On Tue, Aug 11, 2015 at 06:56:28PM +0000, Thackeray, Neil L wrote:
> I've gotten logins to work from our AD, but for some reason after
> a while they just stop working again. I'm using Ubuntu 14.04.1, sssd 1.12.5.
> I don't know why it's trying to contact the AD over 389. We only allow ldaps 636
> connections to the AD.
Well, here's your reason :-) We use the LDAP port and the GC port,
not 636, in the AD provider.
Why do you allow port 636? The AD provider uses GSSAPI for
authentication already, and the default AD provider config doesn't
require or use a certificate.
> I'm not sure how it's initially allowing logins and then
> suddenly can't resolve the AD servers.
I would need to see the complete log file to be sure; the snippet you
sent already shows sssd being offline. What about the Global Catalog
port, do you allow that one? Maybe sssd reads the user data from the GC.
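A quick way to check the point made in the reply (the AD provider talks to the domain controllers on the plain LDAP port and the Global Catalog port, not on 636) is to probe those ports from the sssd host before touching the config. The script below is an added example written for this thread; it is not code from sssd or from either poster. The LDAP (389) and GC (3268) ports come from the reply; Kerberos (88) is added here as an assumption, since the GSSAPI bind the reply mentions needs a reachable KDC. Port 636 is probed only to report that it is open while not being what the AD provider uses. The host name dc1.example.com is a placeholder.

```python
"""Probe the TCP ports sssd's AD provider needs on one or more domain
controllers.  Added example for this thread, not part of sssd itself."""
import socket
import sys
from typing import Dict, List

# Ports named in the reply: plain LDAP and the Global Catalog.
# Kerberos 88 is an assumption added here (GSSAPI binds need a KDC).
AD_PROVIDER_PORTS: Dict[str, int] = {
    "ldap": 389,
    "gc": 3268,
    "kerberos": 88,   # assumption, not stated in the thread
}

# Reported for information only: the AD provider does not use LDAPS by default.
LDAPS_PORT = 636


def check_port(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    Any socket error (refused, timed out, unresolvable host) counts as closed,
    which is exactly what a firewall that only passes 636 will look like.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_dc(host: str, timeout: float = 3.0) -> Dict[str, bool]:
    """Probe every port the AD provider needs on a single DC."""
    return {name: check_port(host, port, timeout)
            for name, port in AD_PROVIDER_PORTS.items()}


def missing_services(results: Dict[str, bool]) -> List[str]:
    """Names of the services that were not reachable, sorted for stable output."""
    return sorted(name for name, ok in results.items() if not ok)


def report(host: str, timeout: float = 3.0) -> str:
    """Human-readable summary for one DC, including the 636 hint."""
    results = probe_dc(host, timeout)
    lines = [f"{host}:"]
    for name, port in AD_PROVIDER_PORTS.items():
        state = "open" if results[name] else "BLOCKED"
        lines.append(f"  {name:<8} tcp/{port:<5} {state}")
    if check_port(host, LDAPS_PORT, timeout):
        lines.append(f"  ldaps    tcp/{LDAPS_PORT:<5} open (not used by the AD provider)")
    missing = missing_services(results)
    if missing:
        lines.append("  sssd will go offline: cannot reach " + ", ".join(missing))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 probe_dc.py dc1.example.com dc2.example.com
    hosts = sys.argv[1:] or ["dc1.example.com"]  # placeholder DC name
    for dc in hosts:
        print(report(dc))
```

Run it against each DC that sssd discovered (the `ad_server` entries, or the SRV records if you let sssd discover them). Any line marked BLOCKED is a port the firewall has to allow; an open 636 on its own does not help the AD provider.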