On Mon, Mar 06, 2017 at 04:28:04PM +0100, [email protected] wrote:
> Hello,
> 
> thanks for your response, but I get the same error...
> 
> /etc/openldap/ldap.conf:
>  
> -----------------------------------
> TLS_CACERT     PATH
> URI ldap://NAT_IP
> BASE ou=ldap,dc=patronas,dc=de
> TLS_REQCERT allow
> SASL_MECH GSSAPI
> SASL_NOCANON on
> -----------------------------------
> 
> 
> relevant part of /etc/krb5.conf
> 
> -----------------------------------
> [libdefaults]
>  dns_canonicalize_hostname = false
>  rdns = false
>  forwardable = true
>  default_realm = PATRONAS.DE
>       default_etypes = des3-cbc-sha1
>       default_etypes_des = des-cbc-crc
>       default_tgs_enctypes = des3-cbc-sha1
>       default_tkt_enctypes = des3-cbc-sha1
> 
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
> -----------------------------------
> 
> ldapsearch fails, too.
> The debug output of ldapsearch:
> 
> -----------------------------------
> 
> ldap_create
> ldap_sasl_interactive_bind: user selected: GSSAPI
> ldap_int_sasl_bind: GSSAPI
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP NAT_IP:389
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying NAT_IP:389
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> attempting to connect:
> connect success
> ldap_int_sasl_open: host=NAT_IP
> SASL/GSSAPI authentication started
> ldap_msgfree
> ldap_err2string
> ldap_sasl_interactive_bind_s: Local error (-2)
>     additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure.  Minor code may provide more information (No
> credentials found with supported encryption types (filename: /tmp/krb5cc_0))

But now there is a different error than the original 'Server not found
in Kerberos database'.

Your krb5.conf only allows des3-cbc-sha1. Is there a reason for this?

Please check with 'klist -e /tmp/krb5cc_0' if the credential cache has
des3-cbc-sha1 keys or not.

You can simulate the Kerberos steps SSSD does by calling:

    kinit -k

and

    kvno ldap/[email protected]

To get more details you can use

    KRB5_TRACE=/dev/stdout kvno ldap/[email protected]


HTH

bye,
Sumit

> -----------------------------------
> 
> 
> greets
> 
> Steffen
> 
> > On Mon, 2017-03-06 at 09:38 +0100, Sumit Bose wrote:
> >
> > It is in general recommended to disable reverse lookups for
> > Kerberos/GSSAPI/SASL to avoid this kind of issues. On Fedora and RHEL it
> > is disabled by default by setting:
> >
> >  rdns = false
> > You may also need to add:
> >   dns_canonicalize_hostname = false
> >
> > HTH,
> > Simo.
> >
> >> in /etc/krb5.conf and 
> >>
> >>  SASL_NOCANON    on
> >>
> >> in /etc/openldap/ldap.conf.
> >>
> >> HTH
> >>
> >> bye,
> >> Sumit
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
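The check Sumit recommends above (compare the enctypes `klist -e` reports for the TGT with what `default_tgs_enctypes` in krb5.conf permits) can be scripted. The following POSIX shell script is an added example and not code from the thread or from SSSD: it parses a constructed sample of `klist -e` output and a constructed `[libdefaults]` block (the helper names `krb5conf_enctypes`, `ccache_tgt_etypes` and `tgt_usable` are mine), so it runs offline; on a real host you would feed it `$(klist -e /tmp/krb5cc_0)` and `$(cat /etc/krb5.conf)` instead.

```shell
#!/bin/sh
# Added example: detect the mismatch behind "No credentials found with
# supported encryption types" by comparing the krbtgt enctypes in a
# credential cache (as printed by 'klist -e') against the enctypes
# krb5.conf permits for TGS requests. Inputs below are constructed samples.

# Constructed sample of 'klist -e' output (real klist indents the Etype
# line with a tab; spaces are used here and handled the same way).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/[email protected]

Valid starting       Expires              Service principal
03/06/2017 16:00:00  03/07/2017 02:00:00  krbtgt/[email protected]
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96'

# Constructed [libdefaults] mirroring the restrictive config in the thread.
SAMPLE_KRB5CONF='[libdefaults]
 default_realm = EXAMPLE.COM
 default_tgs_enctypes = des3-cbc-sha1
 default_tkt_enctypes = des3-cbc-sha1
 rdns = false'

# krb5conf_enctypes CONF KEY: print the space-separated enctype list set
# for KEY in [libdefaults]; prints nothing when the key is absent, which
# means the library default (all strong enctypes) applies.
krb5conf_enctypes() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_lib = (s == "[libdefaults]"); next }
        in_lib {
            gsub(/,/, " "); sub(/=/, " = "); $0 = $0   # normalise and re-split
            if ($1 == key && $2 == "=") {
                out = ""
                for (i = 3; i <= NF; i++) out = out (i > 3 ? " " : "") $i
                print out
            }
        }'
}

# ccache_tgt_etypes KLIST_OUTPUT: print "skey tkt" enctypes of the krbtgt
# entry, i.e. the session key and the ticket enctype of the TGT.
ccache_tgt_etypes() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { want = 1; next }
        want && /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): */, ""); gsub(/,/, ""); print; exit
        }
        { want = 0 }'
}

# tgt_usable KLIST_OUTPUT CONF: return 0 when every TGT enctype is allowed
# by default_tgs_enctypes (or no restriction is configured), 1 otherwise.
tgt_usable() {
    allowed=$(krb5conf_enctypes "$2" default_tgs_enctypes)
    have=$(ccache_tgt_etypes "$1")
    [ -z "$have" ] && { echo "no krbtgt entry in the cache; run kinit -k"; return 1; }
    [ -z "$allowed" ] && { echo "no enctype restriction; TGT ($have) usable"; return 0; }
    for e in $have; do
        case " $allowed " in
            *" $e "*) ;;
            *) echo "TGT enctype $e is not in default_tgs_enctypes ($allowed)"; return 1 ;;
        esac
    done
    echo "TGT enctypes ($have) are permitted by default_tgs_enctypes ($allowed)"
    return 0
}

# Stand-alone run: reports the mismatch for the constructed inputs.
tgt_usable "$SAMPLE_KLIST" "$SAMPLE_KRB5CONF"
```

With the sample inputs the script reports that the AES TGT is not covered by `default_tgs_enctypes = des3-cbc-sha1`; either relaxing that setting or obtaining a TGT with a permitted enctype (`kinit -k` after fixing the keytab/config) resolves the mismatch, and `KRB5_TRACE=/dev/stdout kvno ...` shows which enctypes the library actually negotiates.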