Hi, Sumit
I have checked, and did not find anything more:
error logs from /var/log/dirsrv/slapd-EXAMPLE-NET/access:
.......
[10/Nov/2016:10:46:58 +0000] conn=816560 fd=189 slot=189 connection from 10.2.3.32 to 10.2.1.250
[10/Nov/2016:10:46:58 +0000] conn=816560 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Nov/2016:10:46:58 +0000] conn=816560 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Nov/2016:10:46:58 +0000] conn=816560 op=-1 fd=189 closed - B1
.......
Matrix
------------------ Original ------------------
From: "Sumit Bose";<[email protected]>;
Date: Thu, Nov 10, 2016 07:13 PM
To: "Matrix"<[email protected]>;
Cc: "Sumit Bose"<[email protected]>; "freeipa-users"<[email protected]>;
Subject: Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Local error]'
On Thu, Nov 10, 2016 at 06:48:54PM +0800, Matrix wrote:
> Hi, Sumit
>
> Thanks for your reply
>
> I have tried. Still failed.
Do you see any related messages on the LDAP server side?
bye,
Sumit
>
> # cat /etc/openldap/ldap.conf | grep -v ^#
>
> URI ldap://ipaslave.stg.example.net
> BASE dc=example,dc=net
> TLS_CACERT /etc/ipa/ca.crt
> SASL_MECH GSSAPI
> TLS_REQCERT allow
> SASL_NOCANON on
>
>
> # cat /etc/krb5.conf | grep rdns
> rdns = false
>
> Matrix
>
> ------------------ Original ------------------
> From: "Sumit Bose";<[email protected]>;
> Date: Thu, Nov 10, 2016 06:32 PM
> To: "freeipa-users"<[email protected]>;
>
> Subject: Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Local error]'
>
>
>
> On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> > debug steps have been tried:
> >
> > 1. kinit works:
> > # /usr/kerberos/bin/kinit -k host/[email protected]
> >
> > # /usr/kerberos/bin/klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: host/[email protected]
> >
> > Valid starting Expires Service principal
> > 11/10/16 09:18:00 11/11/16 09:17:35 krbtgt/[email protected]
> >
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> >
> > 2. ldapwhoami with Kerberos auth failed.
> >
> > # ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Local error (-2)
> > additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Mutual authentication failed)
> >
>
> Have you made sure that canonicalizing is disabled, i.e.
> /etc/krb5.conf:
> [libdefaults]
> ...
> rdns = false
> ...
>
> /etc/openldap/ldap.conf
> ...
> SASL_NOCANON on
> ...
>
> HTH
>
> bye,
> Sumit
>
> >
> > Matrix
> >
> > ------------------ Original ------------------
> > From: "Matrix";<[email protected]>;
> > Date: Thu, Nov 10, 2016 02:11 PM
> > To: "freeipa-users"<[email protected]>;
> >
> > Subject: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Local error]'
> >
> >
> >
> > Hi,
> >
> > I have installed sssd on a RHEL5 client.
> >
> > ipa-client/sssd version:
> > ipa-client-2.1.3-7.el5
> > sssd-client-1.5.1-71.el5
> > sssd-1.5.1-71.el5
> >
> > sssd failed to get IPA user info with 'ldap_sasl_bind failed (-2)[Local error]'.
> >
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1): ldap_sasl_bind failed (-2)[Local error]
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (7): Waiting for child [11117].
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (4): child [11117] finished successfully.
> >
> > I have googled for the root cause. Some links explained it should be something wrong with DNS. I have double-checked it.
> >
> > # nslookup client02.stg.example.net
> > Server: 10.2.1.21
> > Address: 10.2.1.21#53
> >
> > Name: client02.stg.example.net
> > Address: 10.2.3.32
> >
> >
> > # nslookup 10.2.3.32
> > Server: 10.2.1.21
> > Address: 10.2.1.21#53
> >
> > 32.3.2.10.in-addr.arpa name = client02.stg.example.net.
> >
> >
> > # nslookup ipaslave.stg.example.net
> > Server: 10.2.1.21
> > Address: 10.2.1.21#53
> >
> > Name: ipaslave.stg.example.net
> > Address: 10.2.1.250
> >
> > # nslookup 10.2.1.250
> > Server: 10.2.1.21
> > Address: 10.2.1.21#53
> >
> > 250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.
> >
> > Any hints or troubleshooting ideas would be appreciated.
> >
> > Matrix
>
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
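A server-side check that follows from the access-log excerpt at the top of this thread, added here as an example (it is not code from the thread, from 389-ds or from FreeIPA): it scans 389-ds access-log lines and reports GSSAPI SASL binds that receive "SASL bind in progress" (err=14) and then see the connection close before any RESULT err=0, which is the pattern the directory server logs when the client gives up partway through the GSSAPI exchange, as in the mutual-authentication failure above. The log lines, IPs and DN in the sample are constructed; the regular expressions assume the standard 389-ds access-log line layout shown in the thread.

```python
import re
import sys
from collections import OrderedDict

# Constructed sample 389-ds access-log lines (placeholder IPs and DN), modelled on
# the excerpt quoted in the thread: conn=816560 is a GSSAPI bind that never
# completes, conn=816561 is a normal multi-round-trip GSSAPI bind for contrast.
SAMPLE_LOG = """\
[10/Nov/2016:10:46:58 +0000] conn=816560 fd=189 slot=189 connection from 10.2.3.32 to 10.2.1.250
[10/Nov/2016:10:46:58 +0000] conn=816560 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Nov/2016:10:46:58 +0000] conn=816560 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Nov/2016:10:46:58 +0000] conn=816560 op=-1 fd=189 closed - B1
[10/Nov/2016:10:47:03 +0000] conn=816561 fd=190 slot=190 connection from 10.2.3.40 to 10.2.1.250
[10/Nov/2016:10:47:03 +0000] conn=816561 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Nov/2016:10:47:03 +0000] conn=816561 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Nov/2016:10:47:03 +0000] conn=816561 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Nov/2016:10:47:03 +0000] conn=816561 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Nov/2016:10:47:03 +0000] conn=816561 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Nov/2016:10:47:03 +0000] conn=816561 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=client03.stg.example.net,cn=computers,cn=accounts,dc=example,dc=net"
[10/Nov/2016:10:47:09 +0000] conn=816561 op=3 UNBIND
[10/Nov/2016:10:47:09 +0000] conn=816561 op=3 fd=190 closed - U1
"""

# Every access-log line starts with a timestamp and a connection id.
PREFIX = r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) '
RE_OPEN = re.compile(PREFIX + r'fd=\d+ slot=\d+ (?:SSL )?connection from (?P<src>\S+) to (?P<dst>\S+)')
RE_BIND = re.compile(PREFIX + r'op=(?P<op>-?\d+) BIND .*\bmech=(?P<mech>\S+)')
RE_RESULT = re.compile(PREFIX + r'op=(?P<op>-?\d+) RESULT err=(?P<err>\d+)')
RE_CLOSE = re.compile(PREFIX + r'op=-?\d+ fd=\d+ closed - (?P<reason>\S+)')


def find_incomplete_gssapi_binds(log_text):
    """Return one record per connection whose GSSAPI SASL bind was started but
    never answered with RESULT err=0 before the connection was closed.
    Simple binds carry no mech= field and are ignored."""
    conns = OrderedDict()
    findings = []
    for line in log_text.splitlines():
        m = RE_OPEN.match(line)
        if m:
            conns[m['conn']] = {'conn': m['conn'], 'opened': m['ts'], 'src': m['src'],
                                'dst': m['dst'], 'mech': None, 'rounds': 0, 'bound': False}
            continue
        m = RE_BIND.match(line)
        if m and m['conn'] in conns:
            conns[m['conn']]['mech'] = m['mech']
            continue
        m = RE_RESULT.match(line)
        if m and m['conn'] in conns:
            c = conns[m['conn']]
            if c['mech'] == 'GSSAPI':
                if m['err'] == '14':      # LDAP_SASL_BIND_IN_PROGRESS: another round trip expected
                    c['rounds'] += 1
                elif m['err'] == '0':     # bind completed
                    c['bound'] = True
            continue
        m = RE_CLOSE.match(line)
        if m and m['conn'] in conns:
            c = conns.pop(m['conn'])
            if c['mech'] == 'GSSAPI' and not c['bound']:
                c['closed'] = m['ts']
                c['close_reason'] = m['reason']   # close code as logged by the server, not interpreted here
                findings.append(c)
    return findings


def format_report(findings):
    """One line per incomplete bind, suitable for a ticket or a dashboard."""
    return [
        "conn=%s from %s to %s: GSSAPI bind had %d 'in progress' result(s), "
        "then closed (%s) without err=0" % (f['conn'], f['src'], f['dst'], f['rounds'], f['close_reason'])
        for f in findings
    ]


if __name__ == '__main__':
    # Usage: python3 check_gssapi_binds.py < /var/log/dirsrv/slapd-EXAMPLE-NET/access
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for row in format_report(find_incomplete_gssapi_binds(text)):
        print(row)
```

Run against the real access log, a burst of these records from one client IP is the server-side signature of the client-side 'Local error (-2)' seen in the thread; the connection-open line gives the client address to check (forward and reverse DNS, rdns and SASL_NOCANON settings) without needing the client's own debug output.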