On Mon, 2011-07-18 at 18:34 +0300, Oded Arbel wrote:
Hi List. First time poster, so if I'm doing something wrong please let me know.
I'm trying to set up SSSD for a laptop running Fedora 14 to authenticate
against an Active Directory domain running on a Windows 2008 server.
I've followed the instructions in this page:
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
(except the part about anonymous searches - our security policy will not
allow that), and I still can't get authentication to work.
When I try to log in using ssh to the computer I get this in the sssd
log file for the AD connection:
[sssd[be[AD]]] [simple_bind_done] (3): Bind result: Success(0), (null)
[sssd[be[AD]]] [be_run_online_cb] (3): Going online. Running callbacks.
[sssd[be[AD]]] [sdap_control_create] (3): Server does not support the requested control [1.3.6.1.4.1.42.2.27.8.5.1].
[sssd[be[AD]]] [sdap_get_generic_done] (2): Unexpected result from ldap: Operations error(1), 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
Where the last two lines repeat a lot, though not interchangeably - I
get a lot more "server does not support the requested control" than the
other message.
Looking at /var/log/secure I get this:
sshd[8581]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.XXX.XXX user=oded.a
sshd[8581]: pam_sss(sshd:auth): system info: [Cannot find KDC for requested realm]
sshd[8581]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.XXX.XXX user=oded.a
sshd[8581]: pam_sss(sshd:auth): received for user oded.a: 4 (System error)
sshd[8581]: Failed password for oded.a from 192.168.XXX.XXX port 33213 ssh2
I'm not sure which problem is the one that is killing the authentication -
the KDC or the inability to bind even though bind was successful.
Does anyone have any suggestions as to what I may try?
I just looked at that page. Man is it out of date. I'll try to get that
updated soon (I don't think it's been modified since SSSD 0.5.0).
In order to communicate with AD, you need to set (in the domain section
of sssd.conf):
ldap_schema = rfc2307bis
ldap_default_bind_dn = <DN of a user allowed to read from AD>
ldap_default_authtok = <Password of that user>
That should get you most of the way there.
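As an added illustration (not part of this thread, and not SSSD's own code), here is a small Python checker that parses an sssd.conf and reports, for every `[domain/...]` section, whether the three settings named in the reply are present and whether `ldap_schema` is `rfc2307bis`. The sample configuration, the domain name `AD`, the bind DN and the password are constructed placeholders; `id_provider = ldap` is assumed, not taken from the thread.

```python
import configparser

# Constructed sample sssd.conf; the DN and password are placeholders, not real values.
SAMPLE_SSSD_CONF = """
[sssd]
domains = AD
services = nss, pam

[domain/AD]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_default_bind_dn = CN=sssd-reader,OU=Service Accounts,DC=example,DC=com
ldap_default_authtok = PLACEHOLDER_PASSWORD
"""

# Keys the reply says a domain section needs in order to talk to AD.
# A value of None means "any non-empty value is acceptable".
REQUIRED = {
    "ldap_schema": "rfc2307bis",
    "ldap_default_bind_dn": None,
    "ldap_default_authtok": None,
}


def check_domain_sections(conf_text):
    """Return {section_name: [problem, ...]} for every [domain/...] section.

    An empty problem list means the section has all the required settings.
    """
    # sssd.conf is INI-style; disable interpolation so '%' in passwords is left alone.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    report = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        problems = []
        for key, expected in REQUIRED.items():
            # configparser splits on the first '=', so DNs containing '=' survive intact.
            value = parser.get(section, key, fallback="").strip()
            if not value:
                problems.append(f"{key} is missing or empty")
            elif expected is not None and value != expected:
                problems.append(f"{key} is '{value}', expected '{expected}'")
        report[section] = problems
    return report


if __name__ == "__main__":
    for name, problems in check_domain_sections(SAMPLE_SSSD_CONF).items():
        print(name, "OK" if not problems else problems)
```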