Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed(-2)[Localerror]'

2016-11-10 Thread Sumit Bose
On Thu, Nov 10, 2016 at 06:48:54PM +0800, Matrix wrote:
> Hi, Sumit
> 
> Thanks for your reply
> 
> I have tried. Still failed.

Do you see any related messages on the LDAP server side?

bye,
Sumit

> 
> # cat /etc/openldap/ldap.conf  | grep -v ^#
> 
> URI ldap://ipaslave.stg.example.net
> BASE dc=example,dc=net
> TLS_CACERT /etc/ipa/ca.crt
> SASL_MECH GSSAPI
> TLS_REQCERT allow
> SASL_NOCANON on
> 
> 
> # cat /etc/krb5.conf| grep rdns
>   rdns = false
> 
> Matrix
> 
> -- Original --
> From:  "Sumit Bose";<sb...@redhat.com>;
> Date:  Thu, Nov 10, 2016 06:32 PM
> To:  "freeipa-users"<freeipa-users@redhat.com>; 
> 
> Subject:  Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind 
> failed(-2)[Localerror]'
> 
> 
> 
> On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> > Debug steps have been tried:
> > 
> > 1 kinit is workable: 
> > # /usr/kerberos/bin/kinit -k host/client02.stg.example@example.net
> > 
> > # /usr/kerberos/bin/klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: host/client02.stg.example@example.net
> > 
> > Valid starting     Expires            Service principal
> > 11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/example@example.net
> > 
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> > 
> > 2 ldapwhoami with krb auth failed. 
> > 
> > # ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Local error (-2)
> > additional info: SASL(-1): generic failure: GSSAPI Error: 
> > Unspecified GSS failure.  Minor code may provide more information (Mutual 
> > authentication failed)
> > 
> 
> Have you made sure that canonicalizing is disabled, i.e.
> /etc/krb5.conf: 
> [libdefaults]
>  ...
>  rdns = false
>  ...
> 
> /etc/openldap/ldap.conf
> ...
> SASL_NOCANON on
> ...
> 
> HTH
> 
> bye,
> Sumit
> 
> > 
> > Matrix
> > 
> > -- Original --
> > From:  "Matrix";<matrix...@qq.com>;
> > Date:  Thu, Nov 10, 2016 02:11 PM
> > To:  "freeipa-users"<freeipa-users@redhat.com>; 
> > 
> > Subject:  [Freeipa-users] sssd failed with 'ldap_sasl_bind failed 
> > (-2)[Localerror]'
> > 
> > 
> > 
> > Hi, 
> > 
> > I have installed sssd in a RHEL5 client. 
> > 
> > ipa-client/sssd version:
> > ipa-client-2.1.3-7.el5
> > sssd-client-1.5.1-71.el5
> > sssd-1.5.1-71.el5
> > 
> > sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local 
> > error]'. 
> > 
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] 
> > (4): Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] 
> > (1): ldap_sasl_bind failed (-2)[Local error]
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] 
> > (7): Waiting for child [7].
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] 
> > (4): child [7] finished successfully.
> > 
> > I have tried to google to find the root cause. Some link explained it should be 
> > something wrong with DNS. I have double confirmed it. 
> > 
> > # nslookup client02.stg.example.net
> > Server: 10.2.1.21
> > Address:10.2.1.21#53
> > 
> > Name:   client02.stg.example.net
> > Address: 10.2.3.32
> > 
> > 
> > # nslookup 10.2.3.32
> > Server: 10.2.1.21
> > Address:10.2.1.21#53
> > 
> > 32.3.2.10.in-addr.arpa  name = client02.stg.example.net.
> > 
> > 
> > # nslookup ipaslave.stg.example.net
> > Server: 10.2.1.21
> > Address:10.2.1.21#53
> > 
> > Name:   ipaslave.stg.example.net
> > Address: 10.2.1.250
> > 
> > # nslookup 10.2.1.250
> > Server: 10.2.1.21
> > Address:10.2.1.21#53
> > 
> > 250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.
> > 
> > Any hints or troubleshooting ideas would be appreciated. 
> > 
> > Matrix
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed(-2)[Localerror]'

2016-11-10 Thread Matrix
Hi, Sumit

Thanks for your reply

I have tried. Still failed.

# cat /etc/openldap/ldap.conf  | grep -v ^#

URI ldap://ipaslave.stg.example.net
BASE dc=example,dc=net
TLS_CACERT /etc/ipa/ca.crt
SASL_MECH GSSAPI
TLS_REQCERT allow
SASL_NOCANON on


# cat /etc/krb5.conf| grep rdns
  rdns = false

Matrix

-- Original --
From:  "Sumit Bose";<sb...@redhat.com>;
Date:  Thu, Nov 10, 2016 06:32 PM
To:  "freeipa-users"<freeipa-users@redhat.com>; 

Subject:  Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind 
failed(-2)[Localerror]'



On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> Debug steps have been tried:
> 
> 1 kinit is workable: 
> # /usr/kerberos/bin/kinit -k host/client02.stg.example@example.net
> 
> # /usr/kerberos/bin/klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/client02.stg.example@example.net
> 
> Valid starting     Expires            Service principal
> 11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/example@example.net
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> 
> 2 ldapwhoami with krb auth failed. 
> 
> # ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Mutual authentication 
> failed)
> 

Have you made sure that canonicalizing is disabled, i.e.
/etc/krb5.conf: 
[libdefaults]
 ...
 rdns = false
 ...

/etc/openldap/ldap.conf
...
SASL_NOCANON on
...

HTH

bye,
Sumit

> 
> Matrix
> 
> -- Original --
> From:  "Matrix";<matrix...@qq.com>;
> Date:  Thu, Nov 10, 2016 02:11 PM
> To:  "freeipa-users"<freeipa-users@redhat.com>; 
> 
> Subject:  [Freeipa-users] sssd failed with 'ldap_sasl_bind failed 
> (-2)[Localerror]'
> 
> 
> 
> Hi, 
> 
> I have installed sssd in a RHEL5 client. 
> 
> ipa-client/sssd version:
> ipa-client-2.1.3-7.el5
> sssd-client-1.5.1-71.el5
> sssd-1.5.1-71.el5
> 
> sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local 
> error]'. 
> 
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4): 
> Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1): 
> ldap_sasl_bind failed (-2)[Local error]
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] 
> (7): Waiting for child [7].
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] 
> (4): child [7] finished successfully.
> 
> I have tried to google to find the root cause. Some link explained it should be 
> something wrong with DNS. I have double confirmed it. 
> 
> # nslookup client02.stg.example.net
> Server: 10.2.1.21
> Address:10.2.1.21#53
> 
> Name:   client02.stg.example.net
> Address: 10.2.3.32
> 
> 
> # nslookup 10.2.3.32
> Server: 10.2.1.21
> Address:10.2.1.21#53
> 
> 32.3.2.10.in-addr.arpa  name = client02.stg.example.net.
> 
> 
> # nslookup ipaslave.stg.example.net
> Server: 10.2.1.21
> Address:10.2.1.21#53
> 
> Name:   ipaslave.stg.example.net
> Address: 10.2.1.250
> 
> # nslookup 10.2.1.250
> Server: 10.2.1.21
> Address:10.2.1.21#53
> 
> 250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.
> 
> Any hints or troubleshooting ideas would be appreciated. 
> 
> Matrix


Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Localerror]'

2016-11-10 Thread Sumit Bose
On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> Debug steps have been tried:
> 
> 1 kinit is workable: 
> # /usr/kerberos/bin/kinit -k host/client02.stg.example@example.net
> 
> # /usr/kerberos/bin/klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/client02.stg.example@example.net
> 
> Valid starting     Expires            Service principal
> 11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/example@example.net
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> 
> 2 ldapwhoami with krb auth failed. 
> 
> # ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Mutual authentication 
> failed)
> 

Have you made sure that canonicalizing is disabled, i.e.
/etc/krb5.conf: 
[libdefaults]
 ...
 rdns = false
 ...

/etc/openldap/ldap.conf
...
SASL_NOCANON on
...

HTH

bye,
Sumit

> 
> Matrix
> 
> -- Original --
> From:  "Matrix";<matrix...@qq.com>;
> Date:  Thu, Nov 10, 2016 02:11 PM
> To:  "freeipa-users"<freeipa-users@redhat.com>; 
> 
> Subject:  [Freeipa-users] sssd failed with 'ldap_sasl_bind failed 
> (-2)[Localerror]'
> 
> 
> 
> Hi, 
> 
> I have installed sssd in a RHEL5 client. 
> 
> ipa-client/sssd version:
> ipa-client-2.1.3-7.el5
> sssd-client-1.5.1-71.el5
> sssd-1.5.1-71.el5
> 
> sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local 
> error]'. 
> 
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4): 
> Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1): 
> ldap_sasl_bind failed (-2)[Local error]
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] 
> (7): Waiting for child [7].
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] 
> (4): child [7] finished successfully.
> 
> I have tried to google to find the root cause. Some link explained it should be 
> something wrong with DNS. I have double confirmed it. 
> 
> # nslookup client02.stg.example.net
> Server: 10.2.1.21
> Address:10.2.1.21#53
> 
> Name:   client02.stg.example.net
> Address: 10.2.3.32
> 
> 
> # nslookup 10.2.3.32
> Server: 10.2.1.21
> Address:10.2.1.21#53
> 
> 32.3.2.10.in-addr.arpa  name = client02.stg.example.net.
> 
> 
> # nslookup ipaslave.stg.example.net
> Server: 10.2.1.21
> Address:10.2.1.21#53
> 
> Name:   ipaslave.stg.example.net
> Address: 10.2.1.250
> 
> # nslookup 10.2.1.250
> Server: 10.2.1.21
> Address:10.2.1.21#53
> 
> 250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.
> 
> Any hints or troubleshooting ideas would be appreciated. 
> 
> Matrix


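Sumit's advice above comes down to two settings, `rdns = false` in the `[libdefaults]` section of krb5.conf and `SASL_NOCANON on` in ldap.conf, plus the forward/reverse DNS check Matrix ran with nslookup. The following is an added example, not code from the thread and not part of FreeIPA or SSSD: a small Python checker that parses both files for those knobs, repeats the A/PTR consistency check, and models (in simplified form) why the knobs matter: with reverse-DNS canonicalization on, the service principal a GSSAPI client asks for is derived from the PTR record of the server's address, so a stale or wrong PTR makes the client request a principal the server has no key for and mutual authentication fails. The config texts and the DNS table are constructed sample data; the principal derivation is an illustrative model of MIT krb5's `rdns` behaviour, not its real code path.

```python
"""Check the two canonicalization knobs from the thread and model their effect.
Added example; KRB5_CONF, LDAP_CONF, FORWARD and REVERSE are constructed samples."""
import re

# Constructed stand-in for /etc/krb5.conf (not the poster's real file).
KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.NET
 dns_lookup_kdc = true
 rdns = false

[realms]
 EXAMPLE.NET = {
  kdc = ipaslave.stg.example.net:88
 }
"""

# Constructed stand-in for /etc/openldap/ldap.conf.
LDAP_CONF = """\
URI ldap://ipaslave.stg.example.net
BASE dc=example,dc=net
TLS_CACERT /etc/ipa/ca.crt
SASL_MECH GSSAPI
SASL_NOCANON on
"""

# Constructed A and PTR records standing in for the DNS server, so this runs offline.
FORWARD = {"ipaslave.stg.example.net": "10.2.1.250"}
REVERSE = {"10.2.1.250": "ipaslave.stg.example.net."}


def krb5_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section, keys lower-cased."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out[key.lower()] = value.lower()
    return out


def ldap_conf(text):
    """Return ldap.conf directives (KEYWORD whitespace value) as a dict."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        out[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return out


def canonicalization_disabled(krb5_text, ldap_text):
    """True only when both knobs are set: rdns = false and SASL_NOCANON on.
    MIT krb5 defaults rdns to true and OpenLDAP defaults SASL_NOCANON to off."""
    rdns = krb5_libdefaults(krb5_text).get("rdns", "true")
    nocanon = ldap_conf(ldap_text).get("SASL_NOCANON", "off").lower()
    return rdns in ("false", "no", "0") and nocanon in ("on", "true", "yes")


def dns_consistent(host, forward=FORWARD, reverse=REVERSE):
    """The nslookup check from the thread: the host's address must PTR back to it."""
    addr = forward.get(host)
    return addr is not None and reverse.get(addr, "").rstrip(".") == host


def service_principal(host, realm, rdns, service="ldap",
                      forward=FORWARD, reverse=REVERSE):
    """Simplified model of the principal the client requests for an LDAP bind.
    With rdns the name is taken from the PTR of the host's address; without it
    the name stays as given, which is what rdns = false buys you."""
    name = host.rstrip(".")
    if rdns:
        addr = forward.get(name)
        if addr and addr in reverse:
            name = reverse[addr].rstrip(".")
    return "%s/%s@%s" % (service, name, realm)


if __name__ == "__main__":
    print("canonicalization disabled:",
          canonicalization_disabled(KRB5_CONF, LDAP_CONF))
    print("DNS consistent:", dns_consistent("ipaslave.stg.example.net"))
    # A stale PTR (constructed) changes the requested principal when rdns is on.
    stale = {"10.2.1.250": "oldname.stg.example.net."}
    for flag in (False, True):
        print("rdns =", flag, "->",
              service_principal("ipaslave.stg.example.net", "EXAMPLE.NET",
                                flag, reverse=stale))
```

Run it against the real files with `canonicalization_disabled(open("/etc/krb5.conf").read(), open("/etc/openldap/ldap.conf").read())`; the DNS functions take a resolver table so the same logic can be fed live A/PTR answers. When both knobs are set and the forward/reverse records agree, as in Matrix's output, the client-side canonicalization theory is exhausted and the next place to look is the server-side log, which is what Sumit asks for in his last reply.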

Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Localerror]'

2016-11-10 Thread Matrix
Debug steps have been tried:

1 kinit is workable: 
# /usr/kerberos/bin/kinit -k host/client02.stg.example@example.net

# /usr/kerberos/bin/klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/client02.stg.example@example.net

Valid starting     Expires            Service principal
11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/example@example.net

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

2 ldapwhoami with krb auth failed. 

# ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (Mutual authentication 
failed)


Matrix

-- Original --
From:  "Matrix";<matrix...@qq.com>;
Date:  Thu, Nov 10, 2016 02:11 PM
To:  "freeipa-users"<freeipa-users@redhat.com>; 

Subject:  [Freeipa-users] sssd failed with 'ldap_sasl_bind failed 
(-2)[Localerror]'



Hi, 

I have installed sssd in a RHEL5 client. 

ipa-client/sssd version:
ipa-client-2.1.3-7.el5
sssd-client-1.5.1-71.el5
sssd-1.5.1-71.el5

sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local 
error]'. 

(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4): 
Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1): 
ldap_sasl_bind failed (-2)[Local error]
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (7): 
Waiting for child [7].
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (4): 
child [7] finished successfully.

I have tried to google to find the root cause. Some link explained it should be 
something wrong with DNS. I have double confirmed it. 

# nslookup client02.stg.example.net
Server: 10.2.1.21
Address:10.2.1.21#53

Name:   client02.stg.example.net
Address: 10.2.3.32


# nslookup 10.2.3.32
Server: 10.2.1.21
Address:10.2.1.21#53

32.3.2.10.in-addr.arpa  name = client02.stg.example.net.


# nslookup ipaslave.stg.example.net
Server: 10.2.1.21
Address:10.2.1.21#53

Name:   ipaslave.stg.example.net
Address: 10.2.1.250

# nslookup 10.2.1.250
Server: 10.2.1.21
Address:10.2.1.21#53

250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.

Any hints or troubleshooting ideas would be appreciated. 

Matrix