Bret Wortman via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> So I started working through the guide below and most of the steps just
> worked. No errors, which was odd. For example:
>
> # kinit -kt /etc/named.keytab DNS/ipa3.my.net
> # klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: DNS/ipa3.my....@my.net
>
> Valid starting
>
> 12/06/2018 14:51:08 12/07/2018 14:51:08 krbtgt/my....@my.net
> # ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-MY-NET.socket' -Y GSSAPI
> -b 'cn=dns,dc=my,dc=net'
>
> SASL/GSSAPI authentication started
>
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>
> That's the first such error I received as I worked my way down the page,
> but there's no real guidance there as to what to do when this fails. The
> text assumes it'll work, but the previous steps didn't turn up anything
> wrong...
>
> I've been completely unable to turn on any sort of Kerberos logging
> despite attempting both approaches in the guide.

Can you retry the ldapsearch command with KRB5_TRACE=/dev/stderr and
show the output?

Thanks,
--Robbie