В Fri, 25 Jun 2010 17:54:33 +0200
Sumit Bose <sbose(a)redhat.com> пишет:
On Fri, Jun 25, 2010 at 03:20:24PM +0400, Alexander Gordeev wrote:
> On Fri, 25 Jun 2010 13:10:52 +0200
> Sumit Bose <sbose(a)redhat.com> wrote:
>
> > On Fri, Jun 25, 2010 at 02:35:19PM +0400, Alexander Gordeev wrote:
> > > On Fri, 25 Jun 2010 11:25:22 +0200
> > > Sumit Bose <sbose(a)redhat.com> wrote:
> > >
> > > > On Fri, Jun 25, 2010 at 12:55:02PM +0400, Alexander Gordeev wrote:
> > > > >
> > > > > Sorry, I didn't tell you that this log was from another
machine, with
> > > > > it's own key, and therefore I changed ldap_sasl_authid
appropriately.
> > > > > On desktopvm everything is the same i.e. auth fails in the same
way.
> > > > >
> > > > > Seems I'll have to dive into debugging SASL... But maybe you
have some
> > > > > hints for me? :)
> > > > >
> > > > >
> > > > > --
> > > > > Alexander
> > > >
> > > > If
> > > >
> > > > kinit -k -t /etc/krb5.keytab && ldapsearch
> > > >
> > > > works on desktopvm you can try with the credentail cache of sssd
> > > > /var/lib/sss/db/ccache_GNET (please check if the TGT is still valid
> > > > before you use it):
> > > >
> > > > KRB5CCNAME=/var/lib/sss/db/ccache_GNET ldapsearch
> > > >
> > > > should work
> > >
> > > Thanks!
> > > It works.
> >
> > ok, you mean
> >
> > KRB5CCNAME=/var/lib/sss/db/ccache_GNET ldapsearch
> >
> > works, but sssd doesn't, right ?
>
> Yes, exactly. :)
> Sorry for ambiguous statements.
>
> > Please make sure to remove any other ccache file before calling
> > ldapsearch with sssd's ccache file. I'm not sure how clever the
> > underlying libraries try to be to find a valid TGT. Calling kdestroy
> > before the ldapsearch should be sufficient.
>
> All the caches were cleaned before the test. But from my experience the
> underlying libraries don't try to fallback to other caches.
>
> > > > If this work, then I think sssd does something wrong. If it does not
> > > > work, please compare the content of the ccache you get with
'kinit -k -t
> > > > /etc/krb5.keytab' with /var/lib/sss/db/ccache_GNET.
can you check if the attached patch will fix your problem?
Yes, it does! Now it binds ok and gets user and group info!
Thanks a lot!
Now I'll test it thoroughly and will return back if I find any more
bugs. :)
Kudos to all you guys for a very good and unique work!
--
Alexander