Re: Problems setting up SSSD to authenticate to Windows 2008 AD

On Mon, 2011-07-18 at 18:34 +0300, Oded Arbel wrote:
> Hi List. First time poster, so if I'm doing something wrong please let me
> know.
> 
> I'm trying to set up SSSD for a laptop running Fedora 14 to authenticate
> against an Active Directory domain running on a Windows 2008 server. 
> I've followed the instructions in this page:
> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
> (except the part about anonymous searches - our security policy will not
> allow that), and I still can't get authentication to work.
> 
> When I try to log in using ssh to the computer I get this in the sssd
> log file for the AD connection:
> 
> [sssd[be[AD]]] [simple_bind_done] (3): Bind result: Success(0), (null)
> [sssd[be[AD]]] [be_run_online_cb] (3): Going online. Running callbacks.
> [sssd[be[AD]]] [sdap_control_create] (3): Server does not support the
> requested control [1.3.6.1.4.1.42.2.27.8.5.1].
> [sssd[be[AD]]] [sdap_get_generic_done] (2): Unexpected result from ldap:
> Operations error(1), 00000000: LdapErr: DSID-0C090627, comment: In order
> to perform this operation a successful bind must be completed on the
> connection., data 0, vece
> 
> Where the last two lines repeat a lot, though not interchangeably - I
> get a lot more "server does not support the requested control" than the
> other message.
> 
> Looking at /var/log/secure I get this:
> 
> sshd[8581]: pam_unix(sshd:auth): authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=192.168.XXX.XXX  user=oded.a
> sshd[8581]: pam_sss(sshd:auth): system info: [Cannot find KDC for
> requested realm]
> sshd[8581]: pam_sss(sshd:auth): authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=192.168.XXX.XXX user=oded.a
> sshd[8581]: pam_sss(sshd:auth): received for user oded.a: 4 (System
> error)
> sshd[8581]: Failed password for oded.a from 192.168.XXX.XXX port 33213
> ssh2
> 
> I'm not sure which problem is the one that is killing the authentication -
> the KDC or the inability to bind even though bind was successful.
> 
> Does anyone have any suggestions as to what I may try?


I just looked at that page. Man, is it out of date. I'll try to get that
updated soon (I don't think it's been modified since SSSD 0.5.0).

In order to communicate with AD, you need to set (in the domain section
of sssd.conf):
ldap_schema = rfc2307bis
ldap_default_bind_dn = <DN of a user allowed to read from AD>
ldap_default_authtok = <Password of that user>

That should get you most of the way there.

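As an added illustration of the three settings named in the reply above (this is an editor's example, not configuration from the original thread or from the SSSD project's documentation), here is a complete [domain/AD] section that puts them in context. The host names, search base, bind account, certificate path and Kerberos realm are placeholders and are assumptions; the TLS, Kerberos and AD attribute-mapping lines go beyond what the reply lists and are included because the quoted logs show both an unauthenticated search ("a successful bind must be completed") and an unresolvable KDC ("Cannot find KDC for requested realm"):

```ini
# /etc/sssd/sssd.conf -- added example, not from the original thread.
# sssd refuses to start unless this file is owned by root with mode 0600;
# that matters here because ldap_default_authtok is a cleartext password.
[sssd]
config_file_version = 2
services = nss, pam
domains = AD

[domain/AD]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

# AD groups are nested and not flat RFC 2307, hence rfc2307bis (from the reply).
ldap_schema = rfc2307bis

# Placeholders (assumed names): a domain controller and the domain's base DN.
ldap_uri = ldaps://dc1.example.com
ldap_search_base = dc=example,dc=com
# AD hands out referrals that sssd cannot follow usefully; turn them off.
ldap_referrals = false

# A dedicated, read-only account (from the reply). AD rejects searches made
# before a bind, which is exactly what the "Operations error ... a successful
# bind must be completed" line reports when no default bind DN is configured.
ldap_default_bind_dn = cn=sssd-reader,cn=Users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = <password of that account>

# Never send the simple-bind password in the clear: use ldaps:// as above
# (or ldap_id_use_start_tls = true on ldap://) and verify the DC certificate.
ldap_tls_cacert = /etc/openldap/cacerts/ad-ca.pem
ldap_tls_reqcert = demand

# auth_provider = krb5 needs a resolvable realm and KDC; naming them
# explicitly avoids "Cannot find KDC for requested realm" when DNS SRV
# records for the realm are not published to this host.
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com

# Classic AD attribute mapping for the ldap provider: AD stores POSIX data
# in the Services-for-UNIX attributes and uses "user"/"group" object classes.
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_force_upper_case_realm = true
```

Two practitioner notes on the design: the bind account should hold nothing beyond read access to the user and group containers, since its password sits on every enrolled laptop; and the `ldap_default_authtok = <password>` / `ldap_tls_*` pairing is what keeps that credential off the wire in the clear, because the simple bind the log shows ("[simple_bind_done] ... Bind result: Success(0)") sends the password as plaintext inside the TLS session. Later SSSD releases (1.9 onward) ship a dedicated `id_provider = ad` that authenticates with the host's machine keytab instead of a stored password, which removes this secret from sssd.conf altogether.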

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines