[Samba] Samba4 and sssd authentication not working due "Transport encryption required."

John Yocum jtyocum at uw.edu
Fri Sep 2 19:33:34 UTC 2016


On 09/02/2016 08:36 AM, Fosiul Alam via samba wrote:
> Hi Experts
> I have set up samba4 version "samba-4.4.5", and Windows authentication is
> working fine.
> However, sssd authentication is not working. The same setup works with an
> older version of samba4, so I guess the requirement below has been newly
> added, but I don't understand what I should do to make sssd work.
> 
> Below is what I am getting from the sssd log:
> 
> 
> [simple_bind_done] (3): Bind result: Strong(er) authentication required(8),
> BindSimple: Transport encryption required.
> 
> 
> 
> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_send] (4):
> Executing simple bind as: CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done] (5):
> Server returned no controls.
> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done] (3): Bind
> result: Strong(er) authentication required(8), BindSimple: Transport
> encryption required.
> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [fo_set_port_status] (4):
> Marking port 389 of server 'xxxxx' as 'not working'
> ri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [sdap_id_op_connect_done] (1):
> Failed to connect, going offline (5 [Input/output error])
> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3):
> Going offline. Running callbacks.
> 
> 
> My sssd configuration is below:
> 
> [sssd]
> config_file_version = 2
> domains = xxx.xxx
> services = nss, pam
> debug_level = 5
> 
> 
> [nss]
> 
> 
> [pam]
> 
> 
> [domain/xxx.xx]
> ldap_referrals = false
> enumerate = true
> 
> id_provider = ldap
> #access_provider = ldap
> auth_provider = ldap
> ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
> ldap_id_use_start_tls = False
> ldap_auth_disable_tls_never_use_in_production = true
> ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
> ldap_default_authtok_type = password
> ldap_default_authtok = xxxxxxxx
> 
> ldap_schema = rfc2307bis
> 
> ldap_user_search_base = dc=xx,dc=xx
> ldap_user_object_class = user
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_principal = userPrincipalName
> ldap_group_search_base = dc=xx,dc=xx
> ldap_group_object_class = group
> ldap_group_member = memberOf
> access_provider = simple
> 
> 
> 
> simple_allow_groups = IT
> 
> 
> ldap_access_order = expire
> ldap_account_expire_policy = ad
> ldap_force_upper_case_realm = true
> [domain/default]
> cache_credentials = False
> 

The error message is pretty clear. Samba now requires SSL/TLS for LDAP
binds. Once you have enabled TLS in sssd, everything should work. While
you can turn off the requirement in Samba, it's a bad idea, as it'll
result in unencrypted passwords being sent over the network.

-- 
John Yocum, Systems Administrator, DEOHS
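
A small audit of sssd.conf for the condition discussed in this thread, added here as an example (it is not part of either message and is not Samba or SSSD project code): it flags LDAP domains that would send a simple bind without TLS. The host names, the CA path and the `audit` helper are constructed for illustration; the option names are SSSD's own.

```python
import configparser

# Constructed sample mirroring the TLS-related settings quoted in the question.
POSTED = """
[domain/example.test]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dc-a.example.test:389
ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = true
"""

# Constructed corrected variant: StartTLS on port 389 with certificate checks.
# The CA path is a placeholder.
FIXED = """
[domain/example.test]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dc-a.example.test:389
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem
"""

def audit(text):
    """Return (section, finding) pairs for LDAP domains that bind without TLS."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if not name.startswith("domain/"):
            continue
        if "ldap" not in (sec.get("id_provider", ""), sec.get("auth_provider", "")):
            continue
        uris = [u.strip().lower() for u in sec.get("ldap_uri", "").split(",") if u.strip()]
        start_tls = sec.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        if any(u.startswith("ldap://") for u in uris) and not start_tls:
            findings.append((name, "ldap:// URI without ldap_id_use_start_tls"))
        if sec.get("ldap_auth_disable_tls_never_use_in_production", "false").strip().lower() == "true":
            findings.append((name, "TLS disabled for authentication"))
        if sec.get("ldap_tls_reqcert", "hard").strip().lower() in ("never", "allow"):
            findings.append((name, "server certificate not verified"))
    return findings

if __name__ == "__main__":
    for section, finding in audit(POSTED):
        print(f"{section}: {finding}")
```
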


