[Samba] Samba4 and sssd authentication not working due "Transport encryption required."

Achim Gottinger achim at ag-web.biz
Sat Sep 3 13:17:49 UTC 2016


On 03.09.2016 at 14:59, Fosiul Alam via samba wrote:
> Hi Both
> Thanks
>
> from the Samba4 side I need this help, I can see that sshd has this option, can
> you just tell me by default when I installed samba4, did it create any
> .crt file, if yes where? which I can use in sssd tls authentication?
> Thanks for the help
>
>
> # A native LDAP domain
> [domain/LDAP]
> enumerate = true
> cache_credentials = TRUE
>
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
>
> ldap_uri = ldap://ldap.mydomain.org
> ldap_search_base = dc=mydomain,dc=org
> tls_reqcert = demand
> ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
>
>
>
> On Fri, Sep 2, 2016 at 10:09 PM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Fri, 2 Sep 2016 12:33:34 -0700
>> John Yocum via samba <samba at lists.samba.org> wrote:
>>
>>> On 09/02/2016 08:36 AM, Fosiul Alam via samba wrote:
>>>> Hi Experts
>>>> I have setup samba4 version "samba-4.4.5" , Windows Authentication
>>>> working fine.
>>>> however sssd authentication is not working. The same setup works with an older
>>>> version of samba4, so I guess the requirement below has been added
>>>> new, but I don't understand what I shall do to make sssd work.
>>>>
>>>> Below is the log I am getting from the sssd log
>>>>
>>>>
>>>> [simple_bind_done] (3): Bind result: Strong(er) authentication
>>>> required(8), BindSimple: Transport encryption required.
>>>>
>>>>
>>>>
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_send]
>>>> (4): Executing simple bind as: CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
>>>> (5): Server returned no controls.
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
>>>> (3): Bind result: Strong(er) authentication required(8),
>>>> BindSimple: Transport encryption required.
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [fo_set_port_status]
>>>> (4): Marking port 389 of server 'xxxxx' as 'not working'
>>>> ri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
>>>> [sdap_id_op_connect_done] (1): Failed to connect, going offline (5
>>>> [Input/output error]) (Fri Sep  2 18:22:13 2016)
>>>> [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3): Going offline. Running
>>>> callbacks.
>>>>
>>>>
>>>> my sssd configuration is below
>>>>
>>>> [sssd]
>>>> config_file_version = 2
>>>> domains = xxx.xxx
>>>> services = nss, pam
>>>> debug_level = 5
>>>>
>>>>
>>>> [nss]
>>>>
>>>>
>>>> [pam]
>>>>
>>>>
>>>> [domain/xxx.xx]
>>>> ldap_referrals = false
>>>> enumerate = true
>>>>
>>>> id_provider = ldap
>>>> #access_provider = ldap
>>>> auth_provider = ldap
>>>> ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
>>>> ldap_id_use_start_tls = False
>>>> ldap_auth_disable_tls_never_use_in_production = true
>>>> ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
>>>> ldap_default_authtok_type = password
>>>> ldap_default_authtok = xxxxxxxx
>>>>
>>>> ldap_schema = rfc2307bis
>>>>
>>>> ldap_user_search_base = dc=xx,dc=xx
>>>> ldap_user_object_class = user
>>>> ldap_user_home_directory = unixHomeDirectory
>>>> ldap_user_principal = userPrincipalName
>>>> ldap_group_search_base = dc=xx,dc=xx
>>>> ldap_group_object_class = group
>>>> ldap_group_member = memberOf
>>>> access_provider = simple
>>>>
>>>>
>>>>
>>>> simple_allow_groups = IT
>>>>
>>>>
>>>> ldap_access_order = expire
>>>> ldap_account_expire_policy = ad
>>>> ldap_force_upper_case_realm = true
>>>> [domain/default]
>>>> cache_credentials = False
>>>>
>>> The error message is pretty clear. Samba now requires SSL/TLS for LDAP
>>> binds. Once you have enabled TLS in sssd, everything should work.
>>> While you can turn off the requirement in Samba, it's a bad idea, as
>>> it'll result in unencrypted passwords being sent over the network.
>>>
>> Yes, you are correct about the reason, but what about fixing the
>> problem ?
>>
>> I will say it again: SSSD has nothing to do with Samba and as such, the
>> place to ask for help with SSSD is on the 'sssd users' mailing list.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
Hi,

On debian this is

/var/lib/samba/private/tls/ca.pem

achim~
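The quoted sssd.conf disables TLS on the LDAP provider (ldap_id_use_start_tls = False and ldap_auth_disable_tls_never_use_in_production = true), which is exactly what Samba rejects with "Transport encryption required". The following is an added example, not code from the thread or from the Samba or SSSD projects: it parses an sssd.conf fragment, flags the settings that leave the simple bind unencrypted, and emits a copy with STARTTLS enforced against the Debian CA path Achim names. The sample config is constructed from the thread; ldap_tls_reqcert is the sssd-ldap option corresponding to the tls_reqcert line Fosiul used.

```python
import configparser
import io

# Constructed sample: the sssd.conf fragment from the thread, trimmed to the
# settings that matter for the "Transport encryption required" bind failure.
WEAK_SSSD_CONF = """
[sssd]
config_file_version = 2
domains = xxx.xxx
services = nss, pam

[domain/xxx.xxx]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = true
ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
"""

# CA file Achim names for Debian; on other distributions this path is an assumption.
SAMBA_CA_PEM = "/var/lib/samba/private/tls/ca.pem"

def _truthy(value):
    return value.strip().lower() in ("true", "yes", "1")

def audit_domain(conf_text, domain):
    """Return the settings in [domain/<domain>] that leave LDAP binds unencrypted."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    findings = []
    uri = sec.get("ldap_uri", "")
    if uri.startswith("ldap://") and not _truthy(sec.get("ldap_id_use_start_tls", "false")):
        findings.append("ldap_uri is plain ldap:// and ldap_id_use_start_tls is not enabled")
    if _truthy(sec.get("ldap_auth_disable_tls_never_use_in_production", "false")):
        findings.append("ldap_auth_disable_tls_never_use_in_production is set")
    if not sec.get("ldap_tls_cacert"):
        findings.append("ldap_tls_cacert is not set, so the DC certificate cannot be verified")
    return findings

def harden_domain(conf_text, domain, cacert=SAMBA_CA_PEM):
    """Return a copy of the config with STARTTLS enforced and the CA file configured."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    sec["ldap_id_use_start_tls"] = "True"
    sec.pop("ldap_auth_disable_tls_never_use_in_production", None)
    sec["ldap_tls_reqcert"] = "demand"   # refuse the bind if the DC cert does not verify
    sec["ldap_tls_cacert"] = cacert
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

Running audit_domain on the hardened output returns no findings; the same ca.pem is what ldap_tls_cacert must point at for the bind to pass certificate verification.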


