Fosiul Alam
2016-Sep-02 15:36 UTC
[Samba] Samba4 and sssd authentication not working due "Transport encryption required."
Hi Experts,

I have set up samba4 version "samba-4.4.5"; Windows authentication is working fine. However, sssd authentication is not working. The same setup works with an older version of samba4, so I guess the requirement below has been newly added, but I don't understand what I should do to make sssd work.

Below is the log I am getting from the sssd log:

[simple_bind_done] (3): Bind result: Strong(er) authentication required(8), BindSimple: Transport encryption required.

(Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_send] (4): Executing simple bind as: CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
(Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done] (5): Server returned no controls.
(Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done] (3): Bind result: Strong(er) authentication required(8), BindSimple: Transport encryption required.
(Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [fo_set_port_status] (4): Marking port 389 of server 'xxxxx' as 'not working'
ri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [sdap_id_op_connect_done] (1): Failed to connect, going offline (5 [Input/output error])
(Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3): Going offline. Running callbacks.

My sssd configuration is below:

[sssd]
config_file_version = 2
domains = xxx.xxx
services = nss, pam
debug_level = 5

[nss]

[pam]

[domain/xxx.xx]
ldap_referrals = false
enumerate = true

id_provider = ldap
#access_provider = ldap
auth_provider = ldap
ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = true
ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
ldap_default_authtok_type = password
ldap_default_authtok = xxxxxxxx

ldap_schema = rfc2307bis

ldap_user_search_base = dc=xx,dc=xx
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_search_base = dc=xx,dc=xx
ldap_group_object_class = group
ldap_group_member = memberOf
access_provider = simple

simple_allow_groups = IT

ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
[domain/default]
cache_credentials = False
Rowland Penny
2016-Sep-02 16:05 UTC
[Samba] Samba4 and sssd authentication not working due "Transport encryption required."
On Fri, 2 Sep 2016 16:36:43 +0100 Fosiul Alam via samba <samba at lists.samba.org> wrote:

> Hi Experts
> I have setup samba4 version "samba-4.4.5", Windows Authentication
> working fine.
> however sssd authentication not working, Same setup work with older
> version of samba4, so I guess below requirement has been added
> new, but I don't understand what shall I do to make sssd work.
>
> below log I am getting from sssd log
>
> [simple_bind_done] (3): Bind result: Strong(er) authentication
> required(8), BindSimple: Transport encryption required.
>
> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_send] (4):
> Executing simple bind as: CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done] (5):
> Server returned no controls.
> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
> (3): Bind result: Strong(er) authentication required(8), BindSimple:
> Transport encryption required.
> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [fo_set_port_status]
> (4): Marking port 389 of server 'xxxxx' as 'not working'
> ri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]]
> [sdap_id_op_connect_done] (1): Failed to connect, going offline (5
> [Input/output error]) (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]]
> [be_run_offline_cb] (3): Going offline. Running callbacks.
>
> my sssd configuration is below
>
> [sssd]
> config_file_version = 2
> domains = xxx.xxx
> services = nss, pam
> debug_level = 5
>
> [nss]
>
> [pam]
>
> [domain/xxx.xx]
> ldap_referrals = false
> enumerate = true
>
> id_provider = ldap
> #access_provider = ldap
> auth_provider = ldap
> ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
> ldap_id_use_start_tls = False
> ldap_auth_disable_tls_never_use_in_production = true
> ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
> ldap_default_authtok_type = password
> ldap_default_authtok = xxxxxxxx
>
> ldap_schema = rfc2307bis
>
> ldap_user_search_base = dc=xx,dc=xx
> ldap_user_object_class = user
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_principal = userPrincipalName
> ldap_group_search_base = dc=xx,dc=xx
> ldap_group_object_class = group
> ldap_group_member = memberOf
> access_provider = simple
>
> simple_allow_groups = IT
>
> ldap_access_order = expire
> ldap_account_expire_policy = ad
> ldap_force_upper_case_realm = true
> [domain/default]
> cache_credentials = False

Hello, sssd isn't a Samba product, you will probably get better support by asking on the sssd users mailing list.

Rowland
John Yocum
2016-Sep-02 19:33 UTC
[Samba] Samba4 and sssd authentication not working due "Transport encryption required."
On 09/02/2016 08:36 AM, Fosiul Alam via samba wrote:

> Hi Experts
> I have setup samba4 version "samba-4.4.5", Windows Authentication working
> fine.
> however sssd authentication not working, Same setup work with older version
> of samba4, so I guess below requirement has been added new, but I don't
> understand what shall I do to make sssd work.
>
> below log I am getting from sssd log
>
> [simple_bind_done] (3): Bind result: Strong(er) authentication required(8),
> BindSimple: Transport encryption required.
>
> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_send] (4):
> Executing simple bind as: CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done] (5):
> Server returned no controls.
> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done] (3): Bind
> result: Strong(er) authentication required(8), BindSimple: Transport
> encryption required.
> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [fo_set_port_status] (4):
> Marking port 389 of server 'xxxxx' as 'not working'
> ri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [sdap_id_op_connect_done] (1):
> Failed to connect, going offline (5 [Input/output error])
> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3):
> Going offline. Running callbacks.
>
> my sssd configuration is below
>
> [sssd]
> config_file_version = 2
> domains = xxx.xxx
> services = nss, pam
> debug_level = 5
>
> [nss]
>
> [pam]
>
> [domain/xxx.xx]
> ldap_referrals = false
> enumerate = true
>
> id_provider = ldap
> #access_provider = ldap
> auth_provider = ldap
> ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
> ldap_id_use_start_tls = False
> ldap_auth_disable_tls_never_use_in_production = true
> ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
> ldap_default_authtok_type = password
> ldap_default_authtok = xxxxxxxx
>
> ldap_schema = rfc2307bis
>
> ldap_user_search_base = dc=xx,dc=xx
> ldap_user_object_class = user
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_principal = userPrincipalName
> ldap_group_search_base = dc=xx,dc=xx
> ldap_group_object_class = group
> ldap_group_member = memberOf
> access_provider = simple
>
> simple_allow_groups = IT
>
> ldap_access_order = expire
> ldap_account_expire_policy = ad
> ldap_force_upper_case_realm = true
> [domain/default]
> cache_credentials = False
>

The error message is pretty clear. Samba now requires SSL/TLS for LDAP binds. Once you have enabled TLS in sssd, everything should work.

While you can turn off the requirement in Samba, it's a bad idea, as it'll result in unencrypted passwords being sent over the network.

--
John Yocum, Systems Administrator, DEOHS
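Added example, not part of any poster's message: a small Python check that flags the settings in the posted sssd.conf that lead SSSD to attempt a simple bind over plain LDAP, shown next to a corrected form that uses StartTLS. Both configs are constructed from the post; the CA certificate path is an assumption, and an unset ldap_id_use_start_tls is treated as off.

```python
import configparser

# Constructed sample: the TLS-relevant lines of the posted domain section.
ORIGINAL = """
[domain/xxx.xx]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = true
"""

# Constructed corrected form: StartTLS on port 389 with strict certificate
# checking. The CA file path is an assumption; point it at the CA that
# signed the domain controller's LDAP certificate.
CORRECTED = """
[domain/xxx.xx]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/samba-ca.pem
"""

def audit(text):
    """Return (section, finding) pairs for LDAP domains that bind without TLS."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if not name.startswith("domain/") or "ldap_uri" not in sec:
            continue
        uris = [u.strip().lower() for u in sec["ldap_uri"].split(",")]
        plain = [u for u in uris if not u.startswith("ldaps://")]
        # Assumption: an unset ldap_id_use_start_tls means StartTLS is off.
        if plain and not sec.getboolean("ldap_id_use_start_tls", fallback=False):
            findings.append((name, "ldap:// URI without ldap_id_use_start_tls = true"))
        if sec.getboolean("ldap_auth_disable_tls_never_use_in_production", fallback=False):
            findings.append((name, "TLS for authentication explicitly disabled"))
        if sec.get("ldap_tls_reqcert", "hard").lower() in ("never", "allow", "try"):
            findings.append((name, "server certificate not strictly verified"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(label, audit(cfg))
```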
Rowland Penny
2016-Sep-02 21:09 UTC
[Samba] Samba4 and sssd authentication not working due "Transport encryption required."
On Fri, 2 Sep 2016 12:33:34 -0700 John Yocum via samba <samba at lists.samba.org> wrote:

> On 09/02/2016 08:36 AM, Fosiul Alam via samba wrote:
> > Hi Experts
> > I have setup samba4 version "samba-4.4.5", Windows Authentication
> > working fine.
> > however sssd authentication not working, Same setup work with older
> > version of samba4, so I guess below requirement has been added
> > new, but I don't understand what shall I do to make sssd work.
> >
> > below log I am getting from sssd log
> >
> > [simple_bind_done] (3): Bind result: Strong(er) authentication
> > required(8), BindSimple: Transport encryption required.
> >
> > (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_send]
> > (4): Executing simple bind as: CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
> > (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
> > (5): Server returned no controls.
> > (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
> > (3): Bind result: Strong(er) authentication required(8),
> > BindSimple: Transport encryption required.
> > (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [fo_set_port_status]
> > (4): Marking port 389 of server 'xxxxx' as 'not working'
> > ri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]]
> > [sdap_id_op_connect_done] (1): Failed to connect, going offline (5
> > [Input/output error]) (Fri Sep 2 18:22:13 2016)
> > [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3): Going offline. Running
> > callbacks.
> >
> > my sssd configuration is below
> >
> > [sssd]
> > config_file_version = 2
> > domains = xxx.xxx
> > services = nss, pam
> > debug_level = 5
> >
> > [nss]
> >
> > [pam]
> >
> > [domain/xxx.xx]
> > ldap_referrals = false
> > enumerate = true
> >
> > id_provider = ldap
> > #access_provider = ldap
> > auth_provider = ldap
> > ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
> > ldap_id_use_start_tls = False
> > ldap_auth_disable_tls_never_use_in_production = true
> > ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
> > ldap_default_authtok_type = password
> > ldap_default_authtok = xxxxxxxx
> >
> > ldap_schema = rfc2307bis
> >
> > ldap_user_search_base = dc=xx,dc=xx
> > ldap_user_object_class = user
> > ldap_user_home_directory = unixHomeDirectory
> > ldap_user_principal = userPrincipalName
> > ldap_group_search_base = dc=xx,dc=xx
> > ldap_group_object_class = group
> > ldap_group_member = memberOf
> > access_provider = simple
> >
> > simple_allow_groups = IT
> >
> > ldap_access_order = expire
> > ldap_account_expire_policy = ad
> > ldap_force_upper_case_realm = true
> > [domain/default]
> > cache_credentials = False
> >
>
> The error message is pretty clear. Samba now requires SSL/TLS for LDAP
> binds. Once you have enabled TLS in sssd, everything should work.
> While you can turn off the requirement in Samba, it's a bad idea, as
> it'll result in unencrypted passwords being sent over the network.
>

Yes, you are correct about the reason, but what about fixing the problem?

I will say it again: SSSD has nothing to do with Samba and as such, the place to ask for help with SSSD is on the 'sssd users' mailing list.

Rowland