[Samba] Samba4 and sssd authentication not working due "Transport encryption required."

Rowland Penny rpenny at samba.org
Sat Sep 3 14:42:56 UTC 2016


On Sat, 3 Sep 2016 09:28:39 -0500
Michael A Weber <mweber.subscriptions01 at gmail.com> wrote:

> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
> 
> 
> > On Sep 3, 2016, at 7:59 AM, Fosiul Alam via samba
> > <samba at lists.samba.org> wrote:
> > 
> > Hi Both
> > Thanks
> > 
> > From the Samba4 side I need this help: I can see that sshd has this
> > option. Can you just tell me, by default when I installed samba4,
> > did it create any .crt file, and if yes, where, which I can use in sssd
> > TLS authentication? Thanks for the help
> > 
> > 
> > # A native LDAP domain
> > [domain/LDAP]
> > enumerate = true
> > cache_credentials = TRUE
> > 
> > id_provider = ldap
> > auth_provider = ldap
> > chpass_provider = ldap
> > 
> > ldap_uri = ldap://ldap.mydomain.org
> > ldap_search_base = dc=mydomain,dc=org
> > tls_reqcert = demand
> > ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
> > 
> > 
> > 
> > On Fri, Sep 2, 2016 at 10:09 PM, Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> > 
> >> On Fri, 2 Sep 2016 12:33:34 -0700
> >> John Yocum via samba <samba at lists.samba.org> wrote:
> >> 
> >>> On 09/02/2016 08:36 AM, Fosiul Alam via samba wrote:
> >>>> Hi Experts
> >>>> I have set up samba4 version "samba-4.4.5"; Windows
> >>>> authentication is working fine.
> >>>> However, sssd authentication is not working. The same setup works
> >>>> with an older version of samba4, so I guess the requirement below
> >>>> has been newly added, but I don't understand what I should do to
> >>>> make sssd work.
> >>>> 
> >>>> Below is the log I am getting from sssd:
> >>>> 
> >>>> 
> >>>> [simple_bind_done] (3): Bind result: Strong(er) authentication
> >>>> required(8), BindSimple: Transport encryption required.
> >>>> 
> >>>> 
> >>>> 
> >>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_send]
> >>>> (4): Executing simple bind as:
> >>>> CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx (Fri Sep  2 18:22:13 2016)
> >>>> [sssd[be[xxx.xxx]]] [simple_bind_done] (5): Server returned no
> >>>> controls. (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
> >>>> [simple_bind_done] (3): Bind result: Strong(er) authentication
> >>>> required(8), BindSimple: Transport encryption required.
> >>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
> >>>> [fo_set_port_status] (4): Marking port 389 of server 'xxxxx' as
> >>>> 'not working' ri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
> >>>> [sdap_id_op_connect_done] (1): Failed to connect, going offline
> >>>> (5 [Input/output error]) (Fri Sep  2 18:22:13 2016)
> >>>> [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3): Going offline.
> >>>> Running callbacks.
> >>>> 
> >>>> 
> >>>> my sssd configuration is below
> >>>> 
> >>>> [sssd]
> >>>> config_file_version = 2
> >>>> domains = xxx.xxx
> >>>> services = nss, pam
> >>>> debug_level = 5
> >>>> 
> >>>> 
> >>>> [nss]
> >>>> 
> >>>> 
> >>>> [pam]
> >>>> 
> >>>> 
> >>>> [domain/xxx.xx]
> >>>> ldap_referrals = false
> >>>> enumerate = true
> >>>> 
> >>>> id_provider = ldap
> >>>> #access_provider = ldap
> >>>> auth_provider = ldap
> >>>> ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
> >>>> ldap_id_use_start_tls = False
> >>>> ldap_auth_disable_tls_never_use_in_production = true
> >>>> ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
> >>>> ldap_default_authtok_type = password
> >>>> ldap_default_authtok = xxxxxxxx
> >>>> 
> >>>> ldap_schema = rfc2307bis
> >>>> 
> >>>> ldap_user_search_base = dc=xx,dc=xx
> >>>> ldap_user_object_class = user
> >>>> ldap_user_home_directory = unixHomeDirectory
> >>>> ldap_user_principal = userPrincipalName
> >>>> ldap_group_search_base = dc=xx,dc=xx
> >>>> ldap_group_object_class = group
> >>>> ldap_group_member = memberOf
> >>>> access_provider = simple
> >>>> 
> >>>> 
> >>>> 
> >>>> simple_allow_groups = IT
> >>>> 
> >>>> 
> >>>> ldap_access_order = expire
> >>>> ldap_account_expire_policy = ad
> >>>> ldap_force_upper_case_realm = true
> >>>> [domain/default]
> >>>> cache_credentials = False
> >>>> 
> >>> 
> >>> The error message is pretty clear. Samba now requires SSL/TLS for
> >>> LDAP binds. Once you have enabled TLS in sssd, everything should
> >>> work. While you can turn off the requirement in Samba, it's a bad
> >>> idea, as it'll result in unencrypted passwords being sent over
> >>> the network.
> >>> 
> >> 
> >> Yes, you are correct about the reason, but what about fixing the
> >> problem ?
> >> 
> >> I will say it again: SSSD has nothing to do with Samba and as
> >> such, the place to ask for help with SSSD is on the 'sssd users'
> >> mailing list.
> >> 
> >> Rowland
> >> 
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >> 
> > 
> > 
> > 
> > -- 
> > Regards
> > Fosiul Alam
> 

The problem is that we do not know how Samba is set up, but, from the
fact he mentioned windows, I think we can guess that he is using AD
authentication, if this is the case (from what I know about sssd), he
is setting up sssd incorrectly, see here:

https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server

Samba DOES NOT develop sssd, so he would be better off asking on the
'sssd-users' mailing list. He will get better advice there, after all,
they develop sssd.

If he decides to use winbind instead, then we can help him with the
transition.

Otherwise, go here:

https://lists.fedorahosted.org/admin/lists/sssd-users.lists.fedorahosted.org/

and join the sssd-users mailing list.


Rowland
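As an added illustration that is not from any poster in this thread: the sssd.conf settings that trigger the "Transport encryption required" bind result, beside a corrected fragment that satisfies the DC's TLS requirement. The host name, domain name and CA file path are assumptions; sssd.conf does not take inline comments, so every comment is on its own line.

```ini
# Weak (the shape of the original sssd.conf): identity lookups over
# cleartext LDAP on 389, and TLS for the password bind explicitly
# switched off. A Samba 4.4.x DC rejects the simple bind with result
# 8 (strongerAuthRequired, "Transport encryption required"), sssd marks
# port 389 as 'not working' and goes offline.
[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dc1.example.com:389
ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = true

# Corrected: every bind that carries a password is wrapped in TLS.
# StartTLS on 389 is shown; ldaps://dc1.example.com on 636 works as well.
[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dc1.example.com:389
# Encrypt the identity-lookup bind (the ldap_default_bind_dn one) too.
ldap_id_use_start_tls = true
# ldap_auth_disable_tls_never_use_in_production is simply removed;
# sssd then uses TLS for authentication binds by default.
# Refuse to talk to a server whose certificate does not verify.
ldap_tls_reqcert = demand
# Assumed path: a copy of the CA that signed the DC's LDAP certificate.
# A default Samba provision creates a self-signed CA and server cert
# under the DC's private/tls/ directory; that ca.pem is what goes here.
ldap_tls_cacert = /etc/pki/tls/certs/samba-dc-ca.pem
```

On the DC side, the smb.conf default `ldap server require strong auth = yes` is what produces result 8; leaving it at the default keeps the protection the thread describes, rather than relaxing it to make the cleartext bind succeed.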


