[Samba] Samba4 and sssd authentication not working due "Transport encryption required."

Michael A Weber mweber.subscriptions01 at gmail.com
Sat Sep 3 14:28:39 UTC 2016


https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC


> On Sep 3, 2016, at 7:59 AM, Fosiul Alam via samba <samba at lists.samba.org> wrote:
> 
> Hi Both
> Thanks
> 
> From the Samba4 side I need this help. I can see that sshd has this option; can
> you just tell me, by default when I installed samba4, did it create any
> .crt file, and if yes, where? Which I can use in sssd TLS authentication?
> Thanks for the help
> 
> 
> # A native LDAP domain
> [domain/LDAP]
> enumerate = true
> cache_credentials = TRUE
> 
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> 
> ldap_uri = ldap://ldap.mydomain.org
> ldap_search_base = dc=mydomain,dc=org
> ldap_tls_reqcert = demand
> ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
> 
> 
> 
> On Fri, Sep 2, 2016 at 10:09 PM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> 
>> On Fri, 2 Sep 2016 12:33:34 -0700
>> John Yocum via samba <samba at lists.samba.org> wrote:
>> 
>>> On 09/02/2016 08:36 AM, Fosiul Alam via samba wrote:
>>>> Hi Experts
>>>> I have set up samba4 version "samba-4.4.5"; Windows Authentication is
>>>> working fine.
>>>> However, sssd authentication is not working. The same setup works with an older
>>>> version of samba4, so I guess the requirement below has been added
>>>> new, but I don't understand what I should do to make sssd work.
>>>> 
>>>> Below is the log I am getting from sssd:
>>>> 
>>>> 
>>>> [simple_bind_done] (3): Bind result: Strong(er) authentication
>>>> required(8), BindSimple: Transport encryption required.
>>>> 
>>>> 
>>>> 
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_send]
>>>> (4): Executing simple bind as: CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
>>>> (5): Server returned no controls.
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
>>>> (3): Bind result: Strong(er) authentication required(8),
>>>> BindSimple: Transport encryption required.
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [fo_set_port_status]
>>>> (4): Marking port 389 of server 'xxxxx' as 'not working'
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
>>>> [sdap_id_op_connect_done] (1): Failed to connect, going offline (5
>>>> [Input/output error]) (Fri Sep  2 18:22:13 2016)
>>>> [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3): Going offline. Running
>>>> callbacks.
>>>> 
>>>> 
>>>> My sssd configuration is below:
>>>> 
>>>> [sssd]
>>>> config_file_version = 2
>>>> domains = xxx.xxx
>>>> services = nss, pam
>>>> debug_level = 5
>>>> 
>>>> 
>>>> [nss]
>>>> 
>>>> 
>>>> [pam]
>>>> 
>>>> 
>>>> [domain/xxx.xx]
>>>> ldap_referrals = false
>>>> enumerate = true
>>>> 
>>>> id_provider = ldap
>>>> #access_provider = ldap
>>>> auth_provider = ldap
>>>> ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
>>>> ldap_id_use_start_tls = False
>>>> ldap_auth_disable_tls_never_use_in_production = true
>>>> ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
>>>> ldap_default_authtok_type = password
>>>> ldap_default_authtok = xxxxxxxx
>>>> 
>>>> ldap_schema = rfc2307bis
>>>> 
>>>> ldap_user_search_base = dc=xx,dc=xx
>>>> ldap_user_object_class = user
>>>> ldap_user_home_directory = unixHomeDirectory
>>>> ldap_user_principal = userPrincipalName
>>>> ldap_group_search_base = dc=xx,dc=xx
>>>> ldap_group_object_class = group
>>>> ldap_group_member = memberOf
>>>> access_provider = simple
>>>> 
>>>> 
>>>> 
>>>> simple_allow_groups = IT
>>>> 
>>>> 
>>>> ldap_access_order = expire
>>>> ldap_account_expire_policy = ad
>>>> ldap_force_upper_case_realm = true
>>>> [domain/default]
>>>> cache_credentials = False
>>>> 
>>> 
>>> The error message is pretty clear. Samba now requires SSL/TLS for LDAP
>>> binds. Once you have enabled TLS in sssd, everything should work.
>>> While you can turn off the requirement in Samba, it's a bad idea, as
>>> it'll result in unencrypted passwords being sent over the network.
>>> 
>> 
>> Yes, you are correct about the reason, but what about fixing the
>> problem?
>> 
>> I will say it again: SSSD has nothing to do with Samba and as such, the
>> place to ask for help with SSSD is on the 'sssd users' mailing list.
>> 
>> Rowland
>> 
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>> 
> 
> 
> 
> -- 
> Regards
> Fosiul Alam
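The thread's root cause is visible in the posted sssd.conf: `ldap_uri = ldap://...` with `ldap_id_use_start_tls = False` means the identity lookups bind as `ldapadmin` over a cleartext connection, which the DC refuses with "Transport encryption required", and `ldap_auth_disable_tls_never_use_in_production = true` does the same for users' own passwords. The following audit script is an added example written for this page; it is not code from the thread, from sssd or from Samba. It parses an sssd.conf and reports, per LDAP domain, the settings that would send a simple bind unencrypted, and it goes slightly beyond the thread by also accepting the StartTLS variant (`ldap_id_use_start_tls = true` on an `ldap://` URI) and by flagging `ldap_tls_reqcert` values that skip certificate validation. Option names are those of sssd-ldap(5); both sample configurations, the host `dc-a.example.org`, the CA path and the bind password are constructed placeholders.

```python
"""Audit an sssd.conf for LDAP domains that would send a simple bind over a
cleartext connection. Added example for this thread, not sssd's or Samba's
own code. Option names are those of sssd-ldap(5); both sample configs are
constructed (the weak one mirrors the settings posted in the thread)."""
import configparser
from urllib.parse import urlsplit

TRUE_VALUES = {"true", "yes", "1", "on"}
STRICT_REQCERT = {"demand", "hard"}  # sssd's default for ldap_tls_reqcert is "hard"


def _truthy(value):
    return value is not None and value.strip().lower() in TRUE_VALUES


def audit_sssd_ldap(conf_text):
    """Return {section: [finding, ...]} for every [domain/...] section that uses
    the ldap provider and has a transport-security problem. {} means clean."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        sec = parser[section]
        providers = {sec.get(k) for k in ("id_provider", "auth_provider", "chpass_provider")}
        if "ldap" not in providers:
            continue
        problems = []
        uris = [u.strip() for u in sec.get("ldap_uri", "").split(",") if u.strip()]
        schemes = {urlsplit(u).scheme.lower() for u in uris}
        all_ldaps = bool(schemes) and schemes <= {"ldaps"}
        start_tls = _truthy(sec.get("ldap_id_use_start_tls"))
        encrypted = all_ldaps or start_tls
        # 1. Lookups bind with ldap_default_bind_dn on the id connection, which is
        #    only protected by an ldaps:// URI or ldap_id_use_start_tls = true.
        if not encrypted and sec.get("ldap_default_bind_dn"):
            problems.append(
                "cleartext simple bind as %s: ldap:// URI without "
                "ldap_id_use_start_tls = true (the DC answers 'Transport "
                "encryption required')" % sec.get("ldap_default_bind_dn"))
        # 2. Auth path: sssd only skips TLS for password binds when told to.
        if _truthy(sec.get("ldap_auth_disable_tls_never_use_in_production")):
            problems.append(
                "ldap_auth_disable_tls_never_use_in_production = true: user "
                "passwords are sent in cleartext during authentication")
        # 3. TLS without certificate validation leaves the bind open to interception.
        reqcert = (sec.get("ldap_tls_reqcert") or "hard").strip().lower()
        if encrypted and reqcert not in STRICT_REQCERT:
            problems.append(
                "ldap_tls_reqcert = %s: the DC certificate is not verified" % reqcert)
        if problems:
            findings[section] = problems
    return findings


# Constructed sssd.conf modelled on the one posted in the thread (values anonymised).
WEAK_CONF = """
[sssd]
config_file_version = 2
domains = example.org
services = nss, pam

[domain/example.org]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dc-a.example.org:389
ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = true
ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=example,dc=org
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER-PASSWORD
ldap_schema = rfc2307bis
"""

# Constructed corrected version: LDAPS as in the wiki page linked in the reply,
# with strict certificate checking against the CA that signed the DC certificate.
FIXED_CONF = """
[sssd]
config_file_version = 2
domains = example.org
services = nss, pam

[domain/example.org]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://dc-a.example.org
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/example-ca.crt
ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=example,dc=org
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER-PASSWORD
ldap_schema = rfc2307bis
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, "->", audit_sssd_ldap(conf) or "no transport-security findings")
```

Running the script against a real `/etc/sssd/sssd.conf` only needs `audit_sssd_ldap(open(path).read())`. The design choice worth noting is the distinction between the two connections sssd uses: the lookup channel is encrypted only by `ldaps://` or `ldap_id_use_start_tls`, while the password-authentication channel is always encrypted unless `ldap_auth_disable_tls_never_use_in_production` is set, so the two findings are reported separately even though both surface as the same bind error in the log.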



More information about the samba mailing list