Bug 821962 - sssd: "Could not start TLS encryption"
Status: CLOSED DUPLICATE of bug 821966
Product: Fedora
Classification: Fedora
Component: sssd
Assigned To: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-05-15 17:50 EDT by Andrew McNabb
Modified: 2012-05-15 18:43 EDT
Doc Type: Bug Fix
Last Closed: 2012-05-15 18:43:25 EDT
Type: Bug

Attachments:
sssd.conf (615 bytes, application/octet-stream), 2012-05-15 17:50 EDT, Andrew McNabb

Description Andrew McNabb 2012-05-15 17:50:43 EDT
Created attachment 584794

In Fedora 17, authentication with sssd and ldap isn't quite working right. For example, SSH public keys don't work, and passwords only work sometimes. I think it might be related to an error message:

May 15 15:15:27 testvm sssd[be[LDAP]]: Could not start TLS encryption. TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

On Fedora 16 with the same LDAP server and same configuration files, it works without any problems and without the error message. On Fedora 17, the version is sssd-1.8.3-11.fc17.x86_64. The config file explicitly specifies a ldap_tls_cacert file.

I am attaching the sssd.conf file in case this is helpful. Is there any other information I can provide?
Comment 1 Andrew McNabb 2012-05-15 18:17:42 EDT
By the way, if I set `ldap_tls_reqcert = allow`, then password authentications work every time.
Comment 2 Andrew McNabb 2012-05-15 18:43:25 EDT
Sorry, this is actually a bug in Anaconda, not sssd. Stupid selinux. :(

*** This bug has been marked as a duplicate of bug 821966 ***
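
An added example, not part of the original report or of sssd itself: a small audit of the two TLS settings discussed in this thread, `ldap_tls_cacert` and `ldap_tls_reqcert`, which flags values that relax server certificate verification. The sample configuration is constructed (the attached sssd.conf is not shown on this page), and the `ldap.example.com` URI and the CA path are assumptions.

```python
import configparser
import os

# Relaxed ldap_tls_reqcert values, per sssd-ldap(5); "demand" and "hard"
# (the default) require a valid server certificate.
RELAXED = {
    "never": "server certificate is not requested or checked",
    "allow": "a missing or invalid server certificate is accepted",
    "try": "a missing server certificate is accepted",
}

# Constructed sample, not the sssd.conf attached to the bug.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_tls_cacert = /etc/pki/tls/certs/example-ca.pem
ldap_tls_reqcert = allow
"""


def audit_sssd_tls(conf_text, readable=lambda p: os.access(p, os.R_OK)):
    """Return (section, finding) pairs for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        reqcert = cp[name].get("ldap_tls_reqcert", fallback="hard").strip().lower()
        if reqcert in RELAXED:
            findings.append((name, f"ldap_tls_reqcert = {reqcert}: {RELAXED[reqcert]}"))
        elif reqcert not in ("demand", "hard"):
            findings.append((name, f"ldap_tls_reqcert = {reqcert}: unrecognised value"))
        cacert = cp[name].get("ldap_tls_cacert", fallback="").strip()
        if cacert and not readable(cacert):
            findings.append((name, f"ldap_tls_cacert = {cacert}: missing or unreadable"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_sssd_tls(SAMPLE_CONF):
        print(f"[{section}] {finding}")
```

The readability check reflects the permissions of whoever runs the script; a file that passes it can still be denied to the confined sssd process by SELinux, which shows up as AVC denials in the audit log rather than here.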
