[Samba] Samba4 and sssd authentication not working due "Transport encryption required."

Fosiul Alam fosiul at gmail.com
Sat Sep 3 12:59:59 UTC 2016


Hi Both
Thanks

From the Samba4 side I need this help. I can see that sshd has this option; can
you just tell me, by default when I installed samba4, did it create any
.crt file? If yes, where? Which I can use in sssd TLS authentication?
Thanks for the help


# A native LDAP domain
[domain/LDAP]
enumerate = true
cache_credentials = TRUE

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt



On Fri, Sep 2, 2016 at 10:09 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Fri, 2 Sep 2016 12:33:34 -0700
> John Yocum via samba <samba at lists.samba.org> wrote:
>
> > On 09/02/2016 08:36 AM, Fosiul Alam via samba wrote:
> > > Hi Experts
> > > I have set up samba4 version "samba-4.4.5"; Windows authentication is
> > > working fine.
> > > However, sssd authentication is not working. The same setup works with an
> > > older version of samba4, so I guess the requirement below has been newly
> > > added, but I don't understand what I should do to make sssd work.
> > >
> > > Below is the log I am getting from the sssd log
> > >
> > >
> > > [simple_bind_done] (3): Bind result: Strong(er) authentication
> > > required(8), BindSimple: Transport encryption required.
> > >
> > >
> > >
> > > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_send]
> > > (4): Executing simple bind as: CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
> > > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
> > > (5): Server returned no controls.
> > > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
> > > (3): Bind result: Strong(er) authentication required(8),
> > > BindSimple: Transport encryption required.
> > > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [fo_set_port_status]
> > > (4): Marking port 389 of server 'xxxxx' as 'not working'
> > > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
> > > [sdap_id_op_connect_done] (1): Failed to connect, going offline (5
> > > [Input/output error])
> > > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [be_run_offline_cb]
> > > (3): Going offline. Running callbacks.
> > >
> > >
> > > My sssd configuration is below
> > >
> > > [sssd]
> > > config_file_version = 2
> > > domains = xxx.xxx
> > > services = nss, pam
> > > debug_level = 5
> > >
> > >
> > > [nss]
> > >
> > >
> > > [pam]
> > >
> > >
> > > [domain/xxx.xx]
> > > ldap_referrals = false
> > > enumerate = true
> > >
> > > id_provider = ldap
> > > #access_provider = ldap
> > > auth_provider = ldap
> > > ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
> > > ldap_id_use_start_tls = False
> > > ldap_auth_disable_tls_never_use_in_production = true
> > > ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
> > > ldap_default_authtok_type = password
> > > ldap_default_authtok = xxxxxxxx
> > >
> > > ldap_schema = rfc2307bis
> > >
> > > ldap_user_search_base = dc=xx,dc=xx
> > > ldap_user_object_class = user
> > > ldap_user_home_directory = unixHomeDirectory
> > > ldap_user_principal = userPrincipalName
> > > ldap_group_search_base = dc=xx,dc=xx
> > > ldap_group_object_class = group
> > > ldap_group_member = memberOf
> > > access_provider = simple
> > >
> > >
> > >
> > > simple_allow_groups = IT
> > >
> > >
> > > ldap_access_order = expire
> > > ldap_account_expire_policy = ad
> > > ldap_force_upper_case_realm = true
> > > [domain/default]
> > > cache_credentials = False
> > >
> >
> > The error message is pretty clear. Samba now requires SSL/TLS for LDAP
> > binds. Once you have enabled TLS in sssd, everything should work.
> > While you can turn off the requirement in Samba, it's a bad idea, as
> > it'll result in unencrypted passwords being sent over the network.
> >
>
> Yes, you are correct about the reason, but what about fixing the
> problem?
>
> I will say it again: SSSD has nothing to do with Samba and as such, the
> place to ask for help with SSSD is on the 'sssd users' mailing list.
>
> Rowland



-- 
Regards
Fosiul Alam
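
An added example, not part of the original thread or of the Samba or SSSD projects: a small audit of sssd.conf text that flags the settings quoted above which lead to a cleartext simple bind, the case the DC rejects with "Transport encryption required". Host names, the CA path and the finding strings are placeholders; unset options are treated as off, which is an assumption of this example.

```python
import configparser

# Constructed sample modelled on the sssd.conf quoted in the thread; names are placeholders.
WEAK = """
[domain/example.test]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dc-a.example.test:389
ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = true
ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=example,dc=test
"""
# Same domain with StartTLS and certificate checking on; the CA path is a placeholder.
HARDENED = """
[domain/example.test]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dc-a.example.test:389
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /path/to/ca.pem
"""

def is_true(value):
    return value.strip().lower() == "true"

def audit_sssd(text):
    """Return (section, finding) pairs for LDAP domains that may bind without TLS."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    for name in cfg.sections():
        sec = cfg[name]
        if not name.startswith("domain/") or sec.get("id_provider") != "ldap":
            continue
        uris = [u.strip() for u in sec.get("ldap_uri", "").split(",")]
        plain = [u for u in uris if u.lower().startswith("ldap://")]
        # Unset options are treated as off here (an assumption of this example).
        if plain and not is_true(sec.get("ldap_id_use_start_tls", "false")):
            findings.append((name, "simple bind in cleartext to " + ", ".join(plain)))
        if is_true(sec.get("ldap_auth_disable_tls_never_use_in_production", "false")):
            findings.append((name, "password authentication allowed without TLS"))
        if sec.get("ldap_tls_reqcert", "hard").strip().lower() in ("never", "allow"):
            findings.append((name, "server certificate is not verified"))
    return findings

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_sssd(text))
```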

