[Samba] Samba4 and sssd authentication not working due "Transport encryption required."

Rowland Penny rpenny at samba.org
Fri Sep 2 21:09:32 UTC 2016


On Fri, 2 Sep 2016 12:33:34 -0700
John Yocum via samba <samba at lists.samba.org> wrote:

> On 09/02/2016 08:36 AM, Fosiul Alam via samba wrote:
> > Hi Experts
> > I have set up samba4 version "samba-4.4.5"; Windows Authentication
> > is working fine.
> > However, sssd authentication is not working. The same setup works with
> > an older version of samba4, so I guess the requirement below has been
> > newly added, but I don't understand what I should do to make sssd work.
> > 
> > Below is the log I am getting from sssd:
> > 
> > 
> > [simple_bind_done] (3): Bind result: Strong(er) authentication
> > required(8), BindSimple: Transport encryption required.
> > 
> > 
> > 
> > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_send]
> > (4): Executing simple bind as: CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
> > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
> > (5): Server returned no controls.
> > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
> > (3): Bind result: Strong(er) authentication required(8),
> > BindSimple: Transport encryption required.
> > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [fo_set_port_status]
> > (4): Marking port 389 of server 'xxxxx' as 'not working'
> > ri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
> > [sdap_id_op_connect_done] (1): Failed to connect, going offline (5
> > [Input/output error]) (Fri Sep  2 18:22:13 2016)
> > [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3): Going offline. Running
> > callbacks.
> > 
> > 
> > My sssd configuration is below:
> > 
> > [sssd]
> > config_file_version = 2
> > domains = xxx.xxx
> > services = nss, pam
> > debug_level = 5
> > 
> > 
> > [nss]
> > 
> > 
> > [pam]
> > 
> > 
> > [domain/xxx.xx]
> > ldap_referrals = false
> > enumerate = true
> > 
> > id_provider = ldap
> > #access_provider = ldap
> > auth_provider = ldap
> > ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
> > ldap_id_use_start_tls = False
> > ldap_auth_disable_tls_never_use_in_production = true
> > ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
> > ldap_default_authtok_type = password
> > ldap_default_authtok = xxxxxxxx
> > 
> > ldap_schema = rfc2307bis
> > 
> > ldap_user_search_base = dc=xx,dc=xx
> > ldap_user_object_class = user
> > ldap_user_home_directory = unixHomeDirectory
> > ldap_user_principal = userPrincipalName
> > ldap_group_search_base = dc=xx,dc=xx
> > ldap_group_object_class = group
> > ldap_group_member = memberOf
> > access_provider = simple
> > 
> > 
> > 
> > simple_allow_groups = IT
> > 
> > 
> > ldap_access_order = expire
> > ldap_account_expire_policy = ad
> > ldap_force_upper_case_realm = true
> > [domain/default]
> > cache_credentials = False
> > 
> 
> The error message is pretty clear. Samba now requires SSL/TLS for LDAP
> binds. Once you have enabled TLS in sssd, everything should work.
> While you can turn off the requirement in Samba, it's a bad idea, as
> it'll result in unencrypted passwords being sent over the network.
> 

Yes, you are correct about the reason, but what about fixing the
problem?

I will say it again: SSSD has nothing to do with Samba and as such, the
place to ask for help with SSSD is on the 'sssd users' mailing list.

Rowland
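
Added example, not part of the original thread: a small Python check that flags the sssd.conf settings that lead to the "Transport encryption required" bind failure quoted above, namely a simple bind over plain ldap:// with StartTLS off and TLS for authentication disabled. The function name `audit_sssd_ldap`, the finding codes and the `example.test` sample are constructed for illustration; the option names come from the quoted configuration, plus `ldap_tls_reqcert` from sssd-ldap.

```python
import configparser

# Constructed sample mirroring the TLS-related lines of the quoted sssd.conf.
SAMPLE = """\
[sssd]
domains = example.test

[domain/example.test]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dc1.example.test:389
ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = true
ldap_default_authtok_type = password
ldap_default_authtok = placeholder
"""

def is_true(value):
    return value.strip().lower() in ("true", "yes", "1")

def audit_sssd_ldap(text):
    """Return (section, code, message) findings for each LDAP domain section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        d = cp[section]
        providers = (d.get("id_provider", ""), d.get("auth_provider", ""))
        if not section.startswith("domain/") or "ldap" not in providers:
            continue
        uris = [u.strip().lower() for u in d.get("ldap_uri", "").split(",")]
        plain = [u for u in uris if u.startswith("ldap://")]
        # Plain ldap:// without StartTLS sends the bind DN password unencrypted.
        if plain and not is_true(d.get("ldap_id_use_start_tls", "false")):
            findings.append((section, "cleartext-bind",
                             "ldap:// without StartTLS: " + ", ".join(plain)))
        # This switch lets user passwords be checked over an unencrypted link.
        if is_true(d.get("ldap_auth_disable_tls_never_use_in_production", "false")):
            findings.append((section, "auth-tls-disabled",
                             "TLS requirement for authentication is disabled"))
        # TLS that does not validate the server certificate can be intercepted.
        if d.get("ldap_tls_reqcert", "hard").strip().lower() in ("never", "allow"):
            findings.append((section, "cert-not-verified",
                             "ldap_tls_reqcert does not enforce validation"))
    return findings

if __name__ == "__main__":
    for section, code, message in audit_sssd_ldap(SAMPLE):
        print(f"[{section}] {code}: {message}")
```

An empty result means the domain section uses ldaps:// or StartTLS with certificate validation left enforced.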


