Hello,

I have a demo setup with slapd on Debian Stable, and a while back
followed Debian's switch to Buster, with slapd 2.4.47.  Since about that
time, slapd stopped recognising its SASL realm.

This is in a dev/demo/test environment in Docker, so naming is a bit
silly, but that always worked.  Config and such are shown at
https://github.com/arpa2/docker-demo/tree/master/demo-reservoir


Using "ldapsearch -Y GSSAPI -H ldap://reservoir.arpa2:1388 -b
ou=Reservoir,o=arpa2.net,ou=InternetWide" gives the message

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No key table entry found matching ldap/reservoir.arpa2@)

**In this output, note the lacking realm after the @.**  This appears to
be a server-side issue, because the client had the realm in the klist
output and that name is present in the keytab:

02/29/20 11:54:53  02/29/20 21:47:26  ldap/[email protected]
        renew until 03/01/20 11:47:22

The configuration of the server in /etc/ldap/slapd.conf still says:

sasl-host reservoir.arpa2
sasl-realm ARPA2.NET

FWIW, slapd runs as

/usr/sbin/slapd -d any -h "ldapi://%2ftmp%2fldap-socket ldap://:1388/";


Have I missed changes to slapd?  Are there log messages that I
overlooked (or should have selected for)?


Thanks!
 -Rick
