Yes:
# KRB5_TRACE=/dev/stderr ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-MY-NET.socket' -Y GSSAPI -b 'cn=dns,dc=my,dc=net'
SASL/GSSAPI authentication started
[28940] 1544178390.191479: ccselect module real chose cache KEYRING:persistent:0:0 with client principal DNS/ipa3.my.net@MY.NET for server principal ldap/ipa3.my.net@MY.NET
[28940] 1544178390.191480: Getting credentials DNS/ipa3.my.net@MY.NET -> ldap/ipa3.my.net@MY.NET using ccache KEYRING:persistent:0:0
[28940] 1544178390.191481: Retrieving DNS/ipa3.my.net@MY.NET -> ldap/ipa3.my.net@MY.NET from KEYRING:persistent:0:0 with result: 0/Success
[28940] 1544178390.191479: Creating authenticator for DNS/ipa3.my.net@MY.NET -> ldap/ipa3.my.net@MY.NET, segnum 57129937, subkey aes256-cts/D4C9, session key aes256-cts/0CA2
ldap_sasl_interactive_bind_s: Invalid credentials (49)
#
On 12/06/2018 03:20 PM, Robbie Harwood wrote:
Bret Wortman via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> So I started working through the guide below and most of the steps just
> worked. No errors, which was odd. For example:
>
> # kinit -kt /etc/named.keytab DNS/ipa3.my.net
> # klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: DNS/ipa3.my.net@MY.NET
>
> Valid starting
>
> 12/06/2018 14:51:08 12/07/2018 14:51:08 krbtgt/MY.NET@MY.NET
> # ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-MY-NET.socket' -Y GSSAPI
> -b 'cn=dns,dc=my,dc=net'
>
> SASL/GSSAPI authentication started
>
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>
> That's the first such error I received as I worked my way down the page,
> but there's no real guidance there as to what to do when this fails. The
> text assumes it'll work, but the previous steps didn't turn up anything
> wrong...
>
> I've been completely unable to turn on any sort of Kerberos logging
> despite attempting both approaches in the guide.
Can you retry the ldapsearch command with KRB5_TRACE=/dev/stderr and
show the output?
Thanks,
--Robbie
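To read a trace like the one at the top of this mail, here is an added helper (my own example, not code from the thread or from FreeIPA): it parses KRB5_TRACE lines and reports whether the client finished its Kerberos steps, so a bind rejection can be placed on the client or on the server side. The sample is the thread's own trace, re-joined onto single lines with the archive's "(a)" restored to "@".

```python
import re

# Constructed sample: the KRB5_TRACE lines from the ldapsearch run in this thread.
SAMPLE_TRACE = """\
[28940] 1544178390.191479: ccselect module real chose cache KEYRING:persistent:0:0 with client principal DNS/ipa3.my.net@MY.NET for server principal ldap/ipa3.my.net@MY.NET
[28940] 1544178390.191480: Getting credentials DNS/ipa3.my.net@MY.NET -> ldap/ipa3.my.net@MY.NET using ccache KEYRING:persistent:0:0
[28940] 1544178390.191481: Retrieving DNS/ipa3.my.net@MY.NET -> ldap/ipa3.my.net@MY.NET from KEYRING:persistent:0:0 with result: 0/Success
[28940] 1544178390.191479: Creating authenticator for DNS/ipa3.my.net@MY.NET -> ldap/ipa3.my.net@MY.NET, segnum 57129937, subkey aes256-cts/D4C9, session key aes256-cts/0CA2
"""

LINE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) -> (?P<server>[^\s,]+@[^\s,]+)")
RESULT_RE = re.compile(r"with result: (?P<code>-?\d+)/(?P<text>.+)$")
CACHE_RE = re.compile(r"chose cache (?P<ccache>\S+) with")

def summarize_client(trace):
    """Collect what the Kerberos client side did, from KRB5_TRACE output."""
    s = {"ccache": None, "client": None, "server": None,
         "ticket_fetched": False, "authenticator_built": False, "errors": []}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a trace line (e.g. ldapsearch output)
        msg = m["msg"]
        if (c := CACHE_RE.search(msg)) and s["ccache"] is None:
            s["ccache"] = c["ccache"]
        if (p := PRINC_RE.search(msg)) and s["client"] is None:
            s["client"], s["server"] = p["client"], p["server"]
        if r := RESULT_RE.search(msg):    # ticket lookup result; 0 means it was found
            if r["code"] == "0":
                s["ticket_fetched"] = True
            else:
                s["errors"].append(r["code"] + "/" + r["text"])
        if msg.startswith("Creating authenticator"):
            s["authenticator_built"] = True   # AP-REQ built and sent in the SASL token
    return s

def locate_failure(trace, bind_error):
    """Return (side, reason): which side of a failed GSSAPI bind stopped first."""
    s = summarize_client(trace)
    if s["errors"]:
        return "client", "Kerberos library error: " + "; ".join(s["errors"])
    if not s["ticket_fetched"]:
        return "client", "no ticket for %s in %s" % (s["server"], s["ccache"])
    if not s["authenticator_built"]:
        return "client", "ticket obtained but no authenticator was built"
    return "server", ("%s got a ticket for %s and sent its authenticator; the server "
                      "replied %r, so check its logs" % (s["client"], s["server"], bind_error))
```

Run `locate_failure(SAMPLE_TRACE, "Invalid credentials (49)")` on the thread's trace and it reports the server side, because the client had a valid service ticket and built its authenticator before the bind was rejected.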