Problems setting up SSSD to authenticate to Windows 2008 AD

Stephen Gallagher sgallagh at redhat.com
Mon Jul 25 16:15:19 UTC 2011


On Mon, 2011-07-18 at 18:34 +0300, Oded Arbel wrote:
> Hi List. First time poster, so if I'm doing something wrong please let me
> know.
> 
> I'm trying to set up SSSD for a laptop running Fedora 14 to authenticate
> against an Active Directory domain running on a Windows 2008 server. 
> I've followed the instructions in this page:
> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
> (except the part about anonymous searches - our security policy will not
> allow that), and I still can't get authentication to work.
> 
> When I try to log in using ssh to the computer I get this in the sssd
> log file for the AD connection:
> 
> [sssd[be[AD]]] [simple_bind_done] (3): Bind result: Success(0), (null)
> [sssd[be[AD]]] [be_run_online_cb] (3): Going online. Running callbacks.
> [sssd[be[AD]]] [sdap_control_create] (3): Server does not support the
> requested control [1.3.6.1.4.1.42.2.27.8.5.1].
> [sssd[be[AD]]] [sdap_get_generic_done] (2): Unexpected result from ldap:
> Operations error(1), 00000000: LdapErr: DSID-0C090627, comment: In order
> to perform this operation a successful bind must be completed on the
> connection., data 0, vece
> 
> Where the last two lines repeat a lot, though not interchangeably - I
> get a lot more "server does not support the requested control" than the
> other message.
> 
> Looking at /var/log/secure I get this:
> 
> sshd[8581]: pam_unix(sshd:auth): authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=192.168.XXX.XXX  user=oded.a
> sshd[8581]: pam_sss(sshd:auth): system info: [Cannot find KDC for
> requested realm]
> sshd[8581]: pam_sss(sshd:auth): authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=192.168.XXX.XXX user=oded.a
> sshd[8581]: pam_sss(sshd:auth): received for user oded.a: 4 (System
> error)
> sshd[8581]: Failed password for oded.a from 192.168.XXX.XXX port 33213
> ssh2
> 
> I'm not sure which problem is the one that is killing the authentication -
> the KDC or the inability to bind even though bind was successful.
> 
> Does anyone have any suggestions as to what I may try?


I just looked at that page. Man is it out of date. I'll try to get that
updated soon (I don't think it's been modified since SSSD 0.5.0).

In order to communicate with AD, you need to set (in the domain section
of sssd.conf):
ldap_schema = rfc2307bis
ldap_default_bind_dn = <DN of a user allowed to read from AD>
ldap_default_authtok = <Password of that user>

That should get you most of the way there.
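For reference, here is what a complete domain section built around those three settings looks like. This is an added example, not a configuration from this thread or from the SSSD wiki page; the host names, search base, realm and bind DN are placeholders that must be replaced with your own values, and the krb5_* lines are an assumption addressing the "Cannot find KDC for requested realm" message in the original report (they are only needed if DNS SRV records for the realm are not resolvable from the client).

```ini
# /etc/sssd/sssd.conf -- added example; all values below are placeholders.
# The file holds ldap_default_authtok in cleartext, so SSSD refuses to start
# unless it is owned by root and mode 0600:  chown root:root /etc/sssd/sssd.conf
#                                             chmod 0600 /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = AD

[nss]
filter_users = root
filter_groups = root

[pam]

[domain/AD]
# Identity from LDAP (AD's directory), authentication via Kerberos.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

# The three settings from the reply above.
ldap_schema = rfc2307bis
ldap_default_bind_dn = CN=sssd-reader,OU=Service Accounts,DC=example,DC=com
ldap_default_authtok = PLACEHOLDER-bind-account-password
ldap_default_authtok_type = password

# Directory connection; use TLS so the simple bind does not send the
# service-account password in the clear.
ldap_uri = ldap://dc1.example.com
ldap_search_base = DC=example,DC=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
# AD returns referrals that SSSD cannot usefully chase; disabling them
# avoids a class of "Operations error" responses.
ldap_referrals = false

# Map AD attribute names onto what SSSD expects (RFC 2307bis attributes
# are populated on the AD side via the Unix attributes or SFU schema).
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group

# Kerberos realm; only set krb5_server explicitly when DNS SRV lookup
# (_kerberos._tcp.EXAMPLE.COM) does not work from this client.
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com
krb5_store_password_if_offline = true

# Let the laptop log in while off the corporate network.
cache_credentials = true
enumerate = false
```

The bind account named in ldap_default_bind_dn should be a dedicated, read-only service account rather than a personal or administrative user: whoever can read the file can read its password, and the account needs no rights beyond searching the users and groups containers. After editing the file, restart sssd and confirm the identity side works on its own before testing the password path, for example with getent passwd and id for an AD user; if those succeed but login still fails, the remaining problem is on the Kerberos side (realm name, KDC reachability, or clock skew), which is what the pam_sss "Cannot find KDC" line points at.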