Hi Dieter.
 
I've tried performing this search from CentOS6 machine, with my own UPN, with machine UPN, and it were successful. Accessing SPN ldap/dc.contoso.com@CONTOSO.COM
Keytab is located in /etc/krb5.keytab, owned by root, access mode 0600. 
 
Dumped traffic from the problem server. On myTGS-REQ, DC responds with 'krb5kdc_err_svc_unavailable' packet.
 
 
12.06.2016, 10:41, "Dieter Klünter" <dieter@dkluenter.de>:

Am Sat, 11 Jun 2016 14:27:26 +0300
schrieb l@avc.su:

 Hello.
  
 I'm seeing very strange behavior with ldapsearch with GSSAPI on
 CentOS 7 and Microsoft Windows 2012R2 Read-only Domain Controller. I
 can obtain Kerberos ticket with no errors, with my user's
 credentials, or with machine's keytab. However, when I'm trying to
 make LDAP request with GSSAPI bind, i'm getting an error:

 ldapsearch -Y GSSAPI -H ldap://dc.contoso.com/ -b "dc=contoso,dc=com"
 "(sAMAccountName=user)" SASL/GSSAPI authentication started
 ldap_sasl_interactive_bind_s: Local error (-2)
 additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
 GSS failure. Minor code may provide more information (A service is
 not available that is required to process the request)

 openldap-clients ver. 2.4.40 release 9.el7_2

  

 Here's the -d1 output:

 ldap_url_parse_ext(ldap://dc.contoso.com/)
 ldap_create
 ldap_url_parse_ext(ldap://dc.contoso.com:389/??base)
 ldap_sasl_interactive_bind: user selected: GSSAPI
 ldap_int_sasl_bind: GSSAPI
 ldap_new_connection 1 1 0
 ldap_int_open_connection
 ldap_connect_to_host: TCP dc.contoso.com:389
 ldap_new_socket: 3
 ldap_prepare_socket: 3
 ldap_connect_to_host: Trying 192.168.0.100:389
 ldap_pvt_connect: fd: 3 tm: -1 async: 0
 attempting to connect:
 connect success
 ldap_int_sasl_open: host=dc.contoso.com
 SASL/GSSAPI authentication started
 ldap_msgfree
 ldap_err2string
 ldap_sasl_interactive_bind_s: Local error (-2)
 additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
 GSS failure. Minor code may provide more information (A service is
 not available that is required to process the request)
 ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 3
 ldap_free_connection: actually freed

  

 This problem does not appear with regular DC servers. I can bind and
 search to them with no errors.

 How can I debug this problem?


host principal? service principal? path to keytab?

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E