[MacTUG] Urgent: Re: An interesting read....

Don Duff-McCracken dsmccrac at uwaterloo.ca
Thu Feb 13 12:48:17 EST 2020


Apple saying that is of little comfort ;-) Where did you get this Apple info from? Thanks for digging into this BTW!

Do we have any ideas yet of what ‘not March’ is or is that TBA?


------------------------------------
Donald Duff-McCracken
Interim Director
Mapping, Analysis & Design
Faculty of Environment
University of Waterloo
(519) 888-4567 x32151
------------------------------------
I acknowledge that I work and teach on the traditional territory of the Attawandaron (Neutral), Anishnaabeg, and Haudenosaunee peoples. The University of Waterloo is situated on the Haldimand Tract, land promised and given to Six Nations, which includes six miles on each side of the Grand River.


On Feb 13, 2020, at 12:28 PM, Stephen Markan <smarkan at uwaterloo.ca> wrote:



Apparently Microsoft has now deferred the mandatory implementation of this so March is not the deadline.


However, some testing is required as well. Apple says this is not a concern if things are done in the Apple recommended way. I for one am not certain what that may mean for us!

________________________________
From: Don Duff-McCracken
Sent: February 13, 2020 11:47:11 AM
To: Stephen Markan; Mactug
Subject: Urgent: Re: An interesting read....


Thanks for bringing this up!


Boy, it sounds like there are quotation marks around the word 'Interesting', Stephen! Bernie Rutter mentioned this to me as it came up in WNAG. I am presuming that if we do not solve this by March, all Macs that have been bound in the traditional manner will have a huge problem with authenticating to any AD domain which has had the updates applied (i.e. not just nexus).


There has not been any response to Stephen's email, so I will ask. Is anyone currently doing what seems to be the suggested option or trying it out?


I think this is a Code Red.


------------------------------------
Donald Duff-McCracken
Technical Services Manager
Mapping, Analysis & Design
Faculty of Environment
University of Waterloo
(519) 888-4567 x32151
https://uwaterloo.ca/environment-computing/about/people
------------------------------------
________________________________
From: mactug-bounces at lists.uwaterloo.ca <mactug-bounces at lists.uwaterloo.ca> on behalf of Stephen Markan <smarkan at uwaterloo.ca>
Sent: Friday, February 7, 2020 4:07:56 PM
To: Mactug
Subject: [MacTUG] An interesting read....


Below is a snippet from a conversation on the Windows-HIED mailing list:



According to Microsoft Security Advisory ADV190023<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023> the March 2020 security update will enable LDAP channel binding and LDAP signing on Active Directory servers by default.  It is unclear from the documentation if this can be undone or postponed.  Following guidance in Identifying Clear Text LDAP binds to your DC's<https://docs.microsoft.com/en-us/archive/blogs/russellt/identifying-clear-text-ldap-binds-to-your-dcs> we have found that all of our domain-joined Macs are encrypting but not signing their connections to AD LDAP.  Testing so far has found that the only way to resolve this is to enforce SSL using the dsconfigad -packetencrypt ssl command along with importing the trusted root CA for our domain controllers.



Has anyone else looked at this and found alternative solutions?  According to the Apple support article Configure domain access in Directory Utility on Mac<https://support.apple.com/guide/directory-utility/configure-domain-access-diru11f4f748/mac> it should not be necessary to enforce SSL, but we have not found any alternative settings that work.



FYI we also have found and are investigating remediation for issues with various NetApp NAS devices and Linux machines which are behaving similarly.



Interested in how other organizations are approaching this or if this is even on your radar (it wasn't on ours until last week).



Regards,
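As an added audit helper (not part of this thread and not from any of the posters): a POSIX shell script that parses `dsconfigad -show` output and flags a Mac that still binds to AD with the "traditional" settings, the encrypted-but-unsigned case the Windows-HIED snippet says will break once the ADV190023 enforcement is applied. It assumes the "Packet signing" / "Packet encryption" labels that dsconfigad prints in its Administrative section, and the sample `dsconfigad -show` text is constructed, not captured from a real Mac.

```shell
#!/bin/sh
# Reads `dsconfigad -show` text and reports whether this Mac's AD bind
# is still the unsigned, non-SSL configuration discussed in the thread.

# Print the value of one "Key = value" line from dsconfigad -show (stdin).
# $1 is the key label as dsconfigad prints it, e.g. "Packet encryption".
ad_setting() {
    awk -F' = ' -v key="$1" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key { v = $2; sub(/[ \t]+$/, "", v); print v; exit }'
}

# Classify the bind from its encryption ($1) and signing ($2) values.
# Only "ssl" (dsconfigad -packetencrypt ssl) is treated as safe, matching
# the thread's finding that other settings did not resolve the problem.
# Prints "ok-ssl" (returns 0) or an "at-risk ..." line (returns 1).
classify_bind() {
    if [ "$1" = "ssl" ]; then
        echo "ok-ssl"
        return 0
    fi
    echo "at-risk encryption=$1 signing=$2"
    return 1
}

# Run the audit on dsconfigad -show text supplied on stdin.
audit_show_output() {
    out=$(cat)
    enc=$(printf '%s\n' "$out" | ad_setting "Packet encryption")
    sign=$(printf '%s\n' "$out" | ad_setting "Packet signing")
    classify_bind "${enc:-unknown}" "${sign:-unknown}"
}

# Constructed sample: defaults of a traditional bind, which the thread
# reports as encrypting but not signing its LDAP connections.
SAMPLE_DEFAULT='Active Directory Domain          = example.invalid
Computer Account                 = mac01$

Advanced Options - Administrative
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14'

# The same Mac after `sudo dsconfigad -packetencrypt ssl` (also constructed).
SAMPLE_SSL=$(printf '%s\n' "$SAMPLE_DEFAULT" | sed '/Packet encryption/s/allow/ssl/')

# On a real machine: dsconfigad -show | audit_show_output
for s in "$SAMPLE_DEFAULT" "$SAMPLE_SSL"; do
    printf '%s\n' "$s" | audit_show_output ||
        echo "  -> remediate: sudo dsconfigad -packetencrypt ssl, then trust the DC root CA"
done
```

The remediation line echoes the thread's fix (enforce SSL and import the domain controllers' trusted root CA); the script only audits, it changes nothing.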



