On Mon, 2011-07-18 at 18:34 +0300, Oded Arbel wrote:
> Hi List. First time poster, so if I'm doing something wrong please let me
> know.
>
> I'm trying to set up SSSD for a laptop running Fedora 14 to authenticate
> against an Active Directory domain running on a Windows 2008 server.
> I've followed the instructions in this page:
> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
> (except the part about anonymous searches - our security policy will not
> allow that), and I still can't get authentication to work.
>
> When I try to log in using ssh to the computer I get this in the sssd
> log file for the AD connection:
>
> [sssd[be[AD]]] [simple_bind_done] (3): Bind result: Success(0), (null)
> [sssd[be[AD]]] [be_run_online_cb] (3): Going online. Running callbacks.
> [sssd[be[AD]]] [sdap_control_create] (3): Server does not support the
> requested control [1.3.6.1.4.1.42.2.27.8.5.1].
> [sssd[be[AD]]] [sdap_get_generic_done] (2): Unexpected result from ldap:
> Operations error(1), 00000000: LdapErr: DSID-0C090627, comment: In order
> to perform this operation a successful bind must be completed on the
> connection., data 0, vece
>
> Where the last two lines repeat a lot, though not interchangeably - I
> get a lot more "server does not support the requested control" than the
> other message.
>
> Looking at /var/log/secure I get this:
>
> sshd[8581]: pam_unix(sshd:auth): authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=192.168.XXX.XXX user=oded.a
> sshd[8581]: pam_sss(sshd:auth): system info: [Cannot find KDC for
> requested realm]
> sshd[8581]: pam_sss(sshd:auth): authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=192.168.XXX.XXX user=oded.a
> sshd[8581]: pam_sss(sshd:auth): received for user oded.a: 4 (System
> error)
> sshd[8581]: Failed password for oded.a from 192.168.XXX.XXX port 33213
> ssh2
>
> I'm not sure which problem is the one that is killing the authentication -
> the KDC or the inability to bind even though bind was successful.
>
> Does anyone have any suggestions as to what I may try?

I just looked at that page. Man is it out of date. I'll try to get that
updated soon (I don't think it's been modified since SSSD 0.5.0).

In order to communicate with AD, you need to set (in the domain section
of sssd.conf):

ldap_schema = rfc2307bis
ldap_default_bind_dn = <DN of a user allowed to read from AD>
ldap_default_authtok = <Password of that user>

That should get you most of the way there.
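As an added illustration (not code from this thread or from the SSSD project), a small Python checker that encodes the three settings the reply names for an AD domain section and adds the check a defender wants once ldap_default_authtok puts a service-account password into sssd.conf: the file must be root-owned with mode 0600. The embedded sssd.conf, its hostname, bind DN and password are constructed placeholders.

```python
import configparser
import os
import stat

# Constructed sample sssd.conf, shaped like the settings the reply recommends.
# Host, DN and password are placeholders, not real values.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = AD
services = nss, pam
[domain/AD]
id_provider = ldap
ldap_uri = ldap://dc.example.test
ldap_schema = rfc2307
ldap_default_bind_dn = CN=sssd-reader,OU=Service Accounts,DC=example,DC=test
ldap_default_authtok = PLACEHOLDER-PASSWORD
"""

def check_domain_section(text, domain="AD"):
    """Findings for [domain/<name>]: AD needs ldap_schema = rfc2307bis and an
    authenticated bind identity, because anonymous searches are refused."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    section = "domain/%s" % domain
    if not cfg.has_section(section):
        return ["missing [%s] section" % section]
    findings = []
    schema = cfg.get(section, "ldap_schema", fallback="rfc2307")  # sssd default
    if schema != "rfc2307bis":
        findings.append("ldap_schema is '%s'; AD needs rfc2307bis" % schema)
    for key in ("ldap_default_bind_dn", "ldap_default_authtok"):
        if not cfg.get(section, key, fallback="").strip():
            findings.append("%s is not set; AD rejects unauthenticated searches" % key)
    return findings

def permission_findings(st_mode, uid):
    """sssd.conf now holds a plaintext password: it must be root-owned 0600."""
    findings = []
    mode = stat.S_IMODE(st_mode)
    if mode != 0o600:
        findings.append("mode is %04o, expected 0600" % mode)
    if uid != 0:
        findings.append("owner uid is %d, expected root (0)" % uid)
    return findings

def check_file(path):
    """Run the permission check against a real file, e.g. /etc/sssd/sssd.conf."""
    st = os.stat(path)
    return permission_findings(st.st_mode, st.st_uid)
```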
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines