On Wed, Oct 26, 2011 at 03:34:25PM +1000, GOLLSCHEWSKY, Tim wrote:
Hi Marko,
> you can of course check the keytab owner/permissions/context and the
> contents of /etc/krb5.conf but more importantly you should make sure
> manually that the keytab can be used to communicate with the server:
>
> # klist -ke /etc/krb5.keytab
> # kinit -k -t /etc/krb5.keytab 'host/myhost.xxx.xxx.xxx@XXX.XXX.XXX'
> # ldapsearch -Y GSSAPI -H ldap://myadserver.xxx.xxx.xxx/ -b
> "ou=Accounts,dc=xxx,dc=xxx,dc=xxx" -N
> "(&(objectClass=user)(sAMAccountName=someuser))"
>
> If kinit fails try other possibly existing keys in the keytab. If none
> of them work you'll need to get a valid keytab. If the above steps work
> then it sounds more like an SSSD issue.
The klist and kinit commands work successfully.
The ldapsearch gives me this error though:
[root@jbsrd999586 /]# ldapsearch -Y GSSAPI -H ldap://myadserver.xxx.xxx.xxx/ -b
"ou=Accounts,dc=xxx,dc=xxx,dc=xxx" -N
"(&(objectClass=user)(sAMAccountName=u999888))"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Unknown error)
However, if I remove the '-N' the ldap query works as you would expect.
So what I did was change my sssd.conf to point to one of the AD servers directly instead
of the round-robin DNS name (we have a large network, many AD servers to spread the
load...) and that has fixed the "ldap_sasl_bind failed (-2)[Local error]"
error.
"myldapserver" works like this:
[root@jbsrd999586 /]# nslookup myadserver
Server: 10.70.13.134
Address: 10.70.13.134#53
Name: myadserver.xxx.xxx.xxx
Address: 1.1.1.1
Name: myadserver.xxx.xxx.xxx
Address: 2.2.2.2
Name: myadserver.xxx.xxx.xxx
Address: 3.3.3.3
Name: myadserver.xxx.xxx.xxx
Address: 4.4.4.4
Name: myadserver.xxx.xxx.xxx
Address: 5.5.5.5
Name: myadserver.xxx.xxx.xxx
Address: 6.6.6.6
Name: myadserver.xxx.xxx.xxx
Address: 7.7.7.7
Name: myadserver.xxx.xxx.xxx
Address: 8.8.8.8
Note that using this round-robin DNS name "myadserver" works with the RHEL6
"stock" sssd we are running (sssd-1.5.1-34.el6_1.3.x86_64).
So this has been introduced somewhere between that version and v1.5.14.
BTW I tried setting "ldap_sasl_canonicalize" to both true and false. It
didn't make any difference.
Can I no longer use a round-robin DNS name for my ldap server?
Best regards,
Tim Gollschewsky.
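A small diagnostic script for the situation Tim describes, added here as an example and not taken from the thread or from SSSD: it pulls the A records out of nslookup output of the form shown above, reverse-maps each address, and tries a non-canonicalizing (-N) GSSAPI bind against each DC by its own name, so the members of the round-robin set are checked one at a time. It assumes the openldap client tools and getent are installed and that a host TGT was already obtained with kinit -k as Marko suggested; ALIAS and BASE are the placeholder names from the thread.

```shell
#!/bin/sh
# Added diagnostic; assumes ldapsearch and getent are present and a host TGT
# already exists. ALIAS and BASE are the placeholder names used in the thread.
ALIAS="myadserver.xxx.xxx.xxx"
BASE="ou=Accounts,dc=xxx,dc=xxx,dc=xxx"

# Constructed sample of the nslookup output shown in the thread (offline input).
sample_nslookup() {
    printf '%s\n' 'Server: 10.70.13.134' 'Address: 10.70.13.134#53' \
        "Name: $ALIAS" 'Address: 1.1.1.1' "Name: $ALIAS" 'Address: 2.2.2.2'
}

# Pull the A records (not the resolver's own address) out of nslookup output.
rr_addresses() {
    awk '/^Name:/ {want=1; next} want && /^Address:/ {print $2; want=0}'
}

# Service principal the client asks the KDC for; this is what -N changes:
# without canonicalization it is ldap/<host exactly as given in the URI>,
# with it the resolved address is reverse-mapped and ldap/<PTR name> is used.
expected_spn() {  # $1 = URI host, $2 = PTR name of its address, $3 = yes|no
    if [ "$3" = "no" ]; then printf 'ldap/%s\n' "$1"; else printf 'ldap/%s\n' "$2"; fi
}

# Bind with -N to one DC under its PTR name and report the result.
check_dc() {  # $1 = IPv4 address taken from the alias
    name=$(getent hosts "$1" | awk '{print $2; exit}')
    if [ -z "$name" ]; then
        echo "FAIL $1: no PTR record, so canonicalization cannot work for this DC"; return 1
    fi
    if ldapsearch -Y GSSAPI -N -H "ldap://$name/" -b "$BASE" -s base 1.1 >/dev/null 2>&1; then
        echo "OK   $1 $name (bound as $(expected_spn "$name" "$name" no))"
    else
        echo "FAIL $1 $name: GSSAPI bind with -N refused"; return 1
    fi
}

# The live check runs only when asked for, so the functions can be sourced.
if [ "${RUN_CHECK:-0}" = 1 ]; then
    echo "With -N against the alias the client requests $(expected_spn "$ALIAS" "" no);"
    echo "a ticket for that name exists only if the SPN is registered in AD."
    for ip in $(getent ahosts "$ALIAS" | awk '$2=="STREAM"{print $1}' | sort -u); do
        check_dc "$ip"
    done
fi
```

Run it as RUN_CHECK=1 sh check_dcs.sh (file name assumed) after a successful kinit; a DC listed as FAIL with a working PTR record is the one to examine for its registered SPNs.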
Tim, what openldap and glibc versions are you running? I think getting the
"don't canonicalize" scenario to work involved fixes to several components
including glibc and openldap.
Does merely swapping the sssd version with the same openldap and glibc
versions help?