RHEL 6, Active Directory, pam, sssd, TLS and kickstart

I am currently working on building a kickstart profile for a RHEL6 build. All our servers are still running RHEL5 at the moment.

Our RHEL5 servers authenticate to our Active Directory server using pam, nscd and kerberos. However, after just copying our base kickstart profile and changing the settings to use RHEL6, the authentication does not work.

Since it seems that RHEL is moving toward using sssd, we want to build a profile that uses sssd and pam rather than nscd. But I'm having some trouble getting this working. I'm starting out by just building a RHEL6.3 server and then getting the authentication configured. Once that's successful, I'll translate that into a kickstart script and test that.

After much Googling and such, I have not found anything that actuall works. I've found stuff that is close, but nothing that matches what we're doing. Either they're using sssd and pam to authenticate with AD without TLS or they're not using AD or they're not using sssd or they're using winbind or some such thing.

Perhaps someone here can help me figure out what we're doing wrong?

Here is how I have set up the sssd.conf file:

[sssd]
 config_file_version = 2
 services = nss, pam
 domains = LDAP

[nss]
 filter_users = root
 filter_groups = root
 reconnection_retries = 3

[pam]
 reconnection_retries =3
 offline_credentials_expiration = 2
 offline_failed_login_attempts = 3
 offline_failed_login_delay = 5

[domain/LDAP]
 debug_level = 5
 enumerate = true
 cache_credentials = true
 id_provider = ldap
 access_provider = ldap
 auth_provider = krb5
 chpass_provider = krb5
 min_id = 1000

 entry_cache_timeout = 1

 ldap_uri = ldap://server1.domain.com,ldap://server2.domain.com,ldap://server3.domain.com
 ldap_search_base = dc=domain,dc=com
 ldap_user_object_class = user
 ldap_group_object_class = group
 ldap_user_home_directory = unixHomeDirectory
 ldap_id_use_start_tls = true
 ldap-tls_reqcert = demand
 ldap-tls_cacertdir = /etc/openldap/cacerts
 ldap_default_bind_dn = cn=serviceaccount,dc=domain,dc=com
 ldap_default_authtok_type = password
 ldap_default_authtok = accountpassword
 ldap_access_filter = &(objectClass=User)
 krb5_server = domain.com
 krb5_realm = DOMAIN.COM
 krb5_aut_timeout = 15

When starting sssd, I check the sssd_LDAP.log file and I am seeing the following:

(Sun Dec  9 03:28:15 2012) [sssd[be[LDAP]]] [sdap_sys_connect_done] (4): Executing START TLS
(Sun Dec  9 03:28:15 2012) [sssd[be[LDAP]]] [sdap_connect_done] (3): START TLS result: Success(0), (null)
(Sun Dec  9 03:28:15 2012) [sssd[be[LDAP]]] [sdap_process_result] (4): ldap_result gave -1, something bad happend!
(Sun Dec  9 03:28:15 2012) [sssd[be[LDAP]]] [fo_set_port_status] (4): Marking port 389 of server 'server3.domain.com' as 'not working'
(Sun Dec  9 03:28:15 2012) [sssd[be[LDAP]]] [fo_resolve_service_send] (4): Trying to resolve service 'LDAP'
(Sun Dec  9 03:28:15 2012) [sssd[be[LDAP]]] [fo_resolve_service_send] (1): No available servers for service 'LDAP'
(Sun Dec  9 03:28:15 2012) [sssd[be[LDAP]]] [sdap_id_op_connect_done] (1): Failed to connect, going offline (5 [Input/output error])
(Sun Dec  9 03:28:15 2012) [sssd[be[LDAP]]] [be_run_offline_cb] (3): Going offline. Running callbacks.
(Sun Dec  9 03:28:16 2012) [sssd[be[LDAP]]] [remove_krb5_info_files] (5): Could not remove [/var/lib/sss/pubconf/kdcinfo.DOMAIN.COM], [2][No such file or directory]
(Sun Dec  9 03:28:16 2012) [sssd[be[LDAP]]] [remove_krb5_info_files] (5): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.TRTC.COM], [2][No such file or directory]
 

Regarding the last two lines, I had found https://bugzilla.redhat.com/show_bug.cgi?id=621541, but it says that the issue there was fixed in an earlier release of sssd than we what have (we have 1.5.1-66). I'm not sure that's even relevant at the moment or if that is yet another issue that I have to deal with.

Has anyone gotten this to work?