Rowland Penny
2016-Sep-02 21:09 UTC
[Samba] Samba4 and sssd authentication not working due "Transport encryption required."
On Fri, 2 Sep 2016 12:33:34 -0700 John Yocum via samba <samba at lists.samba.org> wrote:

> On 09/02/2016 08:36 AM, Fosiul Alam via samba wrote:
> > Hi Experts
> > I have setup samba4 version "samba-4.4.5" , Windows Authentication
> > working fine.
> > however sssd authentication not working, Same setup work with older
> > version of samba4 , so I guess below requirement has been added
> > new, but I don't understand what shall I do to make sssd work .
> >
> > below log I am getting from sssd log
> >
> > [simple_bind_done] (3): Bind result: Strong(er) authentication
> > required(8), BindSimple: Transport encryption required.
> >
> > (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_send]
> > (4): Executing simple bind as: CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
> > (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
> > (5): Server returned no controls.
> > (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
> > (3): Bind result: Strong(er) authentication required(8),
> > BindSimple: Transport encryption required.
> > (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [fo_set_port_status]
> > (4): Marking port 389 of server 'xxxxx' as 'not working'
> > ri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]]
> > [sdap_id_op_connect_done] (1): Failed to connect, going offline (5
> > [Input/output error]) (Fri Sep 2 18:22:13 2016)
> > [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3): Going offline. Running
> > callbacks.
> >
> > my sssd configuration is below
> >
> > [sssd]
> > config_file_version = 2
> > domains = xxx.xxx
> > services = nss, pam
> > debug_level = 5
> >
> > [nss]
> >
> > [pam]
> >
> > [domain/xxx.xx]
> > ldap_referrals = false
> > enumerate = true
> >
> > id_provider = ldap
> > #access_provider = ldap
> > auth_provider = ldap
> > ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
> > ldap_id_use_start_tls = False
> > ldap_auth_disable_tls_never_use_in_production = true
> > ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
> > ldap_default_authtok_type = password
> > ldap_default_authtok = xxxxxxxx
> >
> > ldap_schema = rfc2307bis
> >
> > ldap_user_search_base = dc=xx,dc=xx
> > ldap_user_object_class = user
> > ldap_user_home_directory = unixHomeDirectory
> > ldap_user_principal = userPrincipalName
> > ldap_group_search_base = dc=xx,dc=xx
> > ldap_group_object_class = group
> > ldap_group_member = memberOf
> > access_provider = simple
> >
> > simple_allow_groups = IT
> >
> > ldap_access_order = expire
> > ldap_account_expire_policy = ad
> > ldap_force_upper_case_realm = true
> > [domain/default]
> > cache_credentials = False
> >
>
> The error message is pretty clear. Samba now requires SSL/TLS for LDAP
> binds. Once you have enabled TLS in sssd, everything should work.
> While you can turn off the requirement in Samba, it's a bad idea, as
> it'll result in unencrypted passwords being sent over the network.
>

Yes, you are correct about the reason, but what about fixing the
problem ?

I will say it again: SSSD has nothing to do with Samba and as such, the
place to ask for help with SSSD is on the 'sssd users' mailing list.

Rowland
Fosiul Alam
2016-Sep-03 12:59 UTC
[Samba] Samba4 and sssd authentication not working due "Transport encryption required."
Hi Both
Thanks

from Samba4 side I need this help, I can see that sshd has this option, can
you just tell me by default when I installed samba4 , did it create any
.crt file , if yes where? which I can use in sssd tls authentication ?
Thanks for the help

# A native LDAP domain
[domain/LDAP]
enumerate = true
cache_credentials = TRUE

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldap://ldap.mydomain.org
ldap_search_base = dc=mydomain,dc=org
tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

On Fri, Sep 2, 2016 at 10:09 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Fri, 2 Sep 2016 12:33:34 -0700
> John Yocum via samba <samba at lists.samba.org> wrote:
>
> > On 09/02/2016 08:36 AM, Fosiul Alam via samba wrote:
> > > Hi Experts
> > > I have setup samba4 version "samba-4.4.5" , Windows Authentication
> > > working fine.
> > > however sssd authentication not working, Same setup work with older
> > > version of samba4 , so I guess below requirement has been added
> > > new, but I don't understand what shall I do to make sssd work .
> > >
> > > below log I am getting from sssd log
> > >
> > > [simple_bind_done] (3): Bind result: Strong(er) authentication
> > > required(8), BindSimple: Transport encryption required.
> > >
> > > (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_send]
> > > (4): Executing simple bind as: CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
> > > (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
> > > (5): Server returned no controls.
> > > (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
> > > (3): Bind result: Strong(er) authentication required(8),
> > > BindSimple: Transport encryption required.
> > > (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [fo_set_port_status]
> > > (4): Marking port 389 of server 'xxxxx' as 'not working'
> > > ri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]]
> > > [sdap_id_op_connect_done] (1): Failed to connect, going offline (5
> > > [Input/output error]) (Fri Sep 2 18:22:13 2016)
> > > [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3): Going offline. Running
> > > callbacks.
> > >
> > > my sssd configuration is below
> > >
> > > [sssd]
> > > config_file_version = 2
> > > domains = xxx.xxx
> > > services = nss, pam
> > > debug_level = 5
> > >
> > > [nss]
> > >
> > > [pam]
> > >
> > > [domain/xxx.xx]
> > > ldap_referrals = false
> > > enumerate = true
> > >
> > > id_provider = ldap
> > > #access_provider = ldap
> > > auth_provider = ldap
> > > ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
> > > ldap_id_use_start_tls = False
> > > ldap_auth_disable_tls_never_use_in_production = true
> > > ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
> > > ldap_default_authtok_type = password
> > > ldap_default_authtok = xxxxxxxx
> > >
> > > ldap_schema = rfc2307bis
> > >
> > > ldap_user_search_base = dc=xx,dc=xx
> > > ldap_user_object_class = user
> > > ldap_user_home_directory = unixHomeDirectory
> > > ldap_user_principal = userPrincipalName
> > > ldap_group_search_base = dc=xx,dc=xx
> > > ldap_group_object_class = group
> > > ldap_group_member = memberOf
> > > access_provider = simple
> > >
> > > simple_allow_groups = IT
> > >
> > > ldap_access_order = expire
> > > ldap_account_expire_policy = ad
> > > ldap_force_upper_case_realm = true
> > > [domain/default]
> > > cache_credentials = False
> > >
> >
> > The error message is pretty clear. Samba now requires SSL/TLS for LDAP
> > binds. Once you have enabled TLS in sssd, everything should work.
> > While you can turn off the requirement in Samba, it's a bad idea, as
> > it'll result in unencrypted passwords being sent over the network.
> >
>
> Yes, you are correct about the reason, but what about fixing the
> problem ?
>
> I will say it again: SSSD has nothing to do with Samba and as such, the
> place to ask for help with SSSD is on the 'sssd users' mailing list.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
Regards
Fosiul Alam
Achim Gottinger
2016-Sep-03 13:17 UTC
[Samba] Samba4 and sssd authentication not working due "Transport encryption required."
On 03.09.2016 at 14:59, Fosiul Alam via samba wrote:

> Hi Both
> Thanks
>
> from Samba4 side I need this help, I can see that sshd has this option, can
> you just tell me by default when I installed samba4 , did it create any
> .crt file , if yes where? which I can use in sssd tls authentication ?
> Thanks for the help
>
> # A native LDAP domain
> [domain/LDAP]
> enumerate = true
> cache_credentials = TRUE
>
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
>
> ldap_uri = ldap://ldap.mydomain.org
> ldap_search_base = dc=mydomain,dc=org
> tls_reqcert = demand
> ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
>
> On Fri, Sep 2, 2016 at 10:09 PM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Fri, 2 Sep 2016 12:33:34 -0700
>> John Yocum via samba <samba at lists.samba.org> wrote:
>>
>>> On 09/02/2016 08:36 AM, Fosiul Alam via samba wrote:
>>>> Hi Experts
>>>> I have setup samba4 version "samba-4.4.5" , Windows Authentication
>>>> working fine.
>>>> however sssd authentication not working, Same setup work with older
>>>> version of samba4 , so I guess below requirement has been added
>>>> new, but I don't understand what shall I do to make sssd work .
>>>>
>>>> below log I am getting from sssd log
>>>>
>>>> [simple_bind_done] (3): Bind result: Strong(er) authentication
>>>> required(8), BindSimple: Transport encryption required.
>>>>
>>>> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_send]
>>>> (4): Executing simple bind as: CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
>>>> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
>>>> (5): Server returned no controls.
>>>> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
>>>> (3): Bind result: Strong(er) authentication required(8),
>>>> BindSimple: Transport encryption required.
>>>> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [fo_set_port_status]
>>>> (4): Marking port 389 of server 'xxxxx' as 'not working'
>>>> ri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]]
>>>> [sdap_id_op_connect_done] (1): Failed to connect, going offline (5
>>>> [Input/output error]) (Fri Sep 2 18:22:13 2016)
>>>> [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3): Going offline. Running
>>>> callbacks.
>>>>
>>>> my sssd configuration is below
>>>>
>>>> [sssd]
>>>> config_file_version = 2
>>>> domains = xxx.xxx
>>>> services = nss, pam
>>>> debug_level = 5
>>>>
>>>> [nss]
>>>>
>>>> [pam]
>>>>
>>>> [domain/xxx.xx]
>>>> ldap_referrals = false
>>>> enumerate = true
>>>>
>>>> id_provider = ldap
>>>> #access_provider = ldap
>>>> auth_provider = ldap
>>>> ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
>>>> ldap_id_use_start_tls = False
>>>> ldap_auth_disable_tls_never_use_in_production = true
>>>> ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
>>>> ldap_default_authtok_type = password
>>>> ldap_default_authtok = xxxxxxxx
>>>>
>>>> ldap_schema = rfc2307bis
>>>>
>>>> ldap_user_search_base = dc=xx,dc=xx
>>>> ldap_user_object_class = user
>>>> ldap_user_home_directory = unixHomeDirectory
>>>> ldap_user_principal = userPrincipalName
>>>> ldap_group_search_base = dc=xx,dc=xx
>>>> ldap_group_object_class = group
>>>> ldap_group_member = memberOf
>>>> access_provider = simple
>>>>
>>>> simple_allow_groups = IT
>>>>
>>>> ldap_access_order = expire
>>>> ldap_account_expire_policy = ad
>>>> ldap_force_upper_case_realm = true
>>>> [domain/default]
>>>> cache_credentials = False
>>>>
>>> The error message is pretty clear. Samba now requires SSL/TLS for LDAP
>>> binds. Once you have enabled TLS in sssd, everything should work.
>>> While you can turn off the requirement in Samba, it's a bad idea, as
>>> it'll result in unencrypted passwords being sent over the network.
>>>
>> Yes, you are correct about the reason, but what about fixing the
>> problem ?
>>
>> I will say it again: SSSD has nothing to do with Samba and as such, the
>> place to ask for help with SSSD is on the 'sssd users' mailing list.
>>
>> Rowland
>>

Hi,

On Debian this is /var/lib/samba/private/tls/ca.pem

achim~
Marc Muehlfeld
2016-Sep-03 13:18 UTC
[Samba] Samba4 and sssd authentication not working due "Transport encryption required."
Hi Fosiul,

On 03.09.2016 at 14:59, Fosiul Alam via samba wrote:

> from Samba4 side I need this help, I can see that sshd has this option, can
> you just tell me by default when I installed samba4 , did it create any
> .crt file , if yes where? which I can use in sssd tls authentication ?
> Thanks for the help

# ls -1 /usr/local/samba/private/tls/*.pem
/usr/local/samba/private/tls/ca.pem
/usr/local/samba/private/tls/cert.pem
/usr/local/samba/private/tls/key.pem

Regards,
Marc
Michael A Weber
2016-Sep-03 14:28 UTC
[Samba] Samba4 and sssd authentication not working due "Transport encryption required."
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

> On Sep 3, 2016, at 7:59 AM, Fosiul Alam via samba <samba at lists.samba.org> wrote:
>
> Hi Both
> Thanks
>
> from Samba4 side I need this help, I can see that sshd has this option, can
> you just tell me by default when I installed samba4 , did it create any
> .crt file , if yes where? which I can use in sssd tls authentication ?
> Thanks for the help
>
> # A native LDAP domain
> [domain/LDAP]
> enumerate = true
> cache_credentials = TRUE
>
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
>
> ldap_uri = ldap://ldap.mydomain.org
> ldap_search_base = dc=mydomain,dc=org
> tls_reqcert = demand
> ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
>
> On Fri, Sep 2, 2016 at 10:09 PM, Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Fri, 2 Sep 2016 12:33:34 -0700
>> John Yocum via samba <samba at lists.samba.org> wrote:
>>
>>> On 09/02/2016 08:36 AM, Fosiul Alam via samba wrote:
>>>> Hi Experts
>>>> I have setup samba4 version "samba-4.4.5" , Windows Authentication
>>>> working fine.
>>>> however sssd authentication not working, Same setup work with older
>>>> version of samba4 , so I guess below requirement has been added
>>>> new, but I don't understand what shall I do to make sssd work .
>>>>
>>>> below log I am getting from sssd log
>>>>
>>>> [simple_bind_done] (3): Bind result: Strong(er) authentication
>>>> required(8), BindSimple: Transport encryption required.
>>>>
>>>> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_send]
>>>> (4): Executing simple bind as: CN=ldapadmin,cn=Users,dc=xxx,dc=xxxx
>>>> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
>>>> (5): Server returned no controls.
>>>> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [simple_bind_done]
>>>> (3): Bind result: Strong(er) authentication required(8),
>>>> BindSimple: Transport encryption required.
>>>> (Fri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]] [fo_set_port_status]
>>>> (4): Marking port 389 of server 'xxxxx' as 'not working'
>>>> ri Sep 2 18:22:13 2016) [sssd[be[xxx.xxx]]]
>>>> [sdap_id_op_connect_done] (1): Failed to connect, going offline (5
>>>> [Input/output error]) (Fri Sep 2 18:22:13 2016)
>>>> [sssd[be[xxx.xxx]]] [be_run_offline_cb] (3): Going offline. Running
>>>> callbacks.
>>>>
>>>> my sssd configuration is below
>>>>
>>>> [sssd]
>>>> config_file_version = 2
>>>> domains = xxx.xxx
>>>> services = nss, pam
>>>> debug_level = 5
>>>>
>>>> [nss]
>>>>
>>>> [pam]
>>>>
>>>> [domain/xxx.xx]
>>>> ldap_referrals = false
>>>> enumerate = true
>>>>
>>>> id_provider = ldap
>>>> #access_provider = ldap
>>>> auth_provider = ldap
>>>> ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
>>>> ldap_id_use_start_tls = False
>>>> ldap_auth_disable_tls_never_use_in_production = true
>>>> ldap_default_bind_dn = CN=ldapadmin,cn=Users,dc=xxx,dc=xxx
>>>> ldap_default_authtok_type = password
>>>> ldap_default_authtok = xxxxxxxx
>>>>
>>>> ldap_schema = rfc2307bis
>>>>
>>>> ldap_user_search_base = dc=xx,dc=xx
>>>> ldap_user_object_class = user
>>>> ldap_user_home_directory = unixHomeDirectory
>>>> ldap_user_principal = userPrincipalName
>>>> ldap_group_search_base = dc=xx,dc=xx
>>>> ldap_group_object_class = group
>>>> ldap_group_member = memberOf
>>>> access_provider = simple
>>>>
>>>> simple_allow_groups = IT
>>>>
>>>> ldap_access_order = expire
>>>> ldap_account_expire_policy = ad
>>>> ldap_force_upper_case_realm = true
>>>> [domain/default]
>>>> cache_credentials = False
>>>>
>>>
>>> The error message is pretty clear. Samba now requires SSL/TLS for LDAP
>>> binds. Once you have enabled TLS in sssd, everything should work.
>>> While you can turn off the requirement in Samba, it's a bad idea, as
>>> it'll result in unencrypted passwords being sent over the network.
>>>
>>
>> Yes, you are correct about the reason, but what about fixing the
>> problem ?
>>
>> I will say it again: SSSD has nothing to do with Samba and as such, the
>> place to ask for help with SSSD is on the 'sssd users' mailing list.
>>
>> Rowland
>>
>
> --
> Regards
> Fosiul Alam
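
Added example, not part of any post in this thread: a small Python check that reads an sssd.conf and flags the settings behind the "Transport encryption required" rejection discussed above, run against the domain section posted in the thread and a corrected form of it. The CA path `/etc/sssd/samba-ca.pem` is an assumed location for a copy of the DC's `ca.pem`, and the finding names are made up for the example.

```python
import configparser

# Constructed sample: the LDAP-related keys of the domain section posted in
# the thread, placeholders kept as posted.
WEAK = """
[domain/xxx.xx]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
ldap_id_use_start_tls = False
ldap_auth_disable_tls_never_use_in_production = true
"""

# Constructed corrected form: StartTLS on port 389, certificate verified
# against a copy of the DC's ca.pem. The CA path is an assumed location.
FIXED = """
[domain/xxx.xx]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://xxx-DC-A.xxx.xxx:389
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/sssd/samba-ca.pem
"""


def audit(conf_text):
    """Return (section, finding) pairs for LDAP domains that bind without TLS."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        providers = (sec.get("id_provider"), sec.get("auth_provider"))
        if not name.startswith("domain/") or "ldap" not in providers:
            continue
        uris = [u.strip().lower() for u in sec.get("ldap_uri", "").split(",") if u.strip()]
        start_tls = sec.getboolean("ldap_id_use_start_tls", fallback=False)
        # A plain ldap:// URI without StartTLS sends the simple bind in clear;
        # this is what the DC answers with "Transport encryption required".
        if any(not u.startswith("ldaps://") for u in uris) and not start_tls:
            findings.append((name, "cleartext-bind"))
        # Switches off sssd's own TLS requirement for password authentication.
        if sec.getboolean("ldap_auth_disable_tls_never_use_in_production", fallback=False):
            findings.append((name, "auth-tls-disabled"))
        # TLS without certificate verification does not authenticate the DC.
        if sec.get("ldap_tls_reqcert", "hard").lower() in ("never", "allow"):
            findings.append((name, "cert-not-verified"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", WEAK), ("corrected", FIXED)):
        print(label, audit(text))
```
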