-Y GSSAPI fixed the ldap query. Thanks. I figured out the problem with the ipa-getkeytab. In short, it was PEBKAC. Thanks for the help.
On Thu, Nov 20, 2014 at 4:07 AM, Sumit Bose <sb...@redhat.com> wrote:

> On Wed, Nov 19, 2014 at 09:55:51PM -0500, Richard Betel wrote:
> > I suddenly started getting errors when I try to use ipa-getkeytab:
> >
> > [root@ipa1 kerberize]# ipa-getkeytab -s jn01 -p hdfs/jn01 -k jn01.hdfs.keytab
> > SASL Bind failed Can't contact LDAP server (-1) !
>
> Please try to use the fully qualified name of the server.
>
> >
> > ldap seems to be answering on the non-SASL port (i.e.: ldapsearch -x -h
> > localhost CN=richard works fine) but if I don't use the -x, I get:
> > ldapsearch -h localhost CN=richard
> > SASL/EXTERNAL authentication started
> > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> > additional info: SASL(-4): no mechanism available:
>
> As Alexander educated me, this is expected because SASL/EXTERNAL is only
> used for the ldapi connection scheme. Please try to use the fully
> qualified server name and '-Y GSSAPI' with ldapsearch.
>
> HTH
>
> bye,
> Sumit
>
> >
> > I'm kinda at a loss for how to debug this. I'm not really finding any
> > errors in the dirsrv logs, just a warning that my DB is bigger than the
> > cache. I'd appreciate some ideas on where to look.
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go To http://freeipa.org for more info on the project