> > This is unrelated, I think. Can you check if your CentOS
> > machine's DNS record is resolvable in both directions, iow if A and PTR records
> > match?
> >
> > Can you acquire a ticket with kinit and search the AD directory with ldapsearch
> > -Y GSSAPI ?
>
> Tickets seem fine:
> # kinit myuser@A.FOO.COM
> Password for myuser@A.FOO.COM:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: myuser@A.FOO.COM
>
> Valid starting       Expires              Service principal
> 06/24/15 20:52:34    06/25/15 06:52:39    krbtgt/A.FOO.COM@A.FOO.COM
>         renew until 07/01/15 20:52:34
I'm sorry, I wasn't specific enough. I wanted you to test the same identity SSSD
uses, which is the machine account from the keytab (klist -k would show you the
principals)
Oh, ok. How would I do that, though? The machine account doesn't have a known
password, right? kinit 'MACHINE$@AD.EXAMPLE.COM' prompts for it. Nevertheless, I
already had a ticket, according to klist -k.
But I think even with the user principal, you found the issue.
>
> Ldapsearch does not look good:
> # ldapsearch -h foo-ad02.a.foo.com -Y GSSAPI -b OU=...
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information
> (Cannot determine realm for numeric host address)
>
> And this I guess comes back to the DNS records? Because in ad.example.com, both A
> and PTR look good, but if I lookup from foo-ad02.a.foo.com, I can only resolve the A
> record. It looks like that domain only has conditional forwarders for the forward zone,
> not reverse.
OK, then I think this is the issue. btw, does it help to add -N to the ldapsearch options to
tell libldap to not canonicalize the hostnames?
Yes, -N allowed me to query the other domain, when I used the myuser-ticket. Removing
that, however, I get the same error as before. I'm not familiar with ldapsearch, but I
tried using -U 'MACHINE$@AD.EXAMPLE.COM' to make it use the machine ticket, but
that didn't seem to work.
Would it help if you add a record to /etc/hosts?
My hosts-file contains only this row:
127.0.0.1   machine.ad.example.com machine localhost
Should that be enough, or do you mean some other row?
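The A/PTR consistency check requested at the top of this thread, as an added example that is not part of the thread itself: for each address a hostname resolves to, it looks up the PTR record and reports whether it points back at the same name (a missing PTR is what makes a canonicalizing client fall back to the bare IP, hence "Cannot determine realm for numeric host address"). The resolver callables are injectable; the default ones use the system resolver, and the demo runs against constructed lookup tables with made-up names and documentation-range addresses.

```python
import socket


def forward_lookup(host: str) -> list:
    """A/AAAA records for host via the system resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def reverse_lookup(ip: str) -> str:
    """PTR name for ip via the system resolver (raises OSError if none)."""
    return socket.gethostbyaddr(ip)[0]


def _norm(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is the same name.
    return name.rstrip(".").lower()


def check_a_ptr(host: str, forward=forward_lookup, reverse=reverse_lookup) -> dict:
    """Map each address of host to 'ok', 'no-ptr' or 'mismatch:<ptr name>'."""
    results = {}
    for ip in forward(host):
        try:
            ptr = reverse(ip)
        except OSError:
            results[ip] = "no-ptr"  # reverse zone missing or not forwarded
            continue
        results[ip] = "ok" if _norm(ptr) == _norm(host) else f"mismatch:{ptr}"
    return results


# Constructed sample data (hypothetical names, RFC 5737 addresses), standing in
# for DNS: the first host has a matching PTR, the second has none.
FAKE_A = {
    "machine.ad.example.com": ["198.51.100.5"],
    "foo-ad02.a.foo.com": ["192.0.2.10"],
}
FAKE_PTR = {"198.51.100.5": "Machine.AD.Example.COM."}


def fake_forward(host: str) -> list:
    return FAKE_A[host]


def fake_reverse(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise OSError(f"no PTR for {ip}")
    return FAKE_PTR[ip]


def demo() -> dict:
    """Run the check over the constructed tables instead of real DNS."""
    return {h: check_a_ptr(h, fake_forward, fake_reverse) for h in FAKE_A}


if __name__ == "__main__":
    for host, res in demo().items():
        print(host, res)
```

Run it with the defaults (`check_a_ptr("your.host.example")`) to test the real resolver the machine uses; every address should come back "ok" before relying on GSSAPI binds without -N.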