ad_use_ldaps sssd could not start tls encryption

Asked by Rex Goldsmith

New sssd.conf variable ad_use_ldaps not working. On starting sssd it errors with "sssd[be[13765]: Could not start TLS encryption. (unknown error code)"

# lsb_release -rd
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Note: problem also seen with Ubuntu 20.04.2
# apt-cache policy sssd | grep Installed
  Installed: 1.16.1-1ubuntu1.7

Expectation
Adding ad_use_ldaps to a working AD integrated /etc/sssd/sssd.conf to use port 636 instead of port 389 due to ADV 190023. Reference https://bugs.launchpad.net/ubuntu/focal/+source/sssd/+bug/1868703/

Problem
Added a working Public root CA cert to the common ca-certificate (/etc/ssl/ca-certificates) and /etc/ldap/ldap.conf has the following set:
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
An ldapsearch using the above certificate bundle against LDAPS is successful:

# openssl s_client -connect company-ad-server.company.com:636
CONNECTED(00000005)
# ldapsearch -v -H ldaps://company-ad-server.company.com:636 -b "dc=company,dc=com" "(sAMAccountName=superduperuser)"
ldap_initialize( ldaps://company-ad-server.company.com:636/??base )
SASL/GSSAPI authentication started
SASL username: <email address hidden>
SASL SSF: 0
filter: (sAMAccountName=superduperuser)
requesting: All userApplication attributes
<snip>
# Duperuser\2C Super ADM, Users, Admin, company.com
dn: CN=Duperuser\, Super ADM,OU=Internal,OU=Users,OU=Admin,DC=company,DC=com
<snip>

sssd.conf is configured with:
[sssd]
domains = company.com
config_file_version = 2
services = nss, pam

[domain/company.com]
ad_domain = company.com
krb5_realm = company.com
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
ldap_id_mapping = True
ad_use_ldaps = True
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
auth_provider = ad
access_provider = simple
simple_allow_groups = linux-admins

Stopping sssd, clearing the sssd cache and starting sssd returns the following error:
sssd[be[13765]: Could not start TLS encryption. (unknown error code)

Setting debug_level = 4 (or higher) returns the following around this unknown error:
[set_server_common_status] (0x0100): Marking server 'ad-server.company.com' as 'name resolved'
[be_resolve_server_process] (0x0200): Found address for server ad-server.company.com: [y.y.y.y] TTL 3600
[ad_resolve_callback] (0x0100): Constructed uri 'ldaps://ad-server.company.com'
[ad_resolve_callback] (0x0100): Constructed GC uri 'ldaps://ad-server.company.com'
[sssd_async_socket_init_send] (0x0400): Setting 6 seconds timeout for connecting
[sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: [Connect error] [(unknown error code)]
[sss_ldap_init_state_destructor] (0x0400): calling ldap_unbind_ext for ldap:[0x55d1149ef6e0] sd:[18]
[sss_ldap_init_state_destructor] (0x0400): closing socket [18]
[sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [5]: Input/output error.
[fo_set_port_status] (0x0100): Marking port 389 of server 'ad-server.company.com' as 'not working'
[fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'ad-server.company.com' as 'not working'

The above was also asked on askubuntu.com, where it was recommended to open a bug report. Will first try here, before opening a bug report.

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Rex Goldsmith
Bernard Stafford (bernard010) said:
#1

Looks as if your certs are OK. This I found in the documentation for TLS:
Note: LDAP over TLS/SSL (ldaps://) is deprecated in favour of StartTLS. The latter refers to an existing LDAP session (listening on TCP port 389) becoming protected by TLS/SSL whereas LDAPS, like HTTPS, is a distinct encrypted-from-the-start protocol that operates over TCP port 636.
https://ubuntu.com/server/docs/service-ldap-with-tls
Myself, I would file a bug report. Please use apport in the terminal to gather information so the bug report is complete.
https://wiki.ubuntu.com/Apport
I will check further for more info.

Rex Goldsmith (rexgo) said:
#2

This was resolved for me. And for anyone else that strikes this, check that your SSL certificates are not SHA1!

# openssl x509 -text -in /etc/ldap/certs/CAcert.pem | grep Signature

Testing via openssl didn't throw up any errors, but the way SSSD works (in combination with Ubuntu cracking down on SHA1), it fails.

I was lucky enough to have another domain (recently set up) where the Root CA cert was SHA256, and by adding that cert to my Ubuntu server, along with ad_use_ldaps in my sssd.conf, it worked! LDAPS via port 636 without the uninformative errors noted above.
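As an added example, not part of this thread and not SSSD's or Ubuntu's own tooling, the following POSIX shell script automates the check Rex describes in #2 and the s_client probe from the question: it splits a PEM bundle such as /etc/ssl/certs/ca-certificates.crt into individual certificates, prints each certificate's signature algorithm next to its subject, and flags SHA-1 and MD5 signatures, which is the condition that makes SSSD's ldap_install_tls fail while a plain openssl connect still looks fine. It can also fetch the chain presented by an LDAPS server with `openssl s_client -showcerts` and run the same check on it. The host name, port and file paths are placeholders; the script assumes the `openssl`, `awk` and `sed` binaries are available.

```shell
#!/bin/sh
# Added example (not from the original thread): report the signature
# algorithm of every certificate in a PEM bundle or in an LDAPS server's
# chain, and flag digests that SSSD/OpenSSL on current Ubuntu will reject.
set -u

# Classify a signature algorithm name as printed by `openssl x509 -text`
# (e.g. sha1WithRSAEncryption, ecdsa-with-SHA256). Returns 0 when weak.
is_weak_sigalg() {
    case "$1" in
        *sha1*|*SHA1*|*md5*|*MD5*|*md2*|*MD2*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<signature algorithm><TAB><subject>" for each certificate in a
# PEM file (a single cert or a bundle like ca-certificates.crt).
sig_algos_in_pem() {
    pem="$1"
    tmp=$(mktemp -d) || return 1
    # Split the bundle: one numbered file per BEGIN/END CERTIFICATE block.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%04d.pem", d, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$pem"
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        # First "Signature Algorithm:" line is the one inside tbsCertificate.
        alg=$(openssl x509 -noout -text -in "$c" | awk '/Signature Algorithm/ { print $3; exit }')
        subj=$(openssl x509 -noout -subject -in "$c")
        printf '%s\t%s\n' "$alg" "$subj"
    done
    rm -rf "$tmp"
}

# Print only the weakly signed certificates; return 0 if any were found,
# 1 if the bundle is clean.
has_weak_sigs_in_pem() {
    rc=1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if is_weak_sigalg "$(printf '%s\n' "$line" | cut -f1)"; then
            printf '%s\n' "$line"
            rc=0
        fi
    done <<EOF
$(sig_algos_in_pem "$1")
EOF
    return $rc
}

# Fetch the chain an LDAPS server presents (as the question does with
# s_client) and run the same check on it. Host and port are placeholders.
check_ldaps_chain() {
    host="$1"; port="${2:-636}"
    chain=$(mktemp) || return 1
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$chain"
    sig_algos_in_pem "$chain"
    if has_weak_sigs_in_pem "$chain" >/dev/null; then
        echo "WARNING: weak signature digest in chain from $host:$port"
    fi
    rm -f "$chain"
}

# Usage: sh check_ldaps_sigalg.sh /etc/ssl/certs/ca-certificates.crt
#        sh check_ldaps_sigalg.sh --server ad-server.company.com 636
if [ $# -gt 0 ]; then
    if [ "$1" = "--server" ]; then
        check_ldaps_chain "$2" "${3:-636}"
    else
        sig_algos_in_pem "$1"
        if has_weak_sigs_in_pem "$1" >/dev/null; then
            echo "WARNING: weak signature digest found in $1"
        fi
    fi
fi
```

Run it against the CA bundle that ldap_tls_cacert points at, and against the server with `--server`; any line flagged as sha1 or md5 is a certificate SSSD will refuse even though `openssl s_client` and `ldapsearch` may still connect, which matches the symptom in the question.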