RedHat 7: Is there a way to remove AD support from sssd?
We are a RedHat only shop. No Windows machines. All of our hosts authenticate with ldaps (636).
Recently, there was a CVE about a Samba issue with Active Directory: CVE-2020-1472.
We have absolutely no need at all for Active Directory connectivity. When we install the sssd package, it has a dependency of sssd-ad (for active directory support).
Is there a way to remove the dependency on active directory support from sssd? I don't want to install anything that I don't need.
Our vulnerability scanner is showing this as a finding. The STIG clearly states that no action is required if there is no AD controller on our system. Unfortunately, our Security 'Manager' majored in Bikinis and Frisbees, doesn't understand that we really don't have a problem, and is insisting that we patch or remove the package. Some of our systems are still running RH 7.6 (even RH 7.3!). The upgrades have been delayed because of higher priority stuff. Upgrading the samba packages has several dependencies and I am not sure what adverse impacts the upgrade may have.
Red Hat's sssd package exists only to require all the sub packages. So, don't install the meta package. Remove samba packages with yum, which will remove sssd-ad. Ensure specific packages necessary are installed, possibly sssd-common sssd-clients sssd-ldap. Test your auth works.
However, you cannot be compliant without fundamentals like security updates. Basic system administration, but certainly staying up to date is on STIG checklists as well. I suspect someone is parsing a list of CVEs as an inflexible checklist. Working those findings and lots of other tasks is leading your team to ignore the tedious but important task of maintaining software.
RHEL 7.5 Extended Update Support has ended, assuming you subscribed to it in the first place. Your RHEL 7.3 boxes are definitely behind on updates. More than three years behind at this point, which is a decent amount of technical debt to defer.
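An added example, not part of the answer above: a check that a host's package list matches the LDAP-only layout the answer describes (no sssd meta package, no sssd-ad, no Samba packages, required sssd sub-packages present). The package name sssd-client, the Samba name patterns and the sample package list are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a package list for an LDAP-only sssd install.
# Real use on a host:  rpm -qa --qf '%{NAME}\n' | audit_sssd_pkgs

# Packages to keep (assumption: the RHEL 7 client package is "sssd-client").
REQUIRED="sssd-common sssd-client sssd-ldap"
# Meta package, AD provider and Samba packages/libraries (assumed name patterns).
UNWANTED_RE='sssd|sssd-ad|samba.*|libsmbclient|libwbclient'

audit_sssd_pkgs() {
    installed=$(cat)                      # one package name per line on stdin
    # -x anchors the match to the whole name, so sssd-common is not flagged.
    unwanted=$(printf '%s\n' "$installed" | grep -Ex "$UNWANTED_RE" || true)
    rc=0
    for pkg in $unwanted; do
        echo "REMOVE $pkg"; rc=1
    done
    for pkg in $REQUIRED; do
        if ! printf '%s\n' "$installed" | grep -qxF -- "$pkg"; then
            echo "MISSING $pkg"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: LDAP-only sssd layout"
    return "$rc"
}

# Constructed sample: a host where the sssd meta package pulled in AD support.
audit_sssd_pkgs <<'EOF' || true
sssd
sssd-ad
sssd-common
sssd-ldap
samba-client-libs
libwbclient
openldap
EOF
```

The function returns non-zero when anything is flagged, so it can gate a post-change check before you test authentication.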