Bug 821962

Summary: sssd: "Could not start TLS encryption"
Product: Fedora
Reporter: Andrew McNabb <amcnabb>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: jhrozek, sbose, sgallagh, ssorce
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-05-15 18:43:25 EDT
Attachments: sssd.conf

Description Andrew McNabb 2012-05-15 17:50:43 EDT
Created attachment 584794: sssd.conf

In Fedora 17, authentication with sssd and ldap isn't quite working right. For example, SSH public keys don't work, and passwords only work sometimes. I think it might be related to an error message:

May 15 15:15:27 testvm sssd[be[LDAP]]: Could not start TLS encryption. TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

On Fedora 16 with the same LDAP server and same configuration files, it works without any problems and without the error message. On Fedora 17, the version is sssd-1.8.3-11.fc17.x86_64. The config file explicitly specifies an ldap_tls_cacert file.

I am attaching the sssd.conf file in case this is helpful. Is there any other information I can provide?
Comment 1 Andrew McNabb 2012-05-15 18:17:42 EDT
By the way, if I set `ldap_tls_reqcert = allow`, then password authentications work every time.
Comment 2 Andrew McNabb 2012-05-15 18:43:25 EDT
Sorry, this is actually a bug in Anaconda, not sssd. Stupid selinux. :(

*** This bug has been marked as a duplicate of bug 821966 ***
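Added example, not from the bug report and not sssd's own code: a small POSIX shell audit of an sssd.conf that reports when the workaround from comment 1 (ldap_tls_reqcert = allow), or any other value weaker than demand/hard, leaves the LDAP server certificate unverified, and checks that the configured ldap_tls_cacert file is actually readable, since a CA file sssd cannot open (the reporter traced his case to SELinux) is one way to end up with an "issuer ... not trusted" failure. The demo config, domain name and CA path are constructed.

```shell
#!/bin/sh
# Added audit helper (not sssd's code, not from the bug report). Reads
# ldap_tls_reqcert / ldap_tls_cacert from the [domain/...] section of an
# sssd.conf and flags settings that leave the server certificate unverified.
# Exit status: 0 = verification enforced and CA file readable, 1 = weak/unusable.

# Print the first value of key $2 found inside a [domain/...] section of file $1.
sssd_get() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { insec = index($0, "[domain/") > 0; next }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

audit_sssd_tls() {
    conf=$1; rc=0
    reqcert=$(sssd_get "$conf" ldap_tls_reqcert)
    cacert=$(sssd_get "$conf" ldap_tls_cacert)
    # sssd-ldap(5): the default is "hard"; "demand" is its synonym.
    case "${reqcert:-hard}" in
        demand|hard) echo "ok: ldap_tls_reqcert=${reqcert:-hard} (certificate required and verified)" ;;
        try)   echo "WEAK: ldap_tls_reqcert=try accepts a server that presents no certificate"; rc=1 ;;
        allow) echo "WEAK: ldap_tls_reqcert=allow ignores a certificate that fails verification"; rc=1 ;;
        never) echo "WEAK: ldap_tls_reqcert=never requests no certificate at all"; rc=1 ;;
        *)     echo "WEAK: unrecognised ldap_tls_reqcert value '$reqcert'"; rc=1 ;;
    esac
    # A CA file sssd cannot open (missing, wrong mode, or an SELinux label that
    # denies the sssd domain) leaves the issuer untrusted, as in the report.
    if [ -z "$cacert" ]; then
        echo "note: ldap_tls_cacert unset; the LDAP library's default CA store applies"
    elif [ ! -r "$cacert" ]; then
        echo "WEAK: ldap_tls_cacert=$cacert is missing or unreadable"; rc=1
    else
        echo "ok: ldap_tls_cacert=$cacert is readable"
    fi
    return $rc
}

# Demonstration on a constructed sssd.conf mirroring the report: a CA file is
# configured and the comment-1 workaround (ldap_tls_reqcert = allow) is set.
demo=$(mktemp -d)
: > "$demo/ca.crt"          # constructed, empty placeholder CA file
cat > "$demo/sssd.conf" <<EOF
[domain/example]
ldap_tls_cacert = $demo/ca.crt
ldap_tls_reqcert = allow
EOF
audit_sssd_tls "$demo/sssd.conf"    # one WEAK line, one ok line; returns 1
rm -rf "$demo"
```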