactug-bounces at lists.uwaterloo.ca> on behalf of Stephen Markan <smarkan at uwaterloo.ca>
Sent: Friday, February 7, 2020 4:07:56 PM
To: Mactug
Subject: [MacTUG] An interesting read....


Below is a snippet from a conversation on the Windows-HIED mailing list:



According to Microsoft Security Advisory ADV190023<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023> the March 2020 security update will enable LDAP channel binding and LDAP signing on Active Directory servers by default.  It is unclear from the documentation if this can be undone or postponed.  Following guidance in Identifying Clear Text LDAP binds to your DC's<https://docs.microsoft.com/en-us/archive/blogs/russellt/identifying-clear-text-ldap-binds-to-your-dcs> we have found that all of our domain-joined Macs are encrypting but not signing their connections to AD LDAP.  Testing so far has found that the only way to resolve this is to enforce SSL using the dsconfigad -packetencrypt ssl command along with importing the trusted root CA for our domain controllers.



Has anyone else looked at this and found alternative solutions?  According to the Apple support article Configure domain access in Directory Utility on Mac<https://support.apple.com/guide/directory-utility/configure-domain-access-diru11f4f748/mac> it should not be necessary to enforce SSL, but we have not found any alternative settings that work.



FYI we also have found and are investigating remediation for issues with various NetApp NAS devices and Linux machines which are behaving similarly.



Interested in how other organizations are approaching this or if this is even on your radar (it wasn’t on ours until last week).



Regards,
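As an added example (not code from either list post), here is a small Python parser for exported Directory Service event 2889 entries, the events the linked "Identifying Clear Text LDAP binds" guidance uses to find clients binding without signing or over clear text; it groups binds per client IP so hosts such as domain-joined Macs can be inventoried before the March update. The 2889 field layout is assumed from the advisory's description, and every address and account name in the sample is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of Directory Service event 2889 (field layout
# is an assumption from the advisory text; addresses and accounts are made up).
SAMPLE_EVENTS = """\
Client IP address:
10.20.30.41:52114
Identity the client attempted to authenticate as:
EXAMPLE\\MAC-LAB-01$
Binding Type:
1
Client IP address:
10.20.30.41:52209
Identity the client attempted to authenticate as:
EXAMPLE\\MAC-LAB-01$
Binding Type:
1
Client IP address:
10.20.30.77:41033
Identity the client attempted to authenticate as:
EXAMPLE\\svc-nas-ldap
Binding Type:
0
"""

EVENT_RE = re.compile(
    r"Client IP address:\s*\n(?P<ip>.+):(?P<port>\d+)\s*\n"
    r"Identity the client attempted to authenticate as:\s*\n(?P<identity>.+?)\s*\n"
    r"Binding Type:\s*\n(?P<bind>\d+)"
)

def parse_2889(text):
    """One dict per 2889 event (ip, port, identity, bind) found in the text."""
    return [m.groupdict() for m in EVENT_RE.finditer(text)]

def summarize(events):
    """Per client IP: bind count, identities, whether a computer account ('$') bound, raw types."""
    report = defaultdict(lambda: {"binds": 0, "identities": set(),
                                  "machine": False, "types": set()})
    for ev in events:
        entry = report[ev["ip"]]
        entry["binds"] += 1
        entry["identities"].add(ev["identity"])
        entry["machine"] |= ev["identity"].endswith("$")   # host itself, not a user
        entry["types"].add(int(ev["bind"]))
    return dict(report)

if __name__ == "__main__":
    for ip, e in sorted(summarize(parse_2889(SAMPLE_EVENTS)).items()):
        print(ip, e["binds"], "binds", sorted(e["identities"]), "host" if e["machine"] else "user")
```

Feed it the text of 2889 events exported from the DC's Directory Service log after raising the "16 LDAP Interface Events" diagnostic level as the linked guidance describes; a client that keeps appearing after being switched to `dsconfigad -packetencrypt ssl` has not actually picked up the change.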

