07-18-2011, 03:34 PM
Oded Arbel

Problems setting up SSSD to authenticate to Windows 2008 AD

Hi List. First time poster, so if I'm doing something wrong please let me
know.

I'm trying to set up SSSD for a laptop running Fedora 14 to authenticate
against an Active Directory domain running on a Windows 2008 server.
I've followed the instructions in this page:
https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
(except the part about anonymous searches - our security policy will not
allow that), and I still can't get authentication to work.

When I try to log in using ssh to the computer I get this in the sssd
log file for the AD connection:

[sssd[be[AD]]] [simple_bind_done] (3): Bind result: Success(0), (null)
[sssd[be[AD]]] [be_run_online_cb] (3): Going online. Running callbacks.
[sssd[be[AD]]] [sdap_control_create] (3): Server does not support the
requested control [1.3.6.1.4.1.42.2.27.8.5.1].
[sssd[be[AD]]] [sdap_get_generic_done] (2): Unexpected result from ldap:
Operations error(1), 00000000: LdapErr: DSID-0C090627, comment: In order
to perform this operation a successful bind must be completed on the
connection., data 0, vece

Where the last two lines repeat a lot, though not interchangeably - I
get a lot more "server does not support the requested control" than the
other message.

Looking at /var/log/secure I get this:

sshd[8581]: pam_unix(sshd:auth): authentication failure; logname= uid=0
euid=0 tty=ssh ruser= rhost=192.168.XXX.XXX user=oded.a
sshd[8581]: pam_sss(sshd:auth): system info: [Cannot find KDC for
requested realm]
sshd[8581]: pam_sss(sshd:auth): authentication failure; logname= uid=0
euid=0 tty=ssh ruser= rhost=192.168.XXX.XXX user=oded.a
sshd[8581]: pam_sss(sshd:auth): received for user oded.a: 4 (System
error)
sshd[8581]: Failed password for oded.a from 192.168.XXX.XXX port 33213
ssh2

I'm not sure which problem is the one that's killing the authentication -
the KDC or the inability to bind even though bind was successful.

Does anyone have any suggestions as to what I may try?

Thanks in advance.


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
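
An added example, not part of the original post: a Python sketch that re-joins the mail-wrapped log records quoted above and sorts them by subsystem, so the LDAP lookup errors are counted separately from the Kerberos KDC lookup failure reported by pam_sss. The rule labels and function names are assumptions of this example; the sample is constructed from the lines in the post.

```python
import re

# Constructed sample: log lines as quoted in the post, still mail-wrapped.
SAMPLE = """\
[sssd[be[AD]]] [simple_bind_done] (3): Bind result: Success(0), (null)
[sssd[be[AD]]] [sdap_control_create] (3): Server does not support the
requested control [1.3.6.1.4.1.42.2.27.8.5.1].
[sssd[be[AD]]] [sdap_get_generic_done] (2): Unexpected result from ldap:
Operations error(1), 00000000: LdapErr: DSID-0C090627, comment: In order
to perform this operation a successful bind must be completed on the
connection., data 0, vece
sshd[8581]: pam_sss(sshd:auth): system info: [Cannot find KDC for
requested realm]
sshd[8581]: Failed password for oded.a from 192.168.XXX.XXX port 33213
ssh2
"""

# A new record starts with an SSSD "[sssd[" tag or a "name[pid]:" syslog tag.
RECORD_START = re.compile(r"^(\[sssd\[|[\w.-]+\[\d+\]:)")

# (label, pattern) pairs; the first matching rule wins.
RULES = [
    # Search attempted on a connection the server treats as unauthenticated.
    ("ldap-unauthenticated-search", re.compile(r"successful bind must be completed")),
    # 1.3.6.1.4.1.42.2.27.8.5.1 is the LDAP password-policy request control.
    ("ldap-unsupported-control", re.compile(r"does not support the requested control")),
    # Kerberos side: no KDC could be located for the configured realm.
    ("krb5-no-kdc", re.compile(r"Cannot find KDC for requested realm")),
    ("ldap-bind-ok", re.compile(r"Bind result: Success\(0\)")),
]

def unwrap(text):
    """Join mail-wrapped continuation lines onto the record they belong to."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def triage(text):
    """Return {label: count}; records matching no rule are counted as 'other'."""
    counts = {}
    for rec in unwrap(text):
        label = next((name for name, pat in RULES if pat.search(rec)), "other")
        counts[label] = counts.get(label, 0) + 1
    return counts
```
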
 
07-25-2011, 04:15 PM
Stephen Gallagher

Problems setting up SSSD to authenticate to Windows 2008 AD

On Mon, 2011-07-18 at 18:34 +0300, Oded Arbel wrote:
> Hi List. First time poster, so if I'm doing something wrong please let me
> know.
>
> I'm trying to set up SSSD for a laptop running Fedora 14 to authenticate
> against an Active Directory domain running on a Windows 2008 server.
> I've followed the instructions in this page:
> https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server
> (except the part about anonymous searches - our security policy will not
> allow that), and I still can't get authentication to work.
>
> When I try to log in using ssh to the computer I get this in the sssd
> log file for the AD connection:
>
> [sssd[be[AD]]] [simple_bind_done] (3): Bind result: Success(0), (null)
> [sssd[be[AD]]] [be_run_online_cb] (3): Going online. Running callbacks.
> [sssd[be[AD]]] [sdap_control_create] (3): Server does not support the
> requested control [1.3.6.1.4.1.42.2.27.8.5.1].
> [sssd[be[AD]]] [sdap_get_generic_done] (2): Unexpected result from ldap:
> Operations error(1), 00000000: LdapErr: DSID-0C090627, comment: In order
> to perform this operation a successful bind must be completed on the
> connection., data 0, vece
>
> Where the last two lines repeat a lot, though not interchangeably - I
> get a lot more "server does not support the requested control" than the
> other message.
>
> Looking at /var/log/secure I get this:
>
> sshd[8581]: pam_unix(sshd:auth): authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=192.168.XXX.XXX user=oded.a
> sshd[8581]: pam_sss(sshd:auth): system info: [Cannot find KDC for
> requested realm]
> sshd[8581]: pam_sss(sshd:auth): authentication failure; logname= uid=0
> euid=0 tty=ssh ruser= rhost=192.168.XXX.XXX user=oded.a
> sshd[8581]: pam_sss(sshd:auth): received for user oded.a: 4 (System
> error)
> sshd[8581]: Failed password for oded.a from 192.168.XXX.XXX port 33213
> ssh2
>
> I'm not sure which problem is the one that's killing the authentication -
> the KDC or the inability to bind even though bind was successful.
>
> Does anyone have any suggestions as to what I may try?


I just looked at that page. Man is it out of date. I'll try to get that
updated soon (I don't think it's been modified since SSSD 0.5.0).

In order to communicate with AD, you need to set (in the domain section
of sssd.conf):
ldap_schema = rfc2307bis
ldap_default_bind_dn = <DN of a user allowed to read from AD>
ldap_default_authtok = <Password of that user>

That should get you most of the way there.
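
An added example, not part of the reply or of SSSD itself: because the settings above put a bind password into sssd.conf, this Python check audits a config file for an over-permissive file mode, a bind DN without its password (or the reverse), and a simple bind that would travel over plain ldap://. The domain name, URI, DN and password in the sample are constructed placeholders; ldap_uri and ldap_id_use_start_tls are options from sssd-ldap(5) that the reply does not mention.

```python
import configparser
import os
import stat

# Constructed sample domain section using the three options from the reply;
# the URI, DN and password are placeholders.
SAMPLE_CONF = """\
[domain/AD]
id_provider = ldap
ldap_uri = ldap://dc.example.test
ldap_schema = rfc2307bis
ldap_default_bind_dn = CN=sssd-reader,CN=Users,DC=example,DC=test
ldap_default_authtok = PLACEHOLDER-PASSWORD
"""

def audit_sssd_conf(path):
    """Return a list of findings about bind-credential handling in an sssd.conf."""
    findings = []
    # The file holds a cleartext bind password: no group/other access allowed.
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("file-mode-too-open")
    # No interpolation: passwords may contain '%'. Only '=' separates key/value.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read(path)
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        has_dn = "ldap_default_bind_dn" in dom
        has_tok = "ldap_default_authtok" in dom
        if has_dn != has_tok:
            findings.append(f"{section}: bind DN and authtok must be set together")
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",")]
        start_tls = dom.get("ldap_id_use_start_tls", "false").lower() == "true"
        # A simple bind over plain ldap:// sends the password unencrypted.
        if has_tok and not start_tls and any(u.startswith("ldap://") for u in uris):
            findings.append(f"{section}: bind password sent over cleartext LDAP")
    return findings
```
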