Yes:

# KRB5_TRACE=/dev/stderr ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-MY-NET.socket' -Y GSSAPI -b 'cn=dns,dc=my,dc=net'
SASL/GSSAPI authentication started
[28940] 1544178390.191479: ccselect module real chose cache KEYRING:persistent:0:0 with client principal DNS/ipa3.my....@my.net for server principal ldap/ipa3.my....@my.net
[28940] 1544178390.191480: Getting credentials DNS/ipa3.my....@my.net -> ldap/ipa3.my....@my.net using ccache KEYRING:persistent:0:0
[28940] 1544178390.191481: Retrieving DNS/ipa3.my....@my.net -> ldap/ipa3.my....@my.net from KEYRING:persistent:0:0 with result: 0/Success
[28940] 1544178390.191479: Creating authenticator for DNS/ipa3.my....@my.net -> ldap/ipa3.my....@my.net, segnum 57129937, subkey aes256-cts/D4C9, session key aes256-cts/0CA2
ldap_sasl_interactive_bind_s: Invalid credentials (49)
#


On 12/06/2018 03:20 PM, Robbie Harwood wrote:
Bret Wortman via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:

So I started working through the guide below and most of the steps just
worked. No errors, which was odd. For example:

# kinit -kt /etc/named.keytab DNS/ipa3.my.net
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: DNS/ipa3.my....@my.net

Valid starting

12/06/2018 14:51:08  12/07/2018 14:51:08  krbtgt/my....@my.net
# ldapsearch -H 'ldapi://%2fvar%2frun%2fslapd-MY-NET.socket' -Y GSSAPI -b 'cn=dns,dc=my,dc=net'

SASL/GSSAPI authentication started

ldap_sasl_interactive_bind_s: Invalid credentials (49)

That's the first such error I received as I worked my way down the page,
but there's no real guidance there as to what to do when this fails. The
text assumes it'll work, but the previous steps didn't turn up anything
wrong...

I've been completely unable to turn on any sort of Kerberos logging
despite attempting both approaches in the guide.

Can you retry the ldapsearch command with KRB5_TRACE=/dev/stderr and
show the output?

Thanks,
--Robbie
