Hi, Sumit

I have checked, and did not find anything more:

error logs from /var/log/dirsrv/slapd-EXAMPLE-NET/access: 
.......
[10/Nov/2016:10:46:58 +0000] conn=816560 fd=189 slot=189 connection from 
10.2.3.32 to 10.2.1.250
[10/Nov/2016:10:46:58 +0000] conn=816560 op=0 BIND dn="" method=sasl version=3 
mech=GSSAPI
[10/Nov/2016:10:46:58 +0000] conn=816560 op=0 RESULT err=14 tag=97 nentries=0 
etime=0, SASL bind in progress
[10/Nov/2016:10:46:58 +0000] conn=816560 op=-1 fd=189 closed - B1

.......

Matrix


------------------ Original ------------------
From:  "Sumit Bose";<sb...@redhat.com>;
Date:  Thu, Nov 10, 2016 07:13 PM
To:  "Matrix"<matrix...@qq.com>; 
Cc:  "Sumit Bose"<sb...@redhat.com>; "freeipa-users"<freeipa-users@redhat.com>; 
Subject:  Re: [Freeipa-users] sssd failed with 
'ldap_sasl_bindfailed(-2)[Localerror]'



On Thu, Nov 10, 2016 at 06:48:54PM +0800, Matrix wrote:
> Hi, Sumit
> 
> Thanks for your reply
> 
> I have tried. still failed

Do you see any related messages on the LDAP server side?

bye,
Sumit

> 
> # cat /etc/openldap/ldap.conf  | grep -v ^#
> 
> URI ldap://ipaslave.stg.example.net
> BASE dc=example,dc=net
> TLS_CACERT /etc/ipa/ca.crt
> SASL_MECH GSSAPI
> TLS_REQCERT allow
> SASL_NOCANON on
> 
> 
> # cat /etc/krb5.conf| grep rdns
>   rdns = false
> 
> Matrix
> 
> ------------------ Original ------------------
> From:  "Sumit Bose";<sb...@redhat.com>;
> Date:  Thu, Nov 10, 2016 06:32 PM
> To:  "freeipa-users"<freeipa-users@redhat.com>; 
> 
> Subject:  Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind 
> failed(-2)[Localerror]'
> 
> 
> 
> On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> > debug steps have been tried: 
> > 
> > 1 kinit is workable: 
> > # /usr/kerberos/bin/kinit -k host/client02.stg.example....@example.net
> > 
> > # /usr/kerberos/bin/klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: host/client02.stg.example....@example.net
> > 
> > Valid starting     Expires            Service principal
> > 11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/example....@example.net
> > 
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> > 
> > 2 ldapwhoami with krb auth failed. 
> > 
> > # ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Local error (-2)
> >         additional info: SASL(-1): generic failure: GSSAPI Error: 
> > Unspecified GSS failure.  Minor code may provide more information (Mutual 
> > authentication failed)
> > 
> 
> Have you made sure that canonicalizing is disabled, i.e.
> /etc/krb5.conf: 
> [libdefaults]
>  ...
>  rdns = false
>  ...
> 
> /etc/openldap/ldap.conf
> ...
> SASL_NOCANON    on
> ...
> 
> HTH
> 
> bye,
> Sumit
> 
> > 
> > Matrix
> > 
> > ------------------ Original ------------------
> > From:  "Matrix";<matrix...@qq.com>;
> > Date:  Thu, Nov 10, 2016 02:11 PM
> > To:  "freeipa-users"<freeipa-users@redhat.com>; 
> > 
> > Subject:  [Freeipa-users] sssd failed with 'ldap_sasl_bind failed 
> > (-2)[Localerror]'
> > 
> > 
> > 
> > Hi, 
> > 
> > I have installed sssd in a RHEL5 client. 
> > 
> > ipa-client/sssd version:
> > ipa-client-2.1.3-7.el5
> > sssd-client-1.5.1-71.el5
> > sssd-1.5.1-71.el5
> > 
> > sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local 
> > error]'. 
> > 
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] 
> > (4): Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] 
> > (1): ldap_sasl_bind failed (-2)[Local error]
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] 
> > (7): Waiting for child [11117].
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] 
> > (4): child [11117] finished successfully.
> > 
> > I have tried to google to find root cause. some link explained it should be 
> > something wrong with dns. I have double confirmed it. 
> > 
> > # nslookup client02.stg.example.net
> > Server:         10.2.1.21
> > Address:        10.2.1.21#53
> > 
> > Name:   client02.stg.example.net
> > Address: 10.2.3.32
> > 
> > 
> > # nslookup 10.2.3.32
> > Server:         10.2.1.21
> > Address:        10.2.1.21#53
> > 
> > 32.3.2.10.in-addr.arpa  name = client02.stg.example.net.
> > 
> > 
> > # nslookup ipaslave.stg.example.net
> > Server:         10.2.1.21
> > Address:        10.2.1.21#53
> > 
> > Name:   ipaslave.stg.example.net
> > Address: 10.2.1.250
> > 
> > # nslookup 10.2.1.250
> > Server:         10.2.1.21
> > Address:        10.2.1.21#53
> > 
> > 250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.
> > 
> > Any hints or troubleshooting ideas would be appreciated. 
> > 
> > Matrix
> 
> > -- 
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to