Bret Wortman via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
writes:
> So I started working through the guide below and most of the steps just
> worked. No errors, which was odd. For example:
>
> # kinit -kt /etc/named.keytab DNS/ipa3.my.net
> # klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: DNS/ipa3.my.net@MY.NET
> Valid starting
> 12/06/2018 14:51:08 12/07/2018 14:51:08 krbtgt/MY.NET@MY.NET
> # ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-MY-NET.socket' -Y GSSAPI -b 'cn=dns,dc=my,dc=net'
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>
> That's the first such error I received as I worked my way down the page,
> but there's no real guidance there as to what to do when this fails. The
> text assumes it'll work, but the previous steps didn't turn up anything
> wrong...
>
> I've been completely unable to turn on any sort of Kerberos logging
> despite attempting both approaches in the guide.

Can you retry the ldapsearch command with KRB5_TRACE=/dev/stderr and
show the output?
Thanks,
--Robbie