Bret Wortman via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:

> So I started working through the guide below and most of the steps just 
> worked. No errors, which was odd. For example:
>
> # kinit -kt /etc/named.keytab DNS/ipa3.my.net
> # klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: DNS/ipa3.my....@my.net
>
> Valid starting
>
> 12/06/2018 14:51:08  12/07/2018 14:51:08  krbtgt/my....@my.net
> # ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-MY-NET.socket' -Y GSSAPI 
> -b 'cn=dns,dc=my,dc=net'
>
> SASL/GSSAPI authentication started
>
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>
> That's the first such error I received as I worked my way down the page, 
> but there's no real guidance there as to what to do when this fails. The 
> text assumes it'll work, but the previous steps didn't turn up anything 
> wrong...
>
> I've been completely unable to turn on any sort of Kerberos logging 
> despite attempting both approaches in the guide.

Can you retry the ldapsearch command with KRB5_TRACE=/dev/stderr and
show the output?

Thanks,
--Robbie
