Sorry, see that you already set that, I didn't read enough first.

I would guess AD is saying use TLS. LDAP will say success, because the query was successful. The result was probably access denied, which is not an error; it's just not what you expected for a result, but the result was a success.

On my setups, I put all the krb5 configuration in krb5.conf. I set up ldap.conf. I use msktutil to join the machine to the domain after being able to successfully kinit username from the machine.

My sssd conf looks basically like this, but substitute your values:
enumerate = false
cache_credentials = true
# AD provider for identity, authentication and password changes
id_provider = ad
auth_provider = ad
chpass_provider = ad
#access_provider = ad
lookup_family_order = ipv4_first
ad_domain = ds.fs.fed.us
#dns_discovery_domain = ds.fs.fed.us
# LDAP over TLS, with the server certificate checked against the AD CA cert
ldap_uri = ldaps://ds.fs.fed.us
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/ad-server-public-cert.pem

ldap_schema = ad
#ldap_id_mapping = False


At some point I really should learn how to put the cert into a cert db thing so I can use the ldap_tls_cacertdir = /etc/openldap/cacerts setting.

Chris


On Thu, Jan 30, 2014 at 1:03 AM, Chris Gray <fathed@gmail.com> wrote:
I had this problem.

Thanks to SSSD guessing the realm, you can set your ldap_user_principal to the following, and it will append the @realm.
ldap_user_principal = sAMAccountName

Also, IMO, ignore the suggestions in that link, use the AD provider. Ditch the bind account.
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad


Use msktutil to join the PC to the AD domain, or create the krb5.keytab file on your domain controller and move it to the PC running Fedora. If you do that, be sure to tell SELinux to accept the foreign file.

Chris
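The two sssd.conf fragments above (the AD-provider block with ldaps/demand/cacert, and the advice to drop the bind account and set access_provider) boil down to a handful of settings worth checking before a box goes live. The following is an added example, not code from the thread or from the SSSD project: a small linter that parses an sssd.conf and flags the weak variants of exactly those settings. The domain, host, bind DN and file paths in the two embedded samples are constructed placeholders.

```python
"""Lint sssd.conf [domain/...] sections for the AD-provider settings
discussed in the thread (TLS, cert verification, bind account, access control).
Added example; the samples below are constructed and not a real site config."""
import configparser

# Constructed sample in the shape of the "before" config: LDAP provider with a
# bind account, plaintext ldap://, no certificate verification, no access control.
SAMPLE_WEAK = """\
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ldap
auth_provider = ldap
ldap_default_bind_dn = cn=svc-sssd,ou=Service Accounts,dc=example,dc=test
ldap_default_authtok = placeholder-password
#access_provider = ad
ldap_uri = ldap://dc1.example.test
ldap_tls_reqcert = allow
ldap_schema = ad
"""

# Constructed sample in the shape of the config posted in the thread.
SAMPLE_HARDENED = """\
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
enumerate = false
cache_credentials = true
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ad_domain = example.test
ldap_uri = ldaps://dc1.example.test
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/ad-server-public-cert.pem
ldap_schema = ad
ldap_user_principal = sAMAccountName
"""

# ldap_tls_reqcert values that actually verify the server certificate chain.
VERIFYING_REQCERT = {"demand", "hard"}


def parse_sssd_conf(text):
    """Parse sssd.conf text. Lines starting with '#' are comments, so a
    commented-out option is simply absent, exactly as SSSD would see it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def lint_domain(section):
    """Return findings for one [domain/...] section as (key, message) tuples."""
    def get(key):
        return section.get(key, "").strip().lower()

    findings = []
    if get("id_provider") != "ad":
        findings.append(("id_provider", "not using the AD provider"))
    if "ldap_default_bind_dn" in section or "ldap_default_authtok" in section:
        findings.append(("ldap_default_bind_dn",
                         "bind account credentials stored in sssd.conf"))
    if "access_provider" not in section:
        # SSSD's default access_provider is 'permit': anyone who can
        # authenticate is allowed to log in.
        findings.append(("access_provider",
                         "no access_provider set; every authenticated user is permitted"))
    uri = get("ldap_uri")
    if uri and not uri.startswith("ldaps://") and get("ldap_id_use_start_tls") != "true":
        findings.append(("ldap_uri", "LDAP connection is not protected by TLS"))
    reqcert = get("ldap_tls_reqcert")
    if reqcert and reqcert not in VERIFYING_REQCERT:
        findings.append(("ldap_tls_reqcert",
                         f"'{reqcert}' does not verify the server certificate"))
    return findings


def lint_sssd_conf(text):
    """Lint every [domain/...] section; returns {section_name: [findings]}."""
    cp = parse_sssd_conf(text)
    return {name: lint_domain(cp[name])
            for name in cp.sections() if name.startswith("domain/")}


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        for name, findings in lint_sssd_conf(sample).items():
            print(f"{label} [{name}]: {len(findings)} finding(s)")
            for key, msg in findings:
                print(f"  {key}: {msg}")
```

Running it on a real file is `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())`; the weak sample produces five findings and the hardened one none. The check for access_provider relies on the fact that a '#'-prefixed line is a comment to configparser just as it is to SSSD, which is why the commented-out line in the thread's config would be reported.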



On Wed, Jan 29, 2014 at 3:18 PM, Nordgren, Bryce L -FS <bnordgren@fs.fed.us> wrote:

> > > > I think the most important log would be the one from the back end,
> > > > generated by including debug_level in the [domain] section.

Oh... I noticed that according to the man page, "debug_level" is listed as an option for services, but is not listed for domains. Perhaps this is something to put into trac?




_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users



--
Intelligence is a matter of opinion.
