On 08/15/2016 08:05 PM, Rob Crittenden wrote:
> David Kowis wrote:
>> On 08/15/2016 04:33 AM, Petr Spacek wrote:
>>> This is weird as LDAP SASL & GSSAPI is pretty standard thing.
>>> In any case, you can check server logs or use tcpdump/wireshark and see if the
>>> error comes from LDAP server or if it is client side error.
>>> That would tell us where to focus.
>> Welp, I've got a pile of logs for you:
>> https://gist.github.com/dkowis/a82d4ec6b1823d9e1b95ffcc94666ae0
>> The last few lines are probably the relevant ones.
>> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
>> [15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97 nentries=0 etime=0
>> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND
>> [15/Aug/2016:18:12:54 -0500] conn=1307 op=1 fd=68 closed - U1
>> Something tries to bind with no dn, and then fails.... I think?
> No this is typical logging for GSSAPI (minus the error).
> The error code is LDAP_AUTH_METHOD_NOT_SUPPORTED. Do you have the cyrus
> SASL GSSAPI package installed? In Fedora the package is cyrus-sasl-gssapi.
> rob

Searched for gssapi:

libsasl2-modules-gssapi-mit/xenial,now 2.1.26.dfsg1-14build1 i386
  Cyrus SASL - pluggable authentication modules (GSSAPI)

Pretty sure that's the equivalent package on Ubuntu.

# dpkg -L libsasl2-modules-gssapi-mit

python-gssapi is also installed.

David Kowis

PS: Sorry Rob for sending it directly, I derped in the mail client
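
The BIND/RESULT pairing discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages or of FreeIPA/389-ds: it pairs each BIND in a directory server access log with its RESULT by connection and operation number and reports failed binds. The function name `failed_binds` is hypothetical, the sample input is the four log lines quoted above (one entry per line), and the result-code names are a subset taken from RFC 4511.

```python
import re

# The access-log entries quoted in the thread, one entry per line.
SAMPLE_LOG = """\
[15/Aug/2016:18:12:53 -0500] conn=1307 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[15/Aug/2016:18:12:53 -0500] conn=1307 op=0 RESULT err=7 tag=97 nentries=0 etime=0
[15/Aug/2016:18:12:54 -0500] conn=1307 op=1 UNBIND
[15/Aug/2016:18:12:54 -0500] conn=1307 op=1 fd=68 closed - U1
"""

# Subset of LDAP result codes (RFC 4511) that matter when triaging binds.
RESULT_NAMES = {0: "success", 7: "authMethodNotSupported",
                14: "saslBindInProgress", 49: "invalidCredentials"}

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def failed_binds(log_text):
    """Pair each BIND with its RESULT by (conn, op) and return the failures."""
    binds, failures = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log entry
        key = (int(m["conn"]), int(m["op"]))
        rest = m["rest"]
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        if rest.startswith("BIND "):
            binds[key] = dict(fields, ts=m["ts"])
        elif rest.startswith("RESULT ") and key in binds:
            bind = binds.pop(key)
            err = int(fields["err"])
            # err=14 is an intermediate round of a multi-step SASL bind,
            # not a failure; an empty dn is normal for SASL binds.
            if err not in (0, 14):
                failures.append({
                    "ts": bind["ts"], "conn": key[0], "op": key[1],
                    "dn": bind.get("dn", ""), "method": bind.get("method"),
                    "mech": bind.get("mech"), "err": err,
                    "name": RESULT_NAMES.get(err, "unknown"),
                })
    return failures


if __name__ == "__main__":
    for f in failed_binds(SAMPLE_LOG):
        print(f)
```

A SASL bind that ends in `err=7` with a named `mech` means the mechanism was refused, which is a different condition from `err=49` (bad credentials).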
