Comment 16 for bug 1921494

Matthias Winkler (snakekick) wrote (last edit):

Hello Sergio, hello Matthew,

thanks for your help and the time you invest.
But my configuration is a bit different from that of the creator of this ticket.
We only have the same error message ;(
Sorry if that didn't come across clearly in the past.
I can't and didn't want to connect to this domain; we only use sssd with ldap as provider.
I sent you my sssd.conf last week, but here is the relevant part:

[sssd]
config_file_version = 2
domains = xxx
services = nss,pam,ssh
reconnection_retries = 3
#debug_level = 5

[pam]

[nss]
filter_users = bin,daemon,ftp,games,haldaemon,lp,mail,messagebus,nobody,ntp,polkituser,postfix,root,sshd,wwwrun,at,dergraf,abix,amboscl,sysnrpe,dnsmasq,hpsmh,ambosrtu,vmon,man,news,uucp
filter_groups = root,bin,daemon,sys,tty,disk,lp,www,kmem,wheel,mail,news,uuscp,shadow,dialout,audio,floppy,cdrom,console,utmp,public,video,games,xok,trusted,modem,ftp,man,users,nobody,nogroup,messagebus,haldaemon,sshd,tape,postfix,maildrop,polkituser,ntp,at,dergraf,abix,amboscl,sysnrpe,hpsmh,ambosrtu,vmon,winbind,ntadmin

[domain/xxx]
#debug_level = 7
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = simple
ldap_uri = ldaps://xx.xx.de:636,
ldap_search_base = dc=xx,dc=xx,dc=xx
ldap_schema = ad
ldap_id_mapping = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
ldap_idmap_range_min = 100000000
ldap_idmap_range_max = 2100000000
ldap_idmap_range_size = 2000000000
ldap_idmap_default_domain_sid = S-1-5-21-32142354-212345234-839522115
ldap_idmap_default_domain = xx.xx.de
enumerate = False
ignore_group_members = True
ldap_idmap_autorid_compat = True
ldap_default_bind_dn = xxx
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = xxx
use_fully_qualified_names = False
case_sensitive = false
ldap_tls_cacertdir = /etc/ssl/certs
#ldap_tls_cacert = /etc/ssl/certs/Domain-Root.crt
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cipher_suite = ECDHE-RSA-AES256-GCM-SHA384
simple_allow_groups = xxx
sudo_provider = ldap
autofs_provider = ldap
resolver_provider = ldap

I tried different settings with ldap_tls_cacertdir or ldap_tls_cacert (only the domain root crt or the ca-certificates.crt), but it ends with the same error; the same with different ldap_tls_reqcert settings.

I have attached a screenshot of the working ldapsearch
(ldapsearch -x -b "dc=xx,dc=xx,dc=xx" -H ldaps://xx.xx.xx:636 -D user@domain -W "objectclass=*" -d1)
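As an added example (not code from the reporter, the bug, or the sssd project), the following Python script parses an sssd.conf domain section and lints the LDAP/TLS settings that matter when sssd fails to connect while ldapsearch succeeds. The embedded configuration is a constructed copy of the section pasted above with its placeholders kept; the findings it reports (an empty entry in the comma-separated `ldap_uri` list, StartTLS requested on a connection that already uses `ldaps://`, the hashed-link requirement for `ldap_tls_cacertdir`, and a weak `ldap_tls_reqcert` value) are general sssd/OpenSSL behaviour, not a diagnosis of this bug.

```python
"""Lint the LDAP/TLS settings of an sssd.conf domain section.

Added example, not part of the bug report or of sssd itself.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the configuration pasted in the comment,
# placeholders (xxx, xx.xx.de) kept as they appear there.
SAMPLE_CONF = """
[sssd]
config_file_version = 2
domains = xxx
services = nss,pam,ssh

[domain/xxx]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://xx.xx.de:636,
ldap_search_base = dc=xx,dc=xx,dc=xx
ldap_schema = ad
ldap_id_mapping = True
ldap_default_bind_dn = xxx
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = xxx
ldap_tls_cacertdir = /etc/ssl/certs
#ldap_tls_cacert = /etc/ssl/certs/Domain-Root.crt
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cipher_suite = ECDHE-RSA-AES256-GCM-SHA384
"""

LDAP_SCHEMES = {"ldap", "ldaps", "ldapi"}


def parse_sssd_conf(text):
    """sssd.conf is INI-style; '#' lines are comments, sections may be empty."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def split_uris(value):
    """ldap_uri is a comma-separated list; empty items are kept so they can be flagged."""
    return [u.strip() for u in value.split(",")]


def is_true(value, default=False):
    if value is None:
        return default
    return value.strip().lower() in ("true", "yes", "1")


def lint_domain(cp, section):
    """Return a list of human-readable findings for one [domain/...] section."""
    d = cp[section]
    findings = []

    uris = split_uris(d.get("ldap_uri", ""))
    for pos, uri in enumerate(uris):
        if not uri:
            findings.append(f"ldap_uri: empty entry at position {pos} (trailing or doubled comma)")
            continue
        scheme = urlsplit(uri).scheme
        if scheme not in LDAP_SCHEMES:
            findings.append(f"ldap_uri: unexpected scheme in {uri!r}")
    schemes = {urlsplit(u).scheme for u in uris if u}

    # StartTLS upgrades a plain ldap:// session; on ldaps:// the session is already TLS.
    if is_true(d.get("ldap_id_use_start_tls")) and schemes == {"ldaps"}:
        findings.append("ldap_id_use_start_tls=True with only ldaps:// URIs: StartTLS is redundant there")

    # Default for ldap_tls_reqcert in sssd is 'hard'; never/allow skip verification.
    reqcert = d.get("ldap_tls_reqcert", "hard").strip().lower()
    if reqcert in ("never", "allow"):
        findings.append(f"ldap_tls_reqcert={reqcert} disables server certificate verification")

    cacert = d.get("ldap_tls_cacert")
    cacertdir = d.get("ldap_tls_cacertdir")
    if not cacert and not cacertdir:
        findings.append("no ldap_tls_cacert/ldap_tls_cacertdir set; OpenSSL default trust store applies")
    if cacertdir:
        # OpenSSL looks up CAs in a directory by subject-hash file names (openssl rehash).
        findings.append(f"ldap_tls_cacertdir={cacertdir}: CA must be present as a hash-named link there")

    if d.get("ldap_default_authtok_type", "").strip() == "obfuscated_password":
        findings.append("ldap_default_authtok is obfuscated, not encrypted; keep sssd.conf mode 0600")

    return findings


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_CONF)
    for sec in conf.sections():
        if sec.startswith("domain/"):
            for line in lint_domain(conf, sec):
                print(f"[{sec}] {line}")
```

Run it against a real file with `parse_sssd_conf(open("/etc/sssd/sssd.conf").read())`; each finding names the option to look at, and the `ldap_tls_cacertdir` note is the first thing to check when ldapsearch (which may use a different CA path from ldap.conf) verifies the server fine while sssd does not.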