samba - Sep 2016 - Samba4 and sssd authentication not working due "Transport encryption required."

On Fri, 2 Sep 2016 12:33:34 -0700
John Yocum via samba <samba at lists.samba.org> wrote:
> On 09/02/2016 08:36 AM, Fosiul Alam via samba wrote:
> > Hi Experts
> > I have setup samba4 version "samba-4.4.5" , Windows
Authentication
> > working fine.
> > however sssd authentication not working, Same setup work with older
> > version of samba4  , so i guess bellow requirement has been added
> > new, but I dont understand what shall i do to make sssd work .
> > 
> > bellow log i am getting from sssd log
> > 
> > 
> > [simple_bind_done] (3): Bind result: Strong(er) authentication
> > required(8), BindSimple: Transport encryption required.
> > 
> > 
> > 
> > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_send]
> > (4): Executing simple bind as: CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
> > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
> > (5): Server returned no controls.
> > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
> > (3): Bind result: Strong(er) authentication required(8),
> > BindSimple: Transport encryption required.
> > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [fo_set_port_status]
> > (4): Marking port 389 of server 'xxxxx' as 'not
working'
> > ri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
> > [sdap_id_op_connect_done] (1): Failed to connect, going offline (5
> > [Input/output error]) (Fri Sep  2 18:22:13 2016)
> > [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3): Going offline. Running
> > callbacks.
> > 
> > 
> > my sssd configuation is bellow
> > 
> > [sssd]
> > config_file_version = 2
> > domains = xxx.xxx
> > services = nss, pam
> > debug_level = 5
> > 
> > 
> > [nss]
> > 
> > 
> > [pam]
> > 
> > 
> > [domain/xxx.xx]
> > ldap_referrals = false
> > enumerate = true
> > 
> > id_provider = ldap
> > #access_provider = ldap
> > auth_provider = ldap
> > ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
> > ldap_id_use_start_tls = False
> > ldap_auth_disable_tls_never_use_in_production = true
> > ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
> > ldap_default_authtok_type = password
> > ldap_default_authtok = xxxxxxxx
> > 
> > ldap_schema = rfc2307bis
> > 
> > ldap_user_search_base = dc=xx,dc=xx
> > ldap_user_object_class = user
> > ldap_user_home_directory = unixHomeDirectory
> > ldap_user_principal = userPrincipalName
> > ldap_group_search_base = dc=xx,dc=xx
> > ldap_group_object_class = group
> > ldap_group_member = memberOf
> > access_provider = simple
> > 
> > 
> > 
> > simple_allow_groups = IT
> > 
> > 
> > ldap_access_order = expire
> > ldap_account_expire_policy = ad
> > ldap_force_upper_case_realm = true
> > [domain/default]
> > cache_credentials = False
> > 
> 
> The error message is pretty clear. Samba now requires SSL/TLS for LDAP
> binds. Once you have enabled TLS in sssd, everything should work.
> While you can turn off the requirement in Samba, it's a bad idea, as
> it'll result in unencrypted passwords being sent over the network.
> 
Yes, you are correct about the reason, but what about fixing the
problem ?

I will say it again: SSSD has nothing to do with Samba and as such, the
place to ask for help with SSSD is on the 'sssd users' mailing list.

Rowland

Hi Both
Thanks

from Samba4 side i need this help, I can see that sshd has this option, can
you just tell me by default when i installed samba4 , did it create any
.crt file , if yes where? which i can use in sssd tls authenticaiton ?
Thanks for the help


# A native LDAP domain
[domain/LDAP]
enumerate = true
cache_credentials = TRUE

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt



On Fri, Sep 2, 2016 at 10:09 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Fri, 2 Sep 2016 12:33:34 -0700
> John Yocum via samba <samba at lists.samba.org> wrote:
>
> > On 09/02/2016 08:36 AM, Fosiul Alam via samba wrote:
> > > Hi Experts
> > > I have setup samba4 version "samba-4.4.5" , Windows
Authentication
> > > working fine.
> > > however sssd authentication not working, Same setup work with
older
> > > version of samba4  , so i guess bellow requirement has been added
> > > new, but I dont understand what shall i do to make sssd work .
> > >
> > > bellow log i am getting from sssd log
> > >
> > >
> > > [simple_bind_done] (3): Bind result: Strong(er) authentication
> > > required(8), BindSimple: Transport encryption required.
> > >
> > >
> > >
> > > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_send]
> > > (4): Executing simple bind as:
CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
> > > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
> > > (5): Server returned no controls.
> > > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
> > > (3): Bind result: Strong(er) authentication required(8),
> > > BindSimple: Transport encryption required.
> > > (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
[fo_set_port_status]
> > > (4): Marking port 389 of server 'xxxxx' as 'not
working'
> > > ri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
> > > [sdap_id_op_connect_done] (1): Failed to connect, going offline
(5
> > > [Input/output error]) (Fri Sep  2 18:22:13 2016)
> > > [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3): Going offline.
Running
> > > callbacks.
> > >
> > >
> > > my sssd configuation is bellow
> > >
> > > [sssd]
> > > config_file_version = 2
> > > domains = xxx.xxx
> > > services = nss, pam
> > > debug_level = 5
> > >
> > >
> > > [nss]
> > >
> > >
> > > [pam]
> > >
> > >
> > > [domain/xxx.xx]
> > > ldap_referrals = false
> > > enumerate = true
> > >
> > > id_provider = ldap
> > > #access_provider = ldap
> > > auth_provider = ldap
> > > ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
> > > ldap_id_use_start_tls = False
> > > ldap_auth_disable_tls_never_use_in_production = true
> > > ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
> > > ldap_default_authtok_type = password
> > > ldap_default_authtok = xxxxxxxx
> > >
> > > ldap_schema = rfc2307bis
> > >
> > > ldap_user_search_base = dc=xx,dc=xx
> > > ldap_user_object_class = user
> > > ldap_user_home_directory = unixHomeDirectory
> > > ldap_user_principal = userPrincipalName
> > > ldap_group_search_base = dc=xx,dc=xx
> > > ldap_group_object_class = group
> > > ldap_group_member = memberOf
> > > access_provider = simple
> > >
> > >
> > >
> > > simple_allow_groups = IT
> > >
> > >
> > > ldap_access_order = expire
> > > ldap_account_expire_policy = ad
> > > ldap_force_upper_case_realm = true
> > > [domain/default]
> > > cache_credentials = False
> > >
> >
> > The error message is pretty clear. Samba now requires SSL/TLS for LDAP
> > binds. Once you have enabled TLS in sssd, everything should work.
> > While you can turn off the requirement in Samba, it's a bad idea,
as
> > it'll result in unencrypted passwords being sent over the network.
> >
>
> Yes, you are correct about the reason, but what about fixing the
> problem ?
>
> I will say it again: SSSD has nothing to do with Samba and as such, the
> place to ask for help with SSSD is on the 'sssd users' mailing
list.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
Regards
Fosiul Alam

Am 03.09.2016 um 14:59 schrieb Fosiul Alam via samba:
> Hi Both
> Thanks
>
> from Samba4 side i need this help, I can see that sshd has this option, can
> you just tell me by default when i installed samba4 , did it create any
> .crt file , if yes where? which i can use in sssd tls authenticaiton ?
> Thanks for the help
>
>
> # A native LDAP domain
> [domain/LDAP]
> enumerate = true
> cache_credentials = TRUE
>
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
>
> ldap_uri = ldap://ldap.mydomain.org
> ldap_search_base = dc=mydomain,dc=org
> tls_reqcert = demand
> ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
>
>
>
> On Fri, Sep 2, 2016 at 10:09 PM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Fri, 2 Sep 2016 12:33:34 -0700
>> John Yocum via samba <samba at lists.samba.org> wrote:
>>
>>> On 09/02/2016 08:36 AM, Fosiul Alam via samba wrote:
>>>> Hi Experts
>>>> I have setup samba4 version "samba-4.4.5" , Windows
Authentication
>>>> working fine.
>>>> however sssd authentication not working, Same setup work with
older
>>>> version of samba4  , so i guess bellow requirement has been
added
>>>> new, but I dont understand what shall i do to make sssd work .
>>>>
>>>> bellow log i am getting from sssd log
>>>>
>>>>
>>>> [simple_bind_done] (3): Bind result: Strong(er) authentication
>>>> required(8), BindSimple: Transport encryption required.
>>>>
>>>>
>>>>
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
[simple_bind_send]
>>>> (4): Executing simple bind as:
CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
[simple_bind_done]
>>>> (5): Server returned no controls.
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
[simple_bind_done]
>>>> (3): Bind result: Strong(er) authentication required(8),
>>>> BindSimple: Transport encryption required.
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
[fo_set_port_status]
>>>> (4): Marking port 389 of server 'xxxxx' as 'not
working'
>>>> ri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
>>>> [sdap_id_op_connect_done] (1): Failed to connect, going offline
(5
>>>> [Input/output error]) (Fri Sep  2 18:22:13 2016)
>>>> [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3): Going offline.
Running
>>>> callbacks.
>>>>
>>>>
>>>> my sssd configuation is bellow
>>>>
>>>> [sssd]
>>>> config_file_version = 2
>>>> domains = xxx.xxx
>>>> services = nss, pam
>>>> debug_level = 5
>>>>
>>>>
>>>> [nss]
>>>>
>>>>
>>>> [pam]
>>>>
>>>>
>>>> [domain/xxx.xx]
>>>> ldap_referrals = false
>>>> enumerate = true
>>>>
>>>> id_provider = ldap
>>>> #access_provider = ldap
>>>> auth_provider = ldap
>>>> ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
>>>> ldap_id_use_start_tls = False
>>>> ldap_auth_disable_tls_never_use_in_production = true
>>>> ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
>>>> ldap_default_authtok_type = password
>>>> ldap_default_authtok = xxxxxxxx
>>>>
>>>> ldap_schema = rfc2307bis
>>>>
>>>> ldap_user_search_base = dc=xx,dc=xx
>>>> ldap_user_object_class = user
>>>> ldap_user_home_directory = unixHomeDirectory
>>>> ldap_user_principal = userPrincipalName
>>>> ldap_group_search_base = dc=xx,dc=xx
>>>> ldap_group_object_class = group
>>>> ldap_group_member = memberOf
>>>> access_provider = simple
>>>>
>>>>
>>>>
>>>> simple_allow_groups = IT
>>>>
>>>>
>>>> ldap_access_order = expire
>>>> ldap_account_expire_policy = ad
>>>> ldap_force_upper_case_realm = true
>>>> [domain/default]
>>>> cache_credentials = False
>>>>
>>> The error message is pretty clear. Samba now requires SSL/TLS for
LDAP
>>> binds. Once you have enabled TLS in sssd, everything should work.
>>> While you can turn off the requirement in Samba, it's a bad
idea, as
>>> it'll result in unencrypted passwords being sent over the
network.
>>>
>> Yes, you are correct about the reason, but what about fixing the
>> problem ?
>>
>> I will say it again: SSSD has nothing to do with Samba and as such, the
>> place to ask for help with SSSD is on the 'sssd users' mailing
list.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
Hi,

On debian this is

/var/lib/samba/private/tls/ca.pem

achim~

Hi Fosiul,

Am 03.09.2016 um 14:59 schrieb Fosiul Alam via samba:
> from Samba4 side i need this help, I can see that sshd has this option, can
> you just tell me by default when i installed samba4 , did it create any
> .crt file , if yes where? which i can use in sssd tls authenticaiton ?
> Thanks for the help
# ls -1 /usr/local/samba/private/tls/*.pem
/usr/local/samba/private/tls/ca.pem
/usr/local/samba/private/tls/cert.pem
/usr/local/samba/private/tls/key.pem



Regards,
Marc

https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
<https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC>

> On Sep 3, 2016, at 7:59 AM, Fosiul Alam via samba <samba at
lists.samba.org> wrote:
> 
> Hi Both
> Thanks
> 
> from Samba4 side i need this help, I can see that sshd has this option, can
> you just tell me by default when i installed samba4 , did it create any
> .crt file , if yes where? which i can use in sssd tls authenticaiton ?
> Thanks for the help
> 
> 
> # A native LDAP domain
> [domain/LDAP]
> enumerate = true
> cache_credentials = TRUE
> 
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> 
> ldap_uri = ldap://ldap.mydomain.org
> ldap_search_base = dc=mydomain,dc=org
> tls_reqcert = demand
> ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
> 
> 
> 
> On Fri, Sep 2, 2016 at 10:09 PM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> 
>> On Fri, 2 Sep 2016 12:33:34 -0700
>> John Yocum via samba <samba at lists.samba.org> wrote:
>> 
>>> On 09/02/2016 08:36 AM, Fosiul Alam via samba wrote:
>>>> Hi Experts
>>>> I have setup samba4 version "samba-4.4.5" , Windows
Authentication
>>>> working fine.
>>>> however sssd authentication not working, Same setup work with
older
>>>> version of samba4  , so i guess bellow requirement has been
added
>>>> new, but I dont understand what shall i do to make sssd work .
>>>> 
>>>> bellow log i am getting from sssd log
>>>> 
>>>> 
>>>> [simple_bind_done] (3): Bind result: Strong(er) authentication
>>>> required(8), BindSimple: Transport encryption required.
>>>> 
>>>> 
>>>> 
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
[simple_bind_send]
>>>> (4): Executing simple bind as:
CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
[simple_bind_done]
>>>> (5): Server returned no controls.
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
[simple_bind_done]
>>>> (3): Bind result: Strong(er) authentication required(8),
>>>> BindSimple: Transport encryption required.
>>>> (Fri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
[fo_set_port_status]
>>>> (4): Marking port 389 of server 'xxxxx' as 'not
working'
>>>> ri Sep  2 18:22:13 2016) [sssd[be[xxx.xxx]]]
>>>> [sdap_id_op_connect_done] (1): Failed to connect, going offline
(5
>>>> [Input/output error]) (Fri Sep  2 18:22:13 2016)
>>>> [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3): Going offline.
Running
>>>> callbacks.
>>>> 
>>>> 
>>>> my sssd configuation is bellow
>>>> 
>>>> [sssd]
>>>> config_file_version = 2
>>>> domains = xxx.xxx
>>>> services = nss, pam
>>>> debug_level = 5
>>>> 
>>>> 
>>>> [nss]
>>>> 
>>>> 
>>>> [pam]
>>>> 
>>>> 
>>>> [domain/xxx.xx]
>>>> ldap_referrals = false
>>>> enumerate = true
>>>> 
>>>> id_provider = ldap
>>>> #access_provider = ldap
>>>> auth_provider = ldap
>>>> ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
>>>> ldap_id_use_start_tls = False
>>>> ldap_auth_disable_tls_never_use_in_production = true
>>>> ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
>>>> ldap_default_authtok_type = password
>>>> ldap_default_authtok = xxxxxxxx
>>>> 
>>>> ldap_schema = rfc2307bis
>>>> 
>>>> ldap_user_search_base = dc=xx,dc=xx
>>>> ldap_user_object_class = user
>>>> ldap_user_home_directory = unixHomeDirectory
>>>> ldap_user_principal = userPrincipalName
>>>> ldap_group_search_base = dc=xx,dc=xx
>>>> ldap_group_object_class = group
>>>> ldap_group_member = memberOf
>>>> access_provider = simple
>>>> 
>>>> 
>>>> 
>>>> simple_allow_groups = IT
>>>> 
>>>> 
>>>> ldap_access_order = expire
>>>> ldap_account_expire_policy = ad
>>>> ldap_force_upper_case_realm = true
>>>> [domain/default]
>>>> cache_credentials = False
>>>> 
>>> 
>>> The error message is pretty clear. Samba now requires SSL/TLS for
LDAP
>>> binds. Once you have enabled TLS in sssd, everything should work.
>>> While you can turn off the requirement in Samba, it's a bad
idea, as
>>> it'll result in unencrypted passwords being sent over the
network.
>>> 
>> 
>> Yes, you are correct about the reason, but what about fixing the
>> problem ?
>> 
>> I will say it again: SSSD has nothing to do with Samba and as such, the
>> place to ask for help with SSSD is on the 'sssd users' mailing
list.
>> 
>> Rowland
>> 
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>> 
> 
> 
> 
> -- 
> Regards
> Fosiul Alam
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba