On (15/06/17 10:48), Jakub Hrozek wrote:
>On Thu, Jun 15, 2017 at 08:35:59AM -0000, Rishat Teregulov wrote:
>> All logs too big
>> https://contattafiles.s3-us-west-1.amazonaws.com/tnt3511/wqtpj4q4fAwIX3p/sssd.logs
>
>I see:
>(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [ad_sasl_log]
>(0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may
>provide more information (Server not found in Kerberos database)
>(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]]
>[sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
>(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]]
>[sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic
>failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide
>more information (Server not found in Kerberos database)]
>(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]]
>[child_sig_handler] (0x1000): Waiting for child [18783].
>(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]]
>[child_sig_handler] (0x0100): child [18783] finished successfully.
>(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]]
>[_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING.
>Called from: ../src/providers/ldap/sdap_async_connection.c:
>sdap_cli_connect_recv: 2039
>
>On older distributions, it used to help to set rdns=false in krb5.conf
>and SASL_NOCANON on in ldap.conf. But it might be helpful to run kinit
>-kt && ldapsearch -Y GSSAPI with KRB5_TRACE=/dev/stderr to check for
>more diagnostic messages.
>

I am not sure whether it is possible with a newer version.
Maybe the simplest way for Rishat would be to disable SASL (ldap_sasl_mech).
But I am not sure whether it is possible with the AD provider.

It should be possible with id_provider ldap + auth_provider krb5.

LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
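
An added example, not part of the original messages: a small Python triage helper that re-joins the mail-wrapped SSSD backend log lines quoted above and reports, per domain, whether the GSSAPI "Server not found in Kerberos database" error, a failed SASL bind and a PORT_NOT_WORKING status appear. The function names and the log-header regular expression are assumptions derived only from the lines shown in this thread.

```python
import re

# Excerpt of the log lines quoted in the thread, keeping the e-mail line wrapping.
SAMPLE = """\
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [ad_sasl_log]
(0x0040): SASL: GSSAPI Error: Unspecified GSS failure.  Minor code may
provide more information (Server not found in Kerberos database)
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]]
[sasl_bind_send] (0x0020): ldap_sasl_bind failed (-2)[Local error]
(Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]]
[_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING.
Called from: ../src/providers/ldap/sdap_async_connection.c:
sdap_cli_connect_recv: 2039
"""

START = re.compile(r"^\(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}\) \[sssd")
RECORD = re.compile(  # assumed layout: (time) [sssd[be[DOMAIN]]] [function] (level): message
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$"
)

def parse_records(text):
    """Re-join wrapped lines into one dict per SSSD backend debug message."""
    chunks = []
    for line in text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail quoting
        if not line:
            continue
        if START.match(line) or not chunks:
            chunks.append(line)           # a timestamp opens a new record
        else:
            chunks[-1] += " " + line      # anything else continues the last one
    matches = (RECORD.match(" ".join(c.split())) for c in chunks)
    return [m.groupdict() for m in matches if m]

def triage(text):
    """Per domain: count GSSAPI SPN lookup errors, note bind failure and port status."""
    out = {}
    for r in parse_records(text):
        d = out.setdefault(r["domain"], {"gss_server_not_found": 0,
                                         "sasl_bind_failed": False, "port_not_working": False})
        if "Server not found in Kerberos database" in r["msg"]:
            d["gss_server_not_found"] += 1
        if r["func"] == "sasl_bind_send" and "ldap_sasl_bind failed" in r["msg"]:
            d["sasl_bind_failed"] = True
        if r["func"] == "_be_fo_set_port_status" and "PORT_NOT_WORKING" in r["msg"]:
            d["port_not_working"] = True
    return out
```

Calling `triage(SAMPLE)` returns one entry for `AD.DOMAIN.EXAMPLE` with all three indicators set; only backend (`sssd[be[...]]`) lines are parsed, other SSSD processes are skipped.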