The GSSAPI attempts from the Mac side are only attempted when a binddn
(security -> "use authentication when connecting") account is provided.
Otherwise I suspect it's unable to even work out what type of GSSAPI
transaction to attempt.

On 19 September 2017 at 15:19, David Harvey <>

> Some edits and expansion on my previous attempt to post...
> FreeIPA 4.4.3
> Mac OSX 10.12
> Thanks for all the hard work on this, I've been enjoying an almost
> functional setup for the last week but have been tearing my hair out with
> making GSSAPI behave.
> What I have found so far using the config instructions - may be error
> prone now given the number of combinations tried!
> Anonymous bind enabled on freeipa: Works if you also specify a real user
> in the Directory Utility auth section
> RootDSE only enabled on freeipa: Works if you also specify a real user
> in the Directory Utility auth section (not a service account)
> No anonymous binds: Will not play at all.
> Now the thing that is really throwing me is that GSSAPI ldapsearch works
> just fine from the command line (using -Y GSSAPI) but Directory Utility
> seems unable to use these credentials.
> I'm totally unsure if this is an OS limitation (as the login screen
> wouldn't have any creds until a user has typed them) or if I've managed to
> screw something up.
> From browsing my LDAP access logs it looks like only conventional binds
> are attempted regardless. On the Mac side it did, until recently, still
> mention GSSAPI attempts (when anonymous LDAP is disabled), although these
> couldn't be found in the LDAP log. It feels like the Mac client is unable
> to work out how to present the krb credential due to a mapping issue or DNS
> discovery issue (both my IPA servers have RDNS entries).
> Other notable log entries on the Mac side are "failed to retrieve
> password for credential" and "failed to retrieve server schema". These
> both occur under the rootdse only LDAP config.
> I'd like to be in a position where I can either have a very reduced access
> LDAP user enabled on all Mac clients, or that they can harness the host or
> user keytab in order to require no special LDAP credentials of their own.
> Most of all I suppose I want to know what should work, or be workable!
> Hope this makes sense, and thanks in advance,
> David
> p.s. I'm still not sure if I've managed to join this list, so subject to
> moderation, and I might require an explicit reply in order to get
> responses!
FreeIPA-users mailing list --