[Samba] Samba4 and sssd authentication not working due "Transport encryption required."
rpenny at samba.org
Sat Sep 3 21:10:27 UTC 2016
On Sat, 3 Sep 2016 21:24:07 +0100
Fosiul Alam <fosiul at gmail.com> wrote:
> Hi Thanks to All.
> so i understand that i will have to use ca.pem from Clinet to
> authenticaiotn vis tls , is that right ?
> also, if i use default tls file which was created by samba4
> installation, do i need to add them into smb.conf ?
> I can see the wiki say, if i create selfsigned then i will need add,
> but I am not sure if this is true for defautl .pem file ?
> bellow is smb.conf
> Thanks for the help
> # Global parameters
> bind interfaces only = Yes
> interfaces = lo eth0 eth1
> netbios name = xxxx
> realm = xx.xx
> workgroup = xxx
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> comment =
> path = /usr/local/samba/var/locks/sysvol/upc.acc/scripts
> read only = No
> path = /usr/local/samba/var/locks/sysvol
> read only = No
> On Sat, Sep 3, 2016 at 2:18 PM, Marc Muehlfeld <mmuehlfeld at samba.org>
> > Hi Fosiul,
> > Am 03.09.2016 um 14:59 schrieb Fosiul Alam via samba:
> > > from Samba4 side i need this help, I can see that sshd has this
> > > option,
> > can
> > > you just tell me by default when i installed samba4 , did it
> > > create any .crt file , if yes where? which i can use in sssd tls
> > > authenticaiton ? Thanks for the help
> > # ls -1 /usr/local/samba/private/tls/*.pem
> > /usr/local/samba/private/tls/ca.pem
> > /usr/local/samba/private/tls/cert.pem
> > /usr/local/samba/private/tls/key.pem
> > Regards,
> > Marc
Look Fosiul, I am trying to help you but you are not listening to me.
You shouldn't be using ldap with sssd against active directory, it
therefore follows you shouldn't be using tls either.
Go and read this:
Try to use it and if you are still having problems, ask on the
sssd-users mailing list.
You will only get information and help from people who use sssd here,
you will get information and help from the people who write sssd on the
sssd-users mailing list
I will say it once again, your way of using ldap with sssd is outdated
and has been replaced by the 'ad' providers.
If all you require is to authenticate users and groups on the DC, then
use winbind, this is a Samba package and is fully supported here.
More information about the samba