On (15/06/17 10:48), Jakub Hrozek wrote:
> On Thu, Jun 15, 2017 at 08:35:59AM -0000, Rishat Teregulov wrote:
> > All logs too big
> >
> > https://contattafiles.s3-us-west-1.amazonaws.com/tnt3511/wqtpj4q4fAwIX3p/...
>
> I see:
>
> (Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [ad_sasl_log]
> (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may
> provide more information (Server not found in Kerberos database)
> (Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]]
> [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
> (Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]]
> [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic
> failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide
> more information (Server not found in Kerberos database)]
> (Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]]
> [child_sig_handler] (0x1000): Waiting for child [18783].
> (Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]]
> [child_sig_handler] (0x0100): child [18783] finished successfully.
> (Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]]
> [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING.
> Called from: ../src/providers/ldap/sdap_async_connection.c:
> sdap_cli_connect_recv: 2039
>
> On older distributions, it used to help to set rdns=false in krb5.conf
> and SASL_NOCANON on in ldap.conf. But it might be helpful to run kinit
> -kt && ldapsearch -Y GSSAPI with KRB5_TRACE=/dev/stderr to check for
> more diagnostic messages.
> I am not sure whether it is possible with newer versions.
Maybe the simplest way for Rishat would be to disable SASL (ldap_sasl_mech).
But I am not sure whether it is possible with the AD provider.
It should be possible with id_provider ldap + auth_provider krb5.
LS
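An added example, not part of the thread and not sssd's own tooling: a small POSIX sh script that checks whether the two workarounds mentioned above (rdns = false under [libdefaults] in krb5.conf, SASL_NOCANON on in ldap.conf) are actually in place, counts the "Server not found in Kerberos database" signature in an sssd domain log, and lists which backend marked a server PORT_NOT_WORKING. The gssapi_bind_trace function wraps the kinit -kt && ldapsearch -Y GSSAPI reproduction with KRB5_TRACE; its principal, LDAP URI and search base arguments are placeholders, and /etc/krb5.keytab is assumed. All sample file contents written by write_samples are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): verify the rdns/SASL_NOCANON
# workarounds and spot the GSSAPI bind failure in an sssd domain log.
# Sample files and paths below are constructed, not taken from a real host.

# Exit 0 if [libdefaults] in the given krb5.conf sets rdns to false/0/no.
krb5_rdns_disabled() {
    awk '
        /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect) }
        sect == "[libdefaults]" {
            kv = $0; gsub(/[ \t]/, "", kv)
            if (kv ~ /^rdns=(false|0|no)$/) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Exit 0 if the given ldap.conf has an uncommented "SASL_NOCANON on".
ldap_sasl_nocanon_on() {
    awk 'toupper($1) == "SASL_NOCANON" && tolower($2) == "on" { found = 1 }
         END { if (found) exit 0; exit 1 }' "$1"
}

# Print how many log lines carry the GSSAPI failure seen in the thread.
count_server_not_found() {
    grep -c 'Server not found in Kerberos database' "$1" || true
}

# Print the sssd backend(s) that marked a server PORT_NOT_WORKING.
backends_with_port_down() {
    grep 'PORT_NOT_WORKING' "$1" \
        | sed -n 's/.*\[sssd\[be\[\([^]]*\)\]\]\].*/\1/p' | sort -u
}

# Reproduce the bind outside sssd with Kerberos tracing, as the thread
# suggests. $1 = host principal from the keytab, $2 = LDAP URI of the DC,
# $3 = search base. Placeholders; not run by the demo below.
gssapi_bind_trace() {
    KRB5_TRACE=/dev/stderr kinit -kt /etc/krb5.keytab "$1" &&
        KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H "$2" -b "$3" -s base
}

# Write constructed sample files into the directory given as $1.
write_samples() {
    dir=$1
    cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = AD.DOMAIN.EXAMPLE
    rdns = false
[realms]
    AD.DOMAIN.EXAMPLE = {
        kdc = dc1.ad.domain.example
    }
EOF
    printf 'BASE dc=ad,dc=domain,dc=example\nSASL_NOCANON on\n' > "$dir/ldap.conf"
    printf 'BASE dc=ad,dc=domain,dc=example\n#SASL_NOCANON on\n' > "$dir/ldap-default.conf"
    cat > "$dir/sssd_AD.DOMAIN.EXAMPLE.log" <<'EOF'
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING.
EOF
}

# Demo run on the constructed samples.
demo=$(mktemp -d)
write_samples "$demo"
if krb5_rdns_disabled "$demo/krb5.conf"; then
    echo "krb5.conf: rdns is disabled"
else
    echo "krb5.conf: rdns still enabled (the default)"
fi
for f in ldap.conf ldap-default.conf; do
    if ldap_sasl_nocanon_on "$demo/$f"; then
        echo "$f: SASL_NOCANON on"
    else
        echo "$f: SASL_NOCANON not set"
    fi
done
echo "GSSAPI 'Server not found' lines: $(count_server_not_found "$demo/sssd_AD.DOMAIN.EXAMPLE.log")"
echo "backends with a server marked down: $(backends_with_port_down "$demo/sssd_AD.DOMAIN.EXAMPLE.log")"
rm -rf "$demo"
```

On a real host you would point the check functions at /etc/krb5.conf, /etc/openldap/ldap.conf (or /etc/ldap/ldap.conf) and /var/log/sssd/sssd_<domain>.log, and run gssapi_bind_trace only once those settings are confirmed, so that the KRB5_TRACE output reflects the same canonicalisation behaviour sssd will see.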