On Mon, Mar 06, 2017 at 04:28:04PM +0100, knauf(a)patronas.com wrote:
Hello,
thanks for your response, but i get the same error.......
/etc/openldap/ldap.conf:
-----------------------------------
TLS_CACERT PATH
URI ldap://NAT_IP
BASE ou=ldap,dc=patronas,dc=de
TLS_REQCERT allow
SASL_MECH GSSAPI
SASL_NOCANON on
-----------------------------------
relevant part of /etc/krb5.conf
-----------------------------------
[libdefaults]
dns_canonicalize_hostname = false
rdns = false
forwardable = true
default_realm = PATRONAS.DE
default_etypes = des3-cbc-sha1
default_etypes_des = des-cbc-crc
default_tgs_enctypes = des3-cbc-sha1
default_tkt_enctypes = des3-cbc-sha1
dns_lookup_realm = false
dns_lookup_kdc = false
-----------------------------------
ldapsearch fails, too.
The debug Output of ldapsearch:
-----------------------------------
ldap_create
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP NAT_IP:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying NAT_IP:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_int_sasl_open: host=NAT_IP
SASL/GSSAPI authentication started
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (No
credentials found with supported encryption types (filename: /tmp/krb5cc_0))
But now there is a different error than the original 'Server not found
in Kerberos database'.
Your krb5.conf only allows des3-cbc-sha1. Is there a reason for this?
Please check with 'klist -e /tmp/krb5cc_0' if the credential cache has
des3-cdc-sha1 keys or not.
You can simulate the Kerberos steps SSSD does by calling:
kinit -k
and
kvno ldap/REAL_HOSTNAME(a)KERBEROS.REALM
To get more details you can use
KRB5_TRACE=/dev/stdout kvno ldap/REAL_HOSTNAME(a)KERBEROS.REALM
HTH
bye,
Sumit
> -----------------------------------
>
>
> greets
>
> Steffen
>
> > On Mon, 2017-03-06 at 09:38 +0100, Sumit Bose wrote:
> >
> > It is in general recommended to disable reverse lookups for
> > Kerberos/GSSAPI/SASL to avoid this kind of issues. On Fedora and RHEL it
> > is disabled by default by setting:
> >
> > rdns = false
> > You may also need to add:
> > dns_canonicalize_hostname = false
> >
> > HTH,
> > Simo.
> >
> >> in /etc/krb5.conf and
> >>
> >> SASL_NOCANON on
> >>
> >> in /etc/openldap/ldap.conf.
> >>
> >> HTH
> >>
> >> bye,
> >> Sumit
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org