On Thu, Nov 10, 2016 at 07:19:09PM +0800, Matrix wrote:
> Hi, Sumit
>
> I have checked, and did not find anything more:
>
> error logs from /var/log/dirsrv/slapd-EXAMPLE-NET/access:
> .......
> [10/Nov/2016:10:46:58 +0000] conn=816560 fd=189 slot=189 connection from 10.2.3.32 to 10.2.1.250
> [10/Nov/2016:10:46:58 +0000] conn=816560 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [10/Nov/2016:10:46:58 +0000] conn=816560 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [10/Nov/2016:10:46:58 +0000] conn=816560 op=-1 fd=189 closed - B1

Sorry, I still have no idea; maybe running ldapwhoami with '-d -1' might
help to identify which step is failing.

bye,
Sumit

> .......
>
> Matrix
>
> ------------------ Original ------------------
> From: "Sumit Bose";<sb...@redhat.com>;
> Date: Thu, Nov 10, 2016 07:13 PM
> To: "Matrix"<matrix...@qq.com>;
> Cc: "Sumit Bose"<sb...@redhat.com>; "freeipa-users"<freeipa-users@redhat.com>;
> Subject: Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Local error]'
>
> On Thu, Nov 10, 2016 at 06:48:54PM +0800, Matrix wrote:
> > Hi, Sumit
> >
> > Thanks for your reply.
> >
> > I have tried. Still failed.
>
> Do you see any related messages on the LDAP server side?
>
> bye,
> Sumit
>
> > # cat /etc/openldap/ldap.conf | grep -v ^#
> >
> > URI ldap://ipaslave.stg.example.net
> > BASE dc=example,dc=net
> > TLS_CACERT /etc/ipa/ca.crt
> > SASL_MECH GSSAPI
> > TLS_REQCERT allow
> > SASL_NOCANON on
> >
> > # cat /etc/krb5.conf | grep rdns
> > rdns = false
> >
> > Matrix
> >
> > ------------------ Original ------------------
> > From: "Sumit Bose";<sb...@redhat.com>;
> > Date: Thu, Nov 10, 2016 06:32 PM
> > To: "freeipa-users"<freeipa-users@redhat.com>;
> > Subject: Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Local error]'
> >
> > On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> > > Debug steps have been tried:
> > >
> > > 1. kinit is workable:
> > > # /usr/kerberos/bin/kinit -k host/client02.stg.example....@example.net
> > >
> > > # /usr/kerberos/bin/klist
> > > Ticket cache: FILE:/tmp/krb5cc_0
> > > Default principal: host/client02.stg.example....@example.net
> > >
> > > Valid starting     Expires            Service principal
> > > 11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/example....@example.net
> > >
> > > Kerberos 4 ticket cache: /tmp/tkt0
> > > klist: You have no tickets cached
> > >
> > > 2. ldapwhoami with krb auth failed:
> > >
> > > # ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
> > > SASL/GSSAPI authentication started
> > > ldap_sasl_interactive_bind_s: Local error (-2)
> > >         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Mutual authentication failed)
> >
> > Have you made sure that canonicalizing is disabled, i.e.
> >
> > /etc/krb5.conf:
> > [libdefaults]
> > ...
> > rdns = false
> > ...
> >
> > /etc/openldap/ldap.conf:
> > ...
> > SASL_NOCANON on
> > ...
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > > Matrix
> > >
> > > ------------------ Original ------------------
> > > From: "Matrix";<matrix...@qq.com>;
> > > Date: Thu, Nov 10, 2016 02:11 PM
> > > To: "freeipa-users"<freeipa-users@redhat.com>;
> > > Subject: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Local error]'
> > >
> > > Hi,
> > >
> > > I have installed sssd on a RHEL5 client.
> > >
> > > ipa-client/sssd version:
> > > ipa-client-2.1.3-7.el5
> > > sssd-client-1.5.1-71.el5
> > > sssd-1.5.1-71.el5
> > >
> > > sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local error]'.
> > >
> > > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
> > > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1): ldap_sasl_bind failed (-2)[Local error]
> > > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (7): Waiting for child [11117].
> > > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (4): child [11117] finished successfully.
> > >
> > > I have tried to google to find the root cause. Some links explained it should be something wrong with DNS. I have double confirmed it.
> > >
> > > # nslookup client02.stg.example.net
> > > Server:         10.2.1.21
> > > Address:        10.2.1.21#53
> > >
> > > Name:   client02.stg.example.net
> > > Address: 10.2.3.32
> > >
> > > # nslookup 10.2.3.32
> > > Server:         10.2.1.21
> > > Address:        10.2.1.21#53
> > >
> > > 32.3.2.10.in-addr.arpa  name = client02.stg.example.net.
> > >
> > > # nslookup ipaslave.stg.example.net
> > > Server:         10.2.1.21
> > > Address:        10.2.1.21#53
> > >
> > > Name:   ipaslave.stg.example.net
> > > Address: 10.2.1.250
> > >
> > > # nslookup 10.2.1.250
> > > Server:         10.2.1.21
> > > Address:        10.2.1.21#53
> > >
> > > 250.1.2.10.in-addr.arpa  name = ipaslave.stg.example.net.
> > >
> > > Any hints or troubleshooting ideas would be appreciated.
> > >
> > > Matrix

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
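The two canonicalization settings Sumit asks about (rdns in krb5.conf, SASL_NOCANON in ldap.conf) and the server-side pattern in the 389-ds access log Matrix posted, combined into one small checker. This is an added example, not code from the thread or from FreeIPA/SSSD; the sample config texts and the second, successful connection in the sample log are constructed, while the four lines for conn=816560 are the ones quoted above. The pattern it flags is a SASL bind that the server answered with err=14 (SASL bind in progress) and that was then closed by the client without ever receiving err=0, which is how a client-side mutual-authentication failure looks from the directory server.

```python
"""Checks for a GSSAPI SASL bind failing with 'Local error (-2)' against
an IPA / 389-ds server.  Added example, not code from the thread: it
tests the two canonicalization settings Sumit asked about and scans
389-ds access-log lines for SASL binds that never completed.  The
sample configs and the second connection in the log are constructed."""
import re
from collections import defaultdict

KRB5_FALSE = ('false', 'no', 'off', '0', 'n', 'f', 'nil')   # MIT krb5 boolean spellings
LDAP_ON = ('on', 'true', 'yes')                            # ldap.conf(5) boolean spellings


def krb5_rdns_disabled(krb5_conf: str) -> bool:
    """True only if [libdefaults] explicitly sets rdns to a false value.
    Unset means the MIT default (true): the reverse lookup of the server
    address is used to canonicalize the service principal name."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = m.group(1).lower()
        elif section == 'libdefaults' and '=' in line:
            key, _, value = line.partition('=')
            if key.strip().lower() == 'rdns':
                return value.strip().lower() in KRB5_FALSE
    return False


def ldap_sasl_nocanon_on(ldap_conf: str) -> bool:
    """True if ldap.conf sets SASL_NOCANON on (keyword is case-insensitive)."""
    for raw in ldap_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == 'SASL_NOCANON':
            return parts[1].strip().lower() in LDAP_ON
    return False


# 389-ds access-log line: [timestamp] conn=N [op=M] <rest>
LINE_RE = re.compile(r'^\[[^\]]+\]\s+conn=(?P<conn>\d+)\s+(?:op=(?P<op>-?\d+)\s+)?(?P<rest>.*)$')


def incomplete_sasl_binds(access_log: str) -> dict:
    """Return {conn_id: {'peer': ip, 'mech': name}} for connections where a
    SASL bind reached 'err=14, SASL bind in progress' and the socket closed
    before a RESULT err=0 for the last bind op arrived."""
    conns = defaultdict(lambda: {'peer': None, 'mech': None, 'bind_op': None,
                                 'in_progress': False, 'bound': False, 'closed': False})
    for line in access_log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        c, op, rest = conns[m.group('conn')], m.group('op'), m.group('rest')
        if (peer := re.search(r'connection from (\S+) to ', rest)):
            c['peer'] = peer.group(1)
        elif (mech := re.match(r'BIND .*method=sasl.*mech=(\S+)', rest)):
            c['mech'], c['bind_op'] = mech.group(1), op      # each SASL step is a new op
        elif rest.startswith('RESULT'):
            err = re.search(r'err=(\d+)', rest)
            if err and err.group(1) == '14':
                c['in_progress'] = True
            elif err and err.group(1) == '0' and op == c['bind_op']:
                c['bound'] = True
        elif rest.startswith('fd=') and 'closed' in rest:
            c['closed'] = True
    return {cid: {'peer': c['peer'], 'mech': c['mech']} for cid, c in conns.items()
            if c['in_progress'] and c['closed'] and not c['bound']}


# Constructed sample inputs.  conn=816560 is the thread's log; conn=816561 is a
# made-up successful three-step GSSAPI bind for contrast.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.NET
 rdns = false
[realms]
 EXAMPLE.NET = {
  kdc = ipaslave.stg.example.net:88
 }
"""
SAMPLE_LDAP_CONF = """\
URI ldap://ipaslave.stg.example.net
BASE dc=example,dc=net
TLS_CACERT /etc/ipa/ca.crt
SASL_MECH GSSAPI
TLS_REQCERT allow
SASL_NOCANON on
"""
SAMPLE_ACCESS_LOG = """\
[10/Nov/2016:10:46:58 +0000] conn=816560 fd=189 slot=189 connection from 10.2.3.32 to 10.2.1.250
[10/Nov/2016:10:46:58 +0000] conn=816560 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Nov/2016:10:46:58 +0000] conn=816560 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Nov/2016:10:46:58 +0000] conn=816560 op=-1 fd=189 closed - B1
[10/Nov/2016:10:47:02 +0000] conn=816561 fd=190 slot=190 connection from 10.2.3.40 to 10.2.1.250
[10/Nov/2016:10:47:02 +0000] conn=816561 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Nov/2016:10:47:02 +0000] conn=816561 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Nov/2016:10:47:02 +0000] conn=816561 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Nov/2016:10:47:02 +0000] conn=816561 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[10/Nov/2016:10:47:02 +0000] conn=816561 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Nov/2016:10:47:02 +0000] conn=816561 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=client03.stg.example.net,cn=computers,cn=accounts,dc=example,dc=net"
[10/Nov/2016:10:47:03 +0000] conn=816561 op=3 UNBIND
[10/Nov/2016:10:47:03 +0000] conn=816561 op=-1 fd=190 closed - U1
"""


def diagnose(krb5_conf=SAMPLE_KRB5_CONF, ldap_conf=SAMPLE_LDAP_CONF,
             access_log=SAMPLE_ACCESS_LOG) -> dict:
    """Run all three checks; pass the real file contents in place of the samples."""
    return {'rdns_disabled': krb5_rdns_disabled(krb5_conf),
            'sasl_nocanon_on': ldap_sasl_nocanon_on(ldap_conf),
            'incomplete_binds': incomplete_sasl_binds(access_log)}


if __name__ == '__main__':
    for key, value in diagnose().items():
        print(f'{key}: {value}')
```

On the real files, feed `open('/etc/krb5.conf').read()`, `open('/etc/openldap/ldap.conf').read()` and the access log into `diagnose()`. Both settings being correct (as they are in Matrix's output) together with a flagged connection narrows the problem to the client side of the GSSAPI exchange, which is why the next step in the thread is `ldapwhoami -d -1` rather than more server-side log reading.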