Hello, thanks for your response, but I get the same error...

/etc/openldap/ldap.conf:
-----------------------------------
TLS_CACERT PATH
URI ldap://NAT_IP
BASE ou=ldap,dc=patronas,dc=de
TLS_REQCERT allow
SASL_MECH GSSAPI
SASL_NOCANON on
-----------------------------------

relevant part of /etc/krb5.conf
-----------------------------------
[libdefaults]
dns_canonicalize_hostname = false
rdns = false
forwardable = true
default_realm = PATRONAS.DE
default_etypes = des3-cbc-sha1
default_etypes_des = des-cbc-crc
default_tgs_enctypes = des3-cbc-sha1
default_tkt_enctypes = des3-cbc-sha1
dns_lookup_realm = false
dns_lookup_kdc = false
-----------------------------------

ldapsearch fails, too. The debug output of ldapsearch:
-----------------------------------
ldap_create
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP NAT_IP:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying NAT_IP:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_int_sasl_open: host=NAT_IP
SASL/GSSAPI authentication started
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No credentials found with supported encryption types (filename: /tmp/krb5cc_0))
-----------------------------------

greets
Steffen

> On Mon, 2017-03-06 at 09:38 +0100, Sumit Bose wrote:
>
> It is in general recommended to disable reverse lookups for
> Kerberos/GSSAPI/SASL to avoid this kind of issue. On Fedora and RHEL it
> is disabled by default by setting:
>
> rdns = false
> You may also need to add:
> dns_canonicalize_hostname = false
>
> HTH,
> Simo.
>
>> in /etc/krb5.conf and
>>
>> SASL_NOCANON on
>>
>> in /etc/openldap/ldap.conf.
>>
>> HTH
>>
>> bye,
>> Sumit
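
A checker for the three client settings recommended in the quoted replies (rdns and dns_canonicalize_hostname in /etc/krb5.conf, SASL_NOCANON in /etc/openldap/ldap.conf), added here as an illustration and not part of the original thread. The sample configs, host names and realm are constructed; the function names are hypothetical, and include directives in krb5.conf are not followed.

```python
import re

FALSE_VALUES = {"false", "no", "n", "off", "0", "nil"}  # krb5.conf "false" spellings
TRUE_VALUES = {"on", "true", "yes"}                     # ldap.conf "true" spellings

def krb5_libdefaults(text):
    """Return {key: value} for the [libdefaults] section of krb5.conf text."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values.setdefault(key.strip(), value.strip())  # keep first occurrence
    return values

def ldap_options(text):
    """Return {OPTION: value} for ldap.conf text; option names are case-insensitive."""
    options = {}
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            options[parts[0].upper()] = parts[1].strip()
    return options

def findings(krb5_text, ldap_text):
    """List the settings from the quoted advice that are absent or left enabled."""
    out = []
    lib = krb5_libdefaults(krb5_text)
    for key in ("rdns", "dns_canonicalize_hostname"):
        value = lib.get(key)
        if value is None:
            out.append(f"krb5.conf: {key} not set in [libdefaults]")
        elif value.lower() not in FALSE_VALUES:
            out.append(f"krb5.conf: {key} = {value}")
    nocanon = ldap_options(ldap_text).get("SASL_NOCANON")
    if nocanon is None or nocanon.lower() not in TRUE_VALUES:
        out.append(f"ldap.conf: SASL_NOCANON = {nocanon or 'not set'}")
    return out

# Constructed samples (hypothetical host and realm), not taken from the thread.
WEAK_KRB5 = "[libdefaults]\n default_realm = EXAMPLE.TEST\n rdns = true\n[realms]\n rdns = false\n"
WEAK_LDAP = "URI ldap://ldap.example.test\nSASL_MECH GSSAPI\n"
FIXED_KRB5 = "[libdefaults]\n rdns = false\n dns_canonicalize_hostname = false\n"
FIXED_LDAP = "# client\nSASL_MECH GSSAPI\nsasl_nocanon on\n"

if __name__ == "__main__":
    print(findings(WEAK_KRB5, WEAK_LDAP))
    print(findings(FIXED_KRB5, FIXED_LDAP))
```

An empty result only confirms that the canonicalization settings are in place; it says nothing about encryption types or the contents of the credential cache.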
