On Tue, Oct 31, 2017 at 10:57:23AM -0600, Jeff Sadowski wrote:
> (Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [ad_sasl_log]
> (0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may
> provide more information (Server not found in Kerberos database)
> (Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send]
> (0x0020): ldap_sasl_bind failed (-2)[Local error]
> (Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send]
> (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI
> Error: Unspecified GSS failure.  Minor code may provide more
> information (Server not found in Kerberos database)]

I would recommend testing with the help of ldapsearch -Y GSSAPI:
    - kinit -k 'shortname$@realm'
    - KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.dc.server -b ""
because it might be easier to take sssd out of the picture.

I would also recommend checking if the client's hostname matches how
the client is registered to AD and that all names resolve back and forth.

Finally, I would check the domain_realm mappings in krb5.conf
to make sure libkrb5 can infer the correct realm from the domain
part of the host name.
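
As an added illustration of the domain_realm check suggested above (not part of the original reply, and not sssd or libkrb5 code), this Python example parses a krb5.conf and reports which [domain_realm] entry would decide the realm for a given host name. The lookup order (the full host name, then each parent domain with and without a leading dot) is modelled on MIT krb5 and is an assumption here, as are the constructed sample configuration and host names.

```python
import re

# Constructed sample krb5.conf fragment (not taken from the thread).
SAMPLE_KRB5_CONF = """
[domain_realm]
    .example.com = EXAMPLE.COM
    .ad.example.com = AD.EXAMPLE.COM
    legacy.ad.example.com = OLD.EXAMPLE.COM
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as {key: realm}; first entry wins."""
    mappings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            # Keys are lower-cased here as a simplification.
            mappings.setdefault(key.lower(), realm)
    return mappings

def candidate_keys(hostname):
    """Keys tried in order: a.b.c, .b.c, b.c, .c, c (assumed MIT krb5 order)."""
    host = hostname.lower().rstrip(".")
    keys = [host]
    while "." in host:
        host = host.split(".", 1)[1]
        keys += ["." + host, host]
    return keys

def infer_realm(hostname, mappings):
    """Return (matching key, realm), or (None, None) if nothing maps the host."""
    for key in candidate_keys(hostname):
        if key in mappings:
            return key, mappings[key]
    return None, None

if __name__ == "__main__":
    table = parse_domain_realm(SAMPLE_KRB5_CONF)
    for name in ("dc1.ad.example.com", "legacy.ad.example.com", "host.other.org"):
        print(name, "->", infer_realm(name, table))
```

A result of (None, None) means no [domain_realm] entry covers the host, so the realm has to come from somewhere other than this section.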