On 2/19/21 10:31 AM, Dario García Díaz-Miguel via Pdns-users wrote:
> I had to add to the /etc/openldap/ldap.conf the following parameter:
>
> SASL_MECH GSSAPI

FYI: If you don't want to set this globally you can set env var LDAPRC or LDAPCONF to point to a service-specific ldap.conf. See the details in man-page ldap.conf(5).

> GSSAPI Error: Unspecified GSS failure. Minor code may provide more
> information (No Kerberos credentials available (default cache: /tmp/krb5cc_0)
> )
> [LDAP GSSAPI] ldap_sasl_interactive_bind_s returned -2
> [LDAP GSSAPI] No TGT found, trying to acquire a new one
> [LDAP GSSAPI] krb5 error when getting the TGT: Address family not supported
> by protocol

Do you have a correctly configured /etc/krb5.conf? Again you can point to a service-specific Kerberos config with env var KRB5_CONFIG.

Also check ownership and permissions of your keytab file to see whether pdns can read it.

I'd also check whether it works to get a TGT with the keytab for the expected client principal name. Assuming you're running pdns as user pdns:

    runuser -u pdns -- kinit -t /etc/pdns.keytab pdns-service-princi...@realm.example.com

I don't have a kerberized setup so all of the above is just from memory.

Ciao, Michael.
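
The keytab and TGT checks suggested in the reply above, written as a small preflight script. This is an added example, not part of the original post or of PowerDNS; the function names are hypothetical, the account, keytab path and principal are supplied by the caller, and GNU stat and MIT kinit are assumed.

```shell
# Added example (not from the thread). Function names are hypothetical;
# the service account, keytab path and principal come from the caller.
# Assumes GNU stat (stat -c) and MIT kinit.

# check_keytab FILE UID
# Succeeds only if FILE is a regular file owned by numeric UID, readable
# by its owner, and with no permission bits set for "other" users.
check_keytab() {
    kt=$1; want_uid=$2
    [ -f "$kt" ] || { echo "keytab missing: $kt" >&2; return 1; }
    uid=$(stat -c %u "$kt") || return 1
    mode=$(stat -c %a "$kt") || return 1
    perm=$((0$mode))    # octal mode string, e.g. 600, as an integer
    [ "$uid" = "$want_uid" ] || {
        echo "owner uid is $uid, expected $want_uid" >&2; return 1; }
    [ $((perm & 0400)) -ne 0 ] || {
        echo "owner cannot read $kt (mode $mode)" >&2; return 1; }
    # A keytab holds long-term keys: nobody outside owner/group needs it.
    [ $((perm & 0007)) -eq 0 ] || {
        echo "mode $mode opens $kt to other users" >&2; return 1; }
}

# preflight USER KEYTAB PRINCIPAL
# Checks the keytab, then tries to obtain a TGT as the service account.
# runuser without -l keeps the caller's environment, so a service-specific
# KRB5_CONFIG exported beforehand is the one kinit reads.
preflight() {
    svc=$1; kt=$2; princ=$3
    svc_uid=$(id -u "$svc") || { echo "no such user: $svc" >&2; return 1; }
    check_keytab "$kt" "$svc_uid" || return 1
    runuser -u "$svc" -- kinit -k -t "$kt" "$princ"
}

# Usage, run as root, with the principal from your own realm:
#   KRB5_CONFIG=/etc/pdns/krb5.conf preflight pdns /etc/pdns.keytab "$PRINCIPAL"
```
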