[SSSD-users] Re: Force LDAP SSL
On Fri, Apr 21, 2017 at 07:58:53AM +0200, Troels Hansen wrote:
> Thanks both Jakub and Stephen
>
> That explains it. It didn't seem really clear from the man pages

But that's wrong; ideally there should be no things you 'need to know'. Let's fix the man page with: https://pagure.io/SSSD/sssd/issue/3377

Thanks for pointing out this documentation issue.
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
[SSSD-users] session setup failed: NT_STATUS_NO_LOGON_SERVERS
Ubuntu 16.04.2
samba 4.3.11+dfsg-0ubuntu0.16.04.6
sssd 1.13.4-1ubuntu1.2
Windows Server 2008 R2 Standard

Have 2 sites with the above setup. Each site has 1 ubuntu/samba server authenticating to 1 Windows Server 2008 R2 server running Active Directory.

Site 1 works as expected. Traditional linux services, like ssh, auth to AD as expected. So do the samba shares.

Site 2 partially works. Linux services like ssh work but samba shares fail to auth:

session setup failed: NT_STATUS_NO_LOGON_SERVERS
connect_to_domain_password_server: unable to open the domain client session to machine DC-1.CORP.DOMAIN.COM. Error was : NT_STATUS_ACCESS_DENIED.
[2017/04/20 01:49:28.902051, 0] ../source3/auth/auth_domain.c:184(domain_client_validate)
domain_client_validate: Domain password server not available.

I have double checked site1 smb.conf, sssd.conf, krb5.conf against site2 configuration and they are the "same". I don't understand why ssh can authenticate but not samba. It seems like the problem is on DC-1 but do not know where to start on the debugging of Windows!

sssd.conf

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
# debug_level = 7

[pam]
reconnection_retries = 3
# debug_level = 7

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, pac
config_file_version = 2
domains = CORP.DOMAIN.COM
debug_level = 7

[domain/CORP.DOMAIN.COM]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
cache_credentials = true
debug_level = 7
# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.
# Use with pam_mkhomedir.so
override_homedir = /var/samba/users/%u

smb.conf

[global]
workgroup = CORP
realm = CORP.DOMAIN.COM
preferred master = no
wins server = 192.168.110.249
server string = samba-2
security = ADS
encrypt passwords = true
obey pam restrictions = yes
kerberos method = secrets and keytab
syslog = 0
log file = /var/log/samba/%m.log
max xmit = 16384
# NO roaming profiles http://melecio.org/node/5
logon path =
logon home =
logon script = %U.bat
idmap config CORP : backend = ad
idmap uid = 600-2
idmap gid = 600-2
template shell = /bin/bash
template homedir = /var/samba/users/%U
server signing = auto
client signing = auto
client use spnego = yes
client ntlmv2 auth = yes
restrict anonymous = 2
load printers = no
[SSSD-users] Re: Force LDAP SSL
Thanks both Jakub and Stephen

That explains it. It didn't seem really clear from the man pages and looking at the SSSD logs didn't seem to reveal it either, so I guess it's just one of those things that you need to know.

- On Apr 20, 2017, at 5:18 PM, Jakub Hrozek jhro...@redhat.com wrote:

> On Thu, Apr 20, 2017 at 05:08:02PM +0200, Troels Hansen wrote:
>> I'm trying to force SSSD to only communicate encrypted, because of company
>> rules.
>> I think I'm missing something:
>>
>> SSSD configured with: id_provider = ad
>>
>> and DNS service resolution is enabled (default)
>>
>> I have tried about every combination of:
>>
>> ldap_id_use_start_tls = true
>> ldap_service_port = 636
>> ldap_tls_reqcert = allow
>>
>> in sssd.conf [domain] section.
>> However, I can see SSSD LDAP connection over port 389.
>>
>> # netstat -tanp | grep sssd_be
>> tcp 0 0 172.16.5.202:53520 172.16.1.241:389 ESTABLISHED 18080/sssd_be
>>
>> Have I just missed something?
>> Do I need to pull the certificates from AD to make it work. I'm not really
>> interested in verifying the certificates but only ensuring an encrypted
>> channel.
>>
>
> sssd-ad already uses gssapi to encrypt the communication. You don't need
> to add any more manual configuration.

--
Kind regards

Troels Hansen
System consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
[SSSD-users] Re: Force LDAP SSL
On 04/20/2017 11:08 AM, Troels Hansen wrote:
> I'm trying to force SSSD to only communicate encrypted, because of company
> rules.
> I think I'm missing something:
>
> SSSD configured with: id_provider = ad
>
> and DNS service resolution is enabled (default)
>
> I have tried about every combination of:
>
> ldap_id_use_start_tls = true
> ldap_service_port = 636
> ldap_tls_reqcert = allow
>
> in sssd.conf [domain] section.
> However, I can see SSSD LDAP connection over port 389.
>
> # netstat -tanp | grep sssd_be
> tcp 0 0 172.16.5.202:53520 172.16.1.241:389 ESTABLISHED 18080/sssd_be
>
> Have I just missed something?
> Do I need to pull the certificates from AD to make it work. I'm not really
> interested in verifying the certificates but only ensuring an encrypted
> channel.
>

Well, first of all be aware that if you are using the AD provider, your communication across port 389 *is* encrypted using GSSAPI (Kerberos). It uses the host keytab to encrypt that communication. Using SSL atop that would be a waste of resources (and unsupported by Microsoft, if I recall correctly).

If you have GSSAPI encryption available (you do) then SSSD ignores the `ldap_id_use_start_tls` argument because you don't need both encryption streams. `ldap_id_use_start_tls` tells the LDAP provider to use the STARTTLS command on port 389 to wrap communication in a secure layer.

If you REALLY wanted to use port 636, you would need to use `ldap_uri = ldaps://server.host.name` (note the "ldaps" in the URI) which tells it to use SSL-based encryption and the default port for that, which is 636. I don't actually know what happens when you try this with `ad_provider=ad`, though. It's unnecessary, wasteful and possibly disallowed by Microsoft.
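The rules in the reply above, encoded as a small sssd.conf linter so an administrator can see at a glance which transport protection each domain section will actually get. This is an added example written for this archive page, not SSSD's own code. The sample configuration inside it is constructed (the CORP.DOMAIN.COM section mirrors the options from the thread). Two things go beyond what the thread states and are assumptions to verify against your SSSD version: an LDAP-provider domain with ldap_sasl_mech = GSSAPI is classified like the AD provider, and an unset ldap_id_use_start_tls is reported as STARTTLS because that is the default sssd-ldap(5) documents.

```python
"""Classify how each SSSD domain will protect its directory traffic.

Added example for this thread, not SSSD's own code. It encodes the rules
from the reply above: the AD provider encrypts LDAP on port 389 with
GSSAPI (so ldap_id_use_start_tls is ignored there), ldap_id_use_start_tls
wraps port 389 in STARTTLS for the LDAP provider, and an ldaps:// ldap_uri
selects TLS on 636. Setting a port never selects encryption by itself.
Assumptions beyond the thread: ldap_sasl_mech = GSSAPI on the LDAP
provider is treated like the AD provider, and an unset
ldap_id_use_start_tls is reported as STARTTLS because sssd-ldap(5)
documents that default; verify both against your SSSD version.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample: one AD domain configured as in the thread, one LDAP
# domain on ldaps://, and one LDAP domain that has switched STARTTLS off.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = CORP.DOMAIN.COM, ldap.example.test, legacy.example.test

[domain/CORP.DOMAIN.COM]
id_provider = ad
auth_provider = ad
ldap_id_use_start_tls = true
ldap_service_port = 636
ldap_tls_reqcert = allow
override_homedir = /var/samba/users/%u

[domain/ldap.example.test]
id_provider = ldap
ldap_uri = ldaps://ldap1.example.test, ldaps://ldap2.example.test

[domain/legacy.example.test]
id_provider = ldap
ldap_uri = ldap://ldap.legacy.example.test
ldap_id_use_start_tls = false
"""


def _is_true(value):
    return str(value).strip().lower() in ("true", "yes", "on", "1")


def classify_domain(section):
    """Return (mode, notes) for one [domain/...] section.

    mode is one of "gssapi", "ldaps", "starttls" or "cleartext".
    """
    notes = []
    provider = section.get("id_provider", "").strip().lower()

    if "ldap_service_port" in section:
        notes.append("ldap_service_port sets a port; the ldap_uri scheme, "
                     "not the port, selects TLS")

    # AD provider (or explicit GSSAPI SASL, an assumption beyond the thread):
    # the Kerberos session already signs and seals the port 389 traffic.
    sasl_mech = section.get("ldap_sasl_mech", "").strip().upper()
    if provider == "ad" or sasl_mech == "GSSAPI":
        if "ldap_id_use_start_tls" in section:
            notes.append("ldap_id_use_start_tls is ignored: GSSAPI already "
                         "encrypts the port 389 session")
        return "gssapi", notes

    uris = [u.strip() for u in section.get("ldap_uri", "").split(",") if u.strip()]
    schemes = {urlsplit(u).scheme.lower() for u in uris}
    if uris and schemes == {"ldaps"}:
        return "ldaps", notes
    if "ldaps" in schemes:
        notes.append("mixed ldap:// and ldaps:// URIs; the ldap:// servers "
                     "depend on STARTTLS for protection")

    if "ldap_id_use_start_tls" not in section:
        notes.append("ldap_id_use_start_tls not set; relying on the default "
                     "documented in sssd-ldap(5), set it explicitly")
        return "starttls", notes
    if _is_true(section["ldap_id_use_start_tls"]):
        return "starttls", notes
    notes.append("ldap_id_use_start_tls = false on a plain ldap:// URI "
                 "leaves directory traffic unencrypted")
    return "cleartext", notes


def lint_sssd_conf(text):
    """Parse sssd.conf text and classify every [domain/...] section."""
    # interpolation=None keeps %u-style values intact; strict=False tolerates
    # repeated keys such as the duplicated config_file_version in the thread.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    results = {}
    for name in parser.sections():
        if name.startswith("domain/"):
            results[name[len("domain/"):]] = classify_domain(parser[name])
    return results


if __name__ == "__main__":
    for domain, (mode, notes) in lint_sssd_conf(SAMPLE_SSSD_CONF).items():
        print(f"{domain}: {mode}")
        for note in notes:
            print(f"  - {note}")
```

Run against the sample, the CORP.DOMAIN.COM section comes out as "gssapi" with two notes (the ignored STARTTLS switch and the port setting that changes nothing), which is exactly the situation the original poster observed in netstat. To check a real host, read /etc/sssd/sssd.conf into lint_sssd_conf instead of the sample string; the classification tells you what to expect on the wire, and a packet capture on 389/636 confirms it.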
[SSSD-users] Re: Force LDAP SSL
On Thu, Apr 20, 2017 at 05:08:02PM +0200, Troels Hansen wrote:
> I'm trying to force SSSD to only communicate encrypted, because of company
> rules.
> I think I'm missing something:
>
> SSSD configured with: id_provider = ad
>
> and DNS service resolution is enabled (default)
>
> I have tried about every combination of:
>
> ldap_id_use_start_tls = true
> ldap_service_port = 636
> ldap_tls_reqcert = allow
>
> in sssd.conf [domain] section.
> However, I can see SSSD LDAP connection over port 389.
>
> # netstat -tanp | grep sssd_be
> tcp 0 0 172.16.5.202:53520 172.16.1.241:389 ESTABLISHED 18080/sssd_be
>
> Have I just missed something?
> Do I need to pull the certificates from AD to make it work. I'm not really
> interested in verifying the certificates but only ensuring an encrypted
> channel.
>

sssd-ad already uses gssapi to encrypt the communication. You don't need to add any more manual configuration.
[SSSD-users] Force LDAP SSL
I'm trying to force SSSD to only communicate encrypted, because of company rules.
I think I'm missing something:

SSSD configured with: id_provider = ad

and DNS service resolution is enabled (default)

I have tried about every combination of:

ldap_id_use_start_tls = true
ldap_service_port = 636
ldap_tls_reqcert = allow

in sssd.conf [domain] section.
However, I can see SSSD LDAP connection over port 389.

# netstat -tanp | grep sssd_be
tcp 0 0 172.16.5.202:53520 172.16.1.241:389 ESTABLISHED 18080/sssd_be

Have I just missed something?
Do I need to pull the certificates from AD to make it work. I'm not really interested in verifying the certificates but only ensuring an encrypted channel.