Hi Sumit,
Thanks for your reply.
I have tried it; it still fails.
# cat /etc/openldap/ldap.conf | grep -v ^#
URI ldap://ipaslave.stg.example.net
BASE dc=example,dc=net
TLS_CACERT /etc/ipa/ca.crt
SASL_MECH GSSAPI
TLS_REQCERT allow
SASL_NOCANON on
# cat /etc/krb5.conf| grep rdns
rdns = false
Matrix
------------------ Original ------------------
From: "Sumit Bose";<sb...@redhat.com>;
Date: Thu, Nov 10, 2016 06:32 PM
To: "freeipa-users"<freeipa-users@redhat.com>;
Subject: Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Local error]'
On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> debug steps have been tried:
>
> 1 kinit is workable:
> # /usr/kerberos/bin/kinit -k host/client02.stg.example....@example.net
>
> # /usr/kerberos/bin/klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/client02.stg.example....@example.net
>
> Valid starting Expires Service principal
> 11/10/16 09:18:00 11/11/16 09:17:35 krbtgt/example....@example.net
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> 2 ldapwhoami with krb auth failed.
>
> # ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (Mutual authentication
> failed)
>
Have you made sure that canonicalization is disabled, i.e.
/etc/krb5.conf:
[libdefaults]
...
rdns = false
...
/etc/openldap/ldap.conf
...
SASL_NOCANON on
...
HTH
bye,
Sumit
>
> Matrix
>
> ------------------ Original ------------------
> From: "Matrix";<matrix...@qq.com>;
> Date: Thu, Nov 10, 2016 02:11 PM
> To: "freeipa-users"<freeipa-users@redhat.com>;
>
> Subject: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Local error]'
>
>
>
> Hi,
>
> I have installed sssd in a RHEL5 client.
>
> ipa-client/sssd version:
> ipa-client-2.1.3-7.el5
> sssd-client-1.5.1-71.el5
> sssd-1.5.1-71.el5
>
> sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local
> error]'.
>
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4):
> Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1):
> ldap_sasl_bind failed (-2)[Local error]
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler]
> (7): Waiting for child [11117].
> (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler]
> (4): child [11117] finished successfully.
>
> I have tried to google for the root cause. Some links explained that it should be
> something wrong with DNS. I have double-checked it.
>
> # nslookup client02.stg.example.net
> Server: 10.2.1.21
> Address: 10.2.1.21#53
>
> Name: client02.stg.example.net
> Address: 10.2.3.32
>
>
> # nslookup 10.2.3.32
> Server: 10.2.1.21
> Address: 10.2.1.21#53
>
> 32.3.2.10.in-addr.arpa name = client02.stg.example.net.
>
>
> # nslookup ipaslave.stg.example.net
> Server: 10.2.1.21
> Address: 10.2.1.21#53
>
> Name: ipaslave.stg.example.net
> Address: 10.2.1.250
>
> # nslookup 10.2.1.250
> Server: 10.2.1.21
> Address: 10.2.1.21#53
>
> 250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.
>
> Any hints or troubleshooting ideas would be appreciated.
>
> Matrix
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
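As an added illustration, not code from the thread or from FreeIPA/SSSD, here is a small Python checker that reads krb5.conf and ldap.conf text and reports whether the two settings Sumit points to (rdns in [libdefaults] and SASL_NOCANON) still let the client rewrite the server name before the GSSAPI bind; it also derives the ldap/ service principal the client will request for the configured URI. The sample configs are constructed to mirror the thread and the helper names are mine.

```python
import re
from urllib.parse import urlparse
# Constructed sample configs mirroring the thread (not read from disk).
KRB5_CONF = """[libdefaults]
 default_realm = EXAMPLE.NET
 rdns = false
"""
LDAP_CONF = """# OpenLDAP client defaults
URI ldap://ipaslave.stg.example.net
SASL_MECH GSSAPI
SASL_NOCANON on
"""
KRB5_FALSE = {"false", "no", "n", "0", "off", "nil"}   # krb5 profile "false" spellings
LDAP_ON = {"on", "true", "yes"}                          # ldap.conf(5) boolean "on" spellings

def krb5_setting(text, section, key):
    """Value of key in [section] of krb5.conf-style text, or None if absent."""
    current = None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop comments
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"(\w+)\s*=\s*(.+)$", line)
        if m and current == section and m.group(1) == key:
            return m.group(2).strip()
    return None

def ldap_setting(text, key):
    """Value of an ldap.conf directive (directive names are case-insensitive), or None."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].upper() == key.upper():
            return parts[1].strip()
    return None

def expected_service_principal(ldap_text, realm):
    """Principal the client asks the KDC for when no canonicalization is applied."""
    host = urlparse(ldap_setting(ldap_text, "URI").split()[0]).hostname
    return f"ldap/{host}@{realm}"

def canonicalization_findings(krb5_text, ldap_text):
    """List the settings from the thread that still allow the server name to be rewritten."""
    findings = []
    rdns = (krb5_setting(krb5_text, "libdefaults", "rdns") or "true").lower()
    if rdns not in KRB5_FALSE:
        findings.append("krb5.conf: rdns defaults to true; reverse DNS may rewrite the service host")
    nocanon = (ldap_setting(ldap_text, "SASL_NOCANON") or "off").lower()
    if nocanon not in LDAP_ON:
        findings.append("ldap.conf: SASL_NOCANON is off; libldap may canonicalize the URI host")
    return findings
```

An empty findings list means both knobs are set as in the thread, so the name in the URI is the one that ends up in the ldap/ principal and must match a principal the IPA server actually holds.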