On Tue, Oct 31, 2017 at 10:57:23AM -0600, Jeff Sadowski wrote:
> (Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [ad_sasl_log]
> (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may
> provide more information (Server not found in Kerberos database)
> (Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send]
> (0x0020): ldap_sasl_bind failed (-2)[Local error]
> (Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [sasl_bind_send]
> (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI
> Error: Unspecified GSS failure. Minor code may provide more
> information (Server not found in Kerberos database)]

I would recommend trying to test with the help of ldapsearch -Y GSSAPI:
- kinit -k 'shortname$@realm'
- KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.dc.server -b ""
because it might be easier to take sssd out of the picture.
I would also recommend checking that the client's hostname matches how
the client is registered in AD and that all names resolve back and forth.
Finally, I would check the domain_realm mappings in krb5.conf
to make sure libkrb5 can infer the correct realm from the domain
part of the host name.
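As an added example that is not part of the thread above: a small POSIX sh helper that shows which realm libkrb5 would infer for a DC host name from the [domain_realm] section of krb5.conf, and therefore which ldap/ service principal the client ends up requesting from AD. Checking that mapping is the last step the reply suggests, and a wrong realm on the client side is one way to end up asking for a principal the KDC does not know. The krb5.conf contents and host names are constructed sample values; the matching rule implemented (exact host first, then parent domains written with a leading dot, longest first, then default_realm) follows the documented krb5.conf semantics and deliberately leaves out the DNS-based realm lookup fallback.

```shell
#!/bin/sh
# Added example, not code from the original thread. Emulates the
# [domain_realm] lookup libkrb5 performs for a host so the mapping can be
# checked before running kinit/ldapsearch. Assumptions: the krb5.conf
# below and all host names are constructed sample values; DNS-based realm
# lookup is not modelled.

# Write a constructed krb5.conf to the path given as $1.
write_sample_krb5conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    .corp.example.com = CORP.EXAMPLE.COM
    legacy-dc.corp.example.com = LEGACY.EXAMPLE.COM
EOF
}

# Print "key<TAB>value" for every entry of [domain_realm] in file $1,
# with keys lower-cased (libkrb5 compares host names case-insensitively).
domain_realm_entries() {
    awk '
        /^[[:space:]]*\[/ { in_sec = ($0 ~ /^[[:space:]]*\[domain_realm\]/); next }
        in_sec && /=/ {
            split($0, kv, /[[:space:]]*=[[:space:]]*/)
            key = kv[1]; sub(/^[[:space:]]+/, "", key)
            val = kv[2]; sub(/[[:space:]]+$/, "", val)
            print tolower(key) "\t" val
        }' "$1"
}

# Print the realm libkrb5 would pick for host $1 using krb5.conf $2.
infer_realm() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    entries=$(domain_realm_entries "$2")

    # 1. Exact host name entry (no leading dot).
    realm=$(printf '%s\n' "$entries" | awk -F'\t' -v h="$host" '$1 == h { print $2; exit }')
    if [ -n "$realm" ]; then printf '%s\n' "$realm"; return 0; fi

    # 2. Parent domains, longest first, each written with a leading dot.
    rest=$host
    while [ "${rest#*.}" != "$rest" ]; do
        rest=${rest#*.}
        realm=$(printf '%s\n' "$entries" | awk -F'\t' -v d=".$rest" '$1 == d { print $2; exit }')
        if [ -n "$realm" ]; then printf '%s\n' "$realm"; return 0; fi
    done

    # 3. Nothing matched: fall back to default_realm from [libdefaults].
    awk '
        /^[[:space:]]*\[/ { in_sec = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        in_sec && /default_realm/ {
            split($0, kv, /[[:space:]]*=[[:space:]]*/)
            v = kv[2]; sub(/[[:space:]]+$/, "", v); print v; exit
        }' "$2"
}

# Print the LDAP service principal the client will ask the KDC for when it
# binds to DC $1 with GSSAPI, given krb5.conf $2.
expected_ldap_principal() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf 'ldap/%s@%s\n' "$host" "$(infer_realm "$host" "$2")"
}

# Stand-alone demo over the constructed config.
demo() {
    conf=$(mktemp)
    write_sample_krb5conf "$conf"
    for dc in dc01.corp.example.com legacy-dc.corp.example.com dc.example.com other.example.net; do
        printf '%-28s -> %s\n' "$dc" "$(expected_ldap_principal "$dc" "$conf")"
    done
    rm -f "$conf"
}
demo
```

Run it against the real /etc/krb5.conf by replacing the path in demo; if the printed principal does not carry the realm the DC actually lives in, the fix belongs in [domain_realm] rather than in sssd.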