On 06/11/2016 01:27 PM, l@avc.su wrote:
Hello.
I'm seeing very strange behavior with ldapsearch with GSSAPI on CentOS 7 and a Microsoft Windows 2012R2 Read-only Domain Controller. I can obtain a Kerberos ticket with no errors, with my user's credentials or with the machine's keytab.
However, when I'm trying to make an LDAP request with GSSAPI bind, I'm getting an error:
ldapsearch -Y GSSAPI -H ldap://dc.contoso.com/ -b "dc=contoso,dc=com" "(sAMAccountName=user)"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (A service is not available that is required to process the request)
openldap-clients ver. 2.4.40 release 9.el7_2
Here's the -d1 output:
ldap_url_parse_ext(ldap://dc.contoso.com/)
ldap_create
ldap_url_parse_ext(ldap://dc.contoso.com:389/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP dc.contoso.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.0.100:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_int_sasl_open: host=dc.contoso.com
SASL/GSSAPI authentication started
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (A service is not available that is required to process the request)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
This problem does not appear with regular DC servers. I can bind to them and search with no errors.
How can I debug this problem?
Hi,
Maybe you can turn on Kerberos tracing and repeat the failing ldapsearch from CentOS7 and send us the output?
I.e.:
KRB5_TRACE=/dev/stdout ldapsearch -Y GSSAPI -H ldap://dc.contoso.com/ -b "dc=contoso,dc=com" "(sAMAccountName=user)"
Cheers,
Mark
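The tracing step Mark suggests, wrapped so that the KRB5_TRACE output and ldapsearch's own stderr land in separate files and the GSSAPI minor-status text (the parenthesised part of the error shown above) is pulled out for a one-line summary. This is an added example, not code from the thread or from OpenLDAP; the function names `run_traced`, `gss_minor_text` and `diagnose_bind` are hypothetical, and the script assumes only a POSIX shell, `sed` and `tail`.

```shell
#!/bin/sh
# Added example (not from the thread): capture a Kerberos trace next to the
# command's stderr, then summarise the GSSAPI failure text from the stderr.

# run_traced TRACEFILE ERRFILE CMD [ARGS...]
# Runs CMD with KRB5_TRACE pointing at TRACEFILE and stderr redirected to
# ERRFILE. Returns CMD's exit status unchanged.
run_traced() {
    trace="$1"; err="$2"; shift 2
    KRB5_TRACE="$trace" "$@" 2>"$err"
}

# gss_minor_text FILE
# Prints the parenthesised minor-status text from the first line of FILE that
# contains "GSSAPI Error:", e.g. "A service is not available that is required
# to process the request" from the error quoted in the thread.
gss_minor_text() {
    sed -n 's/.*GSSAPI Error:.*(\(.*\)).*/\1/p' "$1" | head -n 1
}

# diagnose_bind TRACEFILE ERRFILE CMD [ARGS...]
# Runs CMD under tracing; on failure prints the minor-status summary and the
# last trace lines written before the failure, so the failing Kerberos step
# (ticket lookup, KDC exchange, ...) is visible next to the SASL error.
diagnose_bind() {
    trace="$1"; err="$2"; shift 2
    run_traced "$trace" "$err" "$@"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "bind succeeded; trace kept in $trace"
    else
        echo "bind failed (exit $rc): $(gss_minor_text "$err")"
        echo "--- last trace lines before the failure ($trace) ---"
        tail -n 10 "$trace"
    fi
    return "$rc"
}

# Usage against the thread's command (hypothetical paths):
#   diagnose_bind /tmp/krb5.trace /tmp/ldapsearch.err \
#       ldapsearch -Y GSSAPI -H ldap://dc.contoso.com/ \
#       -b "dc=contoso,dc=com" "(sAMAccountName=user)"
```

Keeping the trace in its own file matters because ldapsearch -d1 and KRB5_TRACE both write to stderr when pointed at /dev/stdout or /dev/stderr, which interleaves the two and makes the last Kerberos step before the SASL error hard to spot.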