[Bug 1921494] Re: ad_use_ldaps error could not start tls encryption

2021-10-10 Thread Matthew Ruffell
** Also affects: sssd (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: sssd (Ubuntu Impish)
   Importance: Undecided
   Status: Incomplete

** Also affects: sssd (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: sssd (Ubuntu Hirsute)
   Importance: Undecided
   Status: New

** Changed in: sssd (Ubuntu Bionic)
   Status: New => In Progress

** Changed in: sssd (Ubuntu Focal)
   Status: New => In Progress

** Changed in: sssd (Ubuntu Hirsute)
   Status: New => In Progress

** Changed in: sssd (Ubuntu Impish)
   Status: Incomplete => In Progress

** Changed in: sssd (Ubuntu Bionic)
   Importance: Undecided => Medium

** Changed in: sssd (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: sssd (Ubuntu Hirsute)
   Importance: Undecided => Medium

** Changed in: sssd (Ubuntu Impish)
   Importance: Undecided => Medium

** Changed in: sssd (Ubuntu Bionic)
 Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Changed in: sssd (Ubuntu Focal)
 Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Changed in: sssd (Ubuntu Hirsute)
 Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Changed in: sssd (Ubuntu Impish)
 Assignee: (unassigned) => Matthew Ruffell (mruffell)

** Tags added: seg

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921494

Title:
  ad_use_ldaps error could not start tls encryption

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1921494/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921494] Re: ad_use_ldaps error could not start tls encryption

2021-10-07 Thread Snakekick
My sssd ldap log

** Attachment added: "sssd_ldap_server.log"
   
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1921494/+attachment/5531319/+files/sssd_ldap_server.log


[Bug 1921494] Re: ad_use_ldaps error could not start tls encryption

2021-10-07 Thread Snakekick
Hello,
I am also affected by this bug and would like to test the test builds.
ldapsearch can connect to the LDAP server.

With my sssd config I can successfully connect from RHEL 8 and 7, but I have
problems with different Ubuntu and Debian versions.
If you need more information I can try to provide it too.


** Attachment added: "ldaps.JPG"
   
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1921494/+attachment/5531294/+files/ldaps.JPG


[Bug 1921494] Re: ad_use_ldaps error could not start tls encryption

2021-10-07 Thread Rex Goldsmith
Hi Athos and Matthew. 
The original Ubuntu server I used for the testing back in February/March has 
been deleted, so I will need to create a new server and set it up to 
(hopefully) replicate the issue seen and reported in the bug report I filed. 
Due to ongoing work commitments I will need to do this over the next few days.
Once the server is available, tested and the problem I see is reproduced, then 
it can certainly be used for any testing you desire.
I will also respond in full with regards to more info and the ldapsearch query 
result.

Regards,
Rex


[Bug 1921494] Re: ad_use_ldaps error could not start tls encryption

2021-10-06 Thread Matthew Ruffell
Hi Rex,

Looking closer at the logging which you provided when debug_level = 4,
the important part is:

[sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: [Connect error] [(unknown error code)]

This looks very similar to this upstream bug report:
https://github.com/SSSD/sssd/issues/5531

In which case, I believe the below commit should fix the issue:

commit da55e3e69707de416b7949d08c165c950090bbb6
From: Iker Pedrosa 
Date: Wed, 3 Mar 2021 15:34:49 +0100
Subject: ldap: retry ldap_install_tls() when watchdog interruption
Link: https://github.com/SSSD/sssd/commit/da55e3e69707de416b7949d08c165c950090bbb6

I will make some test packages for Bionic, Focal, Hirsute and Impish.
Will you be able to try some test packages? I will also try and
reproduce myself, but this looks like an unreliable race condition
between the watchdog and ldap_install_tls().

Thanks,
Matthew

** Bug watch added: github.com/SSSD/sssd/issues #5531
   https://github.com/SSSD/sssd/issues/5531
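
Added example (not from the thread or from sssd itself): a small Python triage script that looks for the log signature Matthew singles out above, the ldap_install_tls failure in sss_ldap_init_sys_connect_done, and reports which URIs were constructed before it and which ports the failover code marked as 'not working' afterwards. The sample lines are taken from the bug description with the mail wrapping undone; the triage() function and its field names are made up for this example.

```python
import re

# Core of an SSSD debug line: "[function] (0xLEVEL): message". Any timestamp
# or process prefix in front of it is ignored.
LINE_RE = re.compile(r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)")
URI_RE = re.compile(r"Constructed (?:GC )?uri '(?P<uri>[^']+)'")
TLS_RE = re.compile(r"ldap_install_tls failed: \[(?P<err>[^\]]*)\]")
PORT_RE = re.compile(r"Marking port (?P<port>\d+) of (?:duplicate )?server "
                     r"'[^']+' as 'not working'")

# Log lines copied from the bug description, with the mail line-wrapping undone.
SAMPLE_LOG = """\
[ad_resolve_callback] (0x0100): Constructed uri 'ldaps://ad-server.company.com'
[ad_resolve_callback] (0x0100): Constructed GC uri 'ldaps://ad-server.company.com'
[sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting
[sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: [Connect error] [(unknown error code)]
[sss_ldap_init_state_destructor] (0x0400): closing socket [18]
[sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [5]: Input/output error.
[fo_set_port_status] (0x0100): Marking port 389 of server 'ad-server.company.com' as 'not working'
[fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'ad-server.company.com' as 'not working'
"""


def triage(log_text):
    """Return one finding per ldap_install_tls failure, with its context."""
    findings, uris, current = [], [], None
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        msg = m["msg"]
        if (u := URI_RE.search(msg)):
            uris.append(u["uri"])          # URI the backend is about to try
        elif m["func"] == "sss_ldap_init_sys_connect_done" and (t := TLS_RE.search(msg)):
            current = {"error": t["err"], "level": int(m["level"], 16),
                       "uris": sorted(set(uris)), "ports_marked": []}
            findings.append(current)
            uris = []
        elif current is not None and (p := PORT_RE.search(msg)):
            port = int(p["port"])          # failover reaction to the failure
            if port not in current["ports_marked"]:
                current["ports_marked"].append(port)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Run against a real domain log, the same function accepts lines that carry a timestamp and process prefix, since only the "[function] (0xLEVEL): message" part is matched.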


[Bug 1921494] Re: ad_use_ldaps error could not start tls encryption

2021-10-06 Thread Athos Ribeiro
Hi Rex,

Thank you for taking the time to file a bug report.

Would you mind also providing the access logs for the server when the
connection is attempted?

Moreover, could you confirm that you can also use ldapsearch with TLS;
e.g., `ldapsearch -x -Z`?

Since there is not enough information in your report to begin triage or to
differentiate between a local configuration problem and a bug in Ubuntu, I
am marking this bug as "Incomplete". We would be grateful if you would:
provide a more complete description of the problem, explain why you
believe this is a bug in Ubuntu rather than a problem specific to your
system, and then change the bug status back to "New".

For local configuration issues, you can find assistance here:
http://www.ubuntu.com/support/community


** Changed in: sssd (Ubuntu)
   Status: Confirmed => Incomplete


[Bug 1921494] Re: ad_use_ldaps error could not start tls encryption

2021-10-05 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: sssd (Ubuntu)
   Status: New => Confirmed


[Bug 1921494] Re: ad_use_ldaps error could not start tls encryption

2021-03-29 Thread Rex Goldsmith
** Description changed:

  New sssd.conf variable ad_use_ldaps not working. On starting sssd it
  errors with "sssd[be[13765]: Could not start TLS encryption. (unknown
  error code)"
  
  # lsb_release -rd
  Description:Ubuntu 18.04.5 LTS
  Release:18.04
  Note: problem also seen with Ubuntu 20.04.2
  # apt-cache policy sssd | grep Installed
-   Installed: 1.16.1-1ubuntu1.7
+   Installed: 1.16.1-1ubuntu1.7
  
  Expectation
  Adding ad_use_ldaps to a working AD integrated /etc/sssd/sssd.conf to use 
port 636 instead of port 389 due ADV 190023. Reference 
https://bugs.launchpad.net/ubuntu/focal/+source/sssd/+bug/1868703/
  
  Problem
  Added a working Public root CA cert to the common ca-certificate 
(/etc/ssl/ca-certificates) and  /etc/ldap/ldap.conf has following set:
  TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
  An ldapsearch using the above certificate bundle against LDAPS is successful:
  
  # openssl s_client -connect company-ad-server.company.com:636 
CONNECTED(0005)
- # ldapsearch -v -H ldaps://company-ad-server.company.com:636 -b 
"dc=company,dc=com" "(sAMAccountName=superduperuser)" ldap_initialize( 
ldaps://company-ad-server.company.com:636/??base ) SASL/GSSAPI authentication 
started SASL username: superduperu...@company.com SASL SSF: 0 filter: 
(sAMAccountName=superduperuser) requesting: All userApplication attributes 

+ # ldapsearch -v -H ldaps://company-ad-server.company.com:636 -b 
"dc=company,dc=com" "(sAMAccountName=superduperuser)" ldap_initialize( 
ldaps://company-ad-server.company.com:636/??base ) SASL/GSSAPI authentication 
started SASL username: superduperu...@company.com SASL SSF: 0 filter: 
(sAMAccountName=superduperuser) requesting: All userApplication attributes 

  # Duperuser\2C Super ADM, Users, Admin, company.com dn: CN=Duperuser\, Super 
ADM,OU=Internal,OU=Users,OU=Admin,DC=company,DC=com 
  
  sssd.conf is configured with:
  [sssd]
  domains = company.com
  config_file_version = 2
  services = nss, pam
  
  [domain/company.com]
  ad_domain = company.com
  krb5_realm = company.com
  realmd_tags = manages-system joined-with-adcli
  cache_credentials = True
  id_provider = ad
  krb5_store_password_if_offline = True
  default_shell = /bin/bash
  use_fully_qualified_names = True
  fallback_homedir = /home/%u@%d
  ldap_id_mapping = True
  ad_use_ldaps = True
  ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
  auth_provider = ad
  access_provider = simple
  simple_allow_groups = linux-admins
  
  Stopping sssd, clearing sssd cache, starting sssd returns following error:
  sssd[be[13765]: Could not start TLS encryption. (unknown error code)
  
  Setting debug_level = 4 (or higher) returns following around this unknown 
error:
  [set_server_common_status] (0x0100): Marking server 'ad-server.company.com' 
as 'name resolved'
  [be_resolve_server_process] (0x0200): Found address for server 
ad-server.company.com: [y.y.y.y] TTL 3600
  [ad_resolve_callback] (0x0100): Constructed uri 
'ldaps://ad-server.company.com'
  [ad_resolve_callback] (0x0100): Constructed GC uri 
'ldaps://ad-server.company.com'
  [sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for 
connecting
  [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: [Connect 
error] [(unknown error code)]
  [sss_ldap_init_state_destructor] (0x0400): calling ldap_unbind_ext for 
ldap:[0x55d1149ef6e0] sd:[18]
  [sss_ldap_init_state_destructor] (0x0400): closing socket [18]
  [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: 
[5]: Input/output error.
  [fo_set_port_status] (0x0100): Marking port 389 of server 
'ad-server.company.com' as 'not working'
  [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 
'ad-server.company.com' as 'not working'


[Bug 1921494] Re: ad_use_ldaps error could not start tls encryption

2021-03-26 Thread Brian Murray
** Package changed: ubuntu => sssd (Ubuntu)


[Bug 1921494] Re: ad_use_ldaps error could not start tls encryption

2021-03-26 Thread Ubuntu Foundations Team Bug Bot
Thank you for taking the time to report this bug and helping to make
Ubuntu better.  It seems that your bug report is not filed about a
specific source package though, rather it is just filed against Ubuntu
in general.  It is important that bug reports be filed about source
packages so that people interested in the package can find the bugs
about it.  You can find some hints about determining what package your
bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage.
You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit
https://bugs.launchpad.net/ubuntu/+bug/1921494/+editstatus and add the
package name in the text box next to the word Package.

[This is an automated message.  I apologize if it reached you
inappropriately; please just reply to this message indicating so.]

** Tags added: bot-comment


[Bug 1921494] Re: ad_use_ldaps error could not start tls encryption

2021-03-26 Thread Rex Goldsmith
Apport file attached

** Attachment added: "apport file attached."
   
https://bugs.launchpad.net/ubuntu/+bug/1921494/+attachment/5481105/+files/apport.sssd.h805vgu_.apport
