On Sat, 11 Jun 2016 14:27:26 +0300, [email protected] wrote:
> Hello.
>
> I'm seeing very strange behavior with ldapsearch with GSSAPI on
> CentOS 7 and Microsoft Windows 2012R2 Read-only Domain Controller. I
> can obtain a Kerberos ticket with no errors, with my user's
> credentials, or with the machine's keytab. However, when I'm trying to
> make an LDAP request with GSSAPI bind, I'm getting an error:
>
> ldapsearch -Y GSSAPI -H ldap://dc.contoso.com/ -b "dc=contoso,dc=com" "(sAMAccountName=user)"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (A service is
> not available that is required to process the request)
>
> openldap-clients ver. 2.4.40 release 9.el7_2
>
> Here's the -d1 output:
>
> ldap_url_parse_ext(ldap://dc.contoso.com/)
> ldap_create
> ldap_url_parse_ext(ldap://dc.contoso.com:389/??base)
> ldap_sasl_interactive_bind: user selected: GSSAPI
> ldap_int_sasl_bind: GSSAPI
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP dc.contoso.com:389
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 192.168.0.100:389
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> attempting to connect:
> connect success
> ldap_int_sasl_open: host=dc.contoso.com
> SASL/GSSAPI authentication started
> ldap_msgfree
> ldap_err2string
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (A service is
> not available that is required to process the request)
> ldap_free_connection 1 1
> ldap_send_unbind
> ber_flush2: 7 bytes to sd 3
> ldap_free_connection: actually freed
>
> This problem does not appear with regular DC servers. I can bind and
> search to them with no errors.
>
> How can I debug this problem?

host principal? service principal? path to keytab?

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
