** Description changed:

New sssd.conf variable ad_use_ldaps not working. On starting sssd it errors with "sssd[be[13765]: Could not start TLS encryption. (unknown error code)"

# lsb_release -rd
Description: Ubuntu 18.04.5 LTS
Release: 18.04

Note: problem also seen with Ubuntu 20.04.2

# apt-cache policy sssd | grep Installed
- Installed: 1.16.1-1ubuntu1.7
+ Installed: 1.16.1-1ubuntu1.7

Expectation

Adding ad_use_ldaps to a working AD integrated /etc/sssd/sssd.conf to use port 636 instead of port 389 due to ADV 190023.

Reference https://bugs.launchpad.net/ubuntu/focal/+source/sssd/+bug/1868703/

Problem

Added a working Public root CA cert to the common ca-certificate (/etc/ssl/ca-certificates) and /etc/ldap/ldap.conf has the following set:

TLS_CACERT /etc/ssl/certs/ca-certificates.crt

An ldapsearch using the above certificate bundle against LDAPS is successful:

# openssl s_client -connect company-ad-server.company.com:636
CONNECTED(00000005)

- # ldapsearch -v -H ldaps://company-ad-server.company.com:636 -b "dc=company,dc=com" "(sAMAccountName=superduperuser)"
ldap_initialize( ldaps://company-ad-server.company.com:636/??base )
SASL/GSSAPI authentication started
SASL username: superduperu...@company.com
SASL SSF: 0
filter: (sAMAccountName=superduperuser)
requesting: All userApplication attributes
<snip>
+ # ldapsearch -v -H ldaps://company-ad-server.company.com:636 -b "dc=company,dc=com" "(sAMAccountName=superduperuser)"
ldap_initialize( ldaps://company-ad-server.company.com:636/??base )
SASL/GSSAPI authentication started
SASL username: superduperu...@company.com
SASL SSF: 0
filter: (sAMAccountName=superduperuser)
requesting: All userApplication attributes
<snip>
# Duperuser\2C Super ADM, Users, Admin, company.com
dn: CN=Duperuser\, Super ADM,OU=Internal,OU=Users,OU=Admin,DC=company,DC=com
<snip>

sssd.conf is configured with:

[sssd]
domains = company.com
config_file_version = 2
services = nss, pam

[domain/company.com]
ad_domain = company.com
krb5_realm = company.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
ldap_id_mapping = True
ad_use_ldaps = True
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
auth_provider = ad
access_provider = simple
simple_allow_groups = linux-admins

Stopping sssd, clearing the sssd cache, and starting sssd returns the following error:

sssd[be[13765]: Could not start TLS encryption. (unknown error code)

Setting debug_level = 4 (or higher) returns the following around this unknown error:

[set_server_common_status] (0x0100): Marking server 'ad-server.company.com' as 'name resolved'
[be_resolve_server_process] (0x0200): Found address for server ad-server.company.com: [y.y.y.y] TTL 3600
[ad_resolve_callback] (0x0100): Constructed uri 'ldaps://ad-server.company.com'
[ad_resolve_callback] (0x0100): Constructed GC uri 'ldaps://ad-server.company.com'
[sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting
[sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: [Connect error] [(unknown error code)]
[sss_ldap_init_state_destructor] (0x0400): calling ldap_unbind_ext for ldap:[0x55d1149ef6e0] sd:[18]
[sss_ldap_init_state_destructor] (0x0400): closing socket [18]
[sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [5]: Input/output error.
[fo_set_port_status] (0x0100): Marking port 389 of server 'ad-server.company.com' as 'not working'
[fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'ad-server.company.com' as 'not working'
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921494

Title:
  ad_use_ldaps error could not start tls encryption

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1921494/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
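The report above pairs an sssd.conf that asks for LDAPS with debug output in which TLS setup fails and the failover code then marks port 389, not 636, as "not working". The following triage helper is an added example (not part of the bug report and not sssd project code): it reads the [domain/...] section of an sssd.conf and a slice of sssd_be debug output, and reports the facts an administrator wants to confirm before blaming the AD server or the CA bundle: whether ad_use_ldaps is actually set, which CA file sssd will trust, where TLS failed, and whether the port recorded by the failover code matches the port implied by the constructed URI. The sample config and log text are constructed from the lines quoted in the report; the function names (`parse_domain_config`, `expected_port`, `triage`) and the regexes are this example's own.

```python
"""Triage helper for an sssd "Could not start TLS encryption" failure.

Added example, not taken from the Launchpad bug or from sssd itself.
It correlates the requested transport (ad_use_ldaps / ldap_tls_cacert)
with what the debug log says actually happened.
"""
import configparser
import re

# Constructed sample: the relevant part of the sssd.conf from the report.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = company.com
config_file_version = 2
services = nss, pam

[domain/company.com]
ad_domain = company.com
krb5_realm = company.com
fallback_homedir = /home/%u@%d
id_provider = ad
ldap_id_mapping = True
ad_use_ldaps = True
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
auth_provider = ad
"""

# Constructed sample: debug_level = 4 lines as quoted in the report.
SAMPLE_LOG = """\
[ad_resolve_callback] (0x0100): Constructed uri 'ldaps://ad-server.company.com'
[ad_resolve_callback] (0x0100): Constructed GC uri 'ldaps://ad-server.company.com'
[sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting
[sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: [Connect error] [(unknown error code)]
[sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [5]: Input/output error.
[fo_set_port_status] (0x0100): Marking port 389 of server 'ad-server.company.com' as 'not working'
"""

URI_RE = re.compile(r"Constructed (GC )?uri '(?P<uri>[a-z]+://[^']+)'")
TLS_FAIL_RE = re.compile(
    r"\[(?P<func>[^\]]+)\] \(0x[0-9a-f]+\): (?P<msg>ldap_install_tls failed: .*)")
PORT_RE = re.compile(
    r"Marking port (?P<port>\d+) of (duplicate )?server '(?P<host>[^']+)' as '(?P<status>[^']+)'")


def parse_domain_config(conf_text):
    """Return (domain, ad_use_ldaps, ldap_tls_cacert) from the first [domain/...] section."""
    # interpolation=None: sssd values such as /home/%u@%d contain literal '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for section in cp.sections():
        if section.startswith("domain/"):
            use_ldaps = cp.getboolean(section, "ad_use_ldaps", fallback=False)
            cacert = cp.get(section, "ldap_tls_cacert", fallback=None)
            return section[len("domain/"):], use_ldaps, cacert
    raise ValueError("no [domain/...] section found")


def expected_port(uri):
    """Port implied by an LDAP URI: explicit port if given, else 636 for ldaps, 389 for ldap."""
    scheme, _, rest = uri.partition("://")
    host_port = rest.split("/", 1)[0]
    if ":" in host_port:
        return int(host_port.rsplit(":", 1)[1])
    return 636 if scheme == "ldaps" else 389


def triage(conf_text, log_text):
    """Correlate the configured transport with the debug log and return findings."""
    domain, use_ldaps, cacert = parse_domain_config(conf_text)
    uris = [m.group("uri") for m in URI_RE.finditer(log_text)]
    tls_failures = [m.group("msg") for m in TLS_FAIL_RE.finditer(log_text)]
    bad_ports = [(int(m.group("port")), m.group("host"))
                 for m in PORT_RE.finditer(log_text) if m.group("status") == "not working"]
    findings = []
    if use_ldaps and not cacert:
        findings.append("ad_use_ldaps is set but ldap_tls_cacert is not; trust then comes from "
                        "the OpenLDAP client defaults (e.g. TLS_CACERT in /etc/ldap/ldap.conf)")
    if use_ldaps and uris and not all(u.startswith("ldaps://") for u in uris):
        findings.append("ad_use_ldaps is set but a non-ldaps URI was constructed: " + ", ".join(uris))
    for msg in tls_failures:
        findings.append("TLS setup failed before bind: " + msg)
    wanted = {expected_port(u) for u in uris}
    for port, host in bad_ports:
        if wanted and port not in wanted:
            findings.append(f"failover marked port {port} on {host} as not working, "
                            f"but the constructed URI(s) imply port {sorted(wanted)}")
    return {"domain": domain, "ad_use_ldaps": use_ldaps, "ldap_tls_cacert": cacert,
            "uris": uris, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_SSSD_CONF, SAMPLE_LOG)
    print(f"domain={result['domain']} ad_use_ldaps={result['ad_use_ldaps']} "
          f"cacert={result['ldap_tls_cacert']}")
    for finding in result["findings"]:
        print(" -", finding)
```

Run against the constructed sample it reports the TLS failure and the port mismatch (ldaps URI, yet port 389 marked unusable), which is exactly the inconsistency worth quoting in a bug report; for a real system, feed it the contents of /etc/sssd/sssd.conf and /var/log/sssd/sssd_<domain>.log instead of the samples.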