-Y GSSAPI fixed the ldap query. Thanks.
I figured out the problem with the ipa-getkeytab. In short, it was PEBKAC.
Thanks for the help.
On Thu, Nov 20, 2014 at 4:07 AM, Sumit Bose <sb...@redhat.com> wrote:
> On Wed, Nov 19, 2014 at 09:55:51PM -0500, Richard Betel wrote:
> > I suddenly started getting errors when I try to use ipa-getkeytab:
> > [root@ipa1 kerberize]# ipa-getkeytab -s jn01 -p hdfs/jn01 -k
> > jn01.hdfs.keytab
> > SASL Bind failed Can't contact LDAP server (-1) !
> Please try to use the fully qualified name of the server.
> > ldap seems to be answering on the non-SASL port (ei: ldapsearch -x -h
> > localhost CN=richard works fine) but if I don't use the -x, I get:
> > ldapsearch -h localhost CN=richard
> > SASL/EXTERNAL authentication started
> > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> > additional info: SASL(-4): no mechanism available:
> As Alexander educated me, this is expected because SASL/EXTERNAL is only
> used for the ldapi connection scheme. Please try to use the fully
> qualified server name and '-Y GSSAPI' with ldapsearch.
> > I'm kinda at a loss for how to debug this. I'm not really finding any
> > errors in the dirsrv logs, just a warning that my DB is bigger than the
> > cache. I'd appreciate some ideas on where to look.
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go To http://freeipa.org for more info on the project
> Manage your subscription for the Freeipa-users mailing list:
> Go To http://freeipa.org for more info on the project
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project