Am Sat, 11 Jun 2016 14:27:26 +0300
schrieb l@avc.su:Hello.
I'm seeing very strange behavior with ldapsearch with GSSAPI on
CentOS 7 and Microsoft Windows 2012R2 Read-only Domain Controller. I
can obtain Kerberos ticket with no errors, with my user's
credentials, or with machine's keytab. However, when I'm trying to
make LDAP request with GSSAPI bind, i'm getting an error:
ldapsearch -Y GSSAPI -H ldap://dc.contoso.com/ -b "dc=contoso,dc=com"
"(sAMAccountName=user)" SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure. Minor code may provide more information (A service is
not available that is required to process the request)
openldap-clients ver. 2.4.40 release 9.el7_2
Here's the -d1 output:
ldap_url_parse_ext(ldap://dc.contoso.com/)
ldap_create
ldap_url_parse_ext(ldap://dc.contoso.com:389/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP dc.contoso.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.100:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_int_sasl_open: host=dc.contoso.com
SASL/GSSAPI authentication started
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
GSS failure. Minor code may provide more information (A service is
not available that is required to process the request)
ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
This problem does not appear with regular DC servers. I can bind and
search to them with no errors.
How can I debug this problem?--
host principal? service principal? path to keytab?
-Dieter
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E