<div dir="ltr">Are you able to connect without a Start TLS?<div><br></div><div>ldapsearch -x -h <a href="http://test.example.com" target="_blank">test.example.com</a> -b dc=example,dc=com -w supersecretpassphrase</div><div> <br></div><div> If that works, then you have no ldap issues, and should be able to go straight to getting sssd running with a keytab. If you want to test the keytab, you can export it to a system, and run ..</div><div><br></div><div>kinit -kt /path/to/keytab</div> <div><br></div><div>Then take a look to see if you have a ticket ...</div><div><br></div><div>klist</div><div><br></div><div>If you have a ticket, then you should be able to auth to the ldap server using SASL</div><div><br> </div><div>ldapsearch -Y GSSAPI -h <a href="http://test.example.com">test.example.com</a> blah blah blah.</div><div><br></div><div>I have IPA setup with Ubuntu 12 clients, so I'm happy to lend a hand if you need more information along the way.</div> <div><br></div><div>Terry</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Dec 3, 2013 at 2:28 PM, Andrew Precht <span dir="ltr"><<a href="mailto:andrewprecht06@gmail.com" target="_blank">andrewprecht06@gmail.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi IPA users,<div>I'm having trouble getting the FreeIPA client to work in Ubuntu 12.04. I'm working my way through the Red Hat sssd troubleshooting guide: <a href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html" target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html</a></div> <div><br></div><div>When I try a:<i> ldapsearch -x -ZZ -h <a href="http://test.example.com" target="_blank">test.example.com</a> -b dc=example,dc=com</i></div><div><br></div><div>I get: <i>ldap_start_tls: Connect error (-11)<span style="white-space:pre-wrap"> </span>additional info: (unknown error code)</i></div> <div><br></div><div>I have copied the /etc/ipa/ca.crt from the ipa server to the ubuntu client and the sssd.conf has: <i>ldap_tls_cacert = /etc/ipa/ca.crt</i></div><div><i><br></i></div><div>My syslog file has no mention of a non-trusted certificate. </div> <div><span style="line-height:18px;color:rgb(51,51,51);font-family:'liberation sans',Myriad,'Bitstream Vera Sans','Lucida Grande','Luxi Sans','Trebuchet MS',helvetica,verdana,arial,sans-serif"><br> </span></div><div><span style="line-height:18px;color:rgb(51,51,51);font-family:'liberation sans',Myriad,'Bitstream Vera Sans','Lucida Grande','Luxi Sans','Trebuchet MS',helvetica,verdana,arial,sans-serif">Any ideas on where to look next?</span></div> <div><span style="line-height:18px;color:rgb(51,51,51);font-family:'liberation sans',Myriad,'Bitstream Vera Sans','Lucida Grande','Luxi Sans','Trebuchet MS',helvetica,verdana,arial,sans-serif"><br> </span></div><div><span style="line-height:18px;color:rgb(51,51,51);font-family:'liberation sans',Myriad,'Bitstream Vera Sans','Lucida Grande','Luxi Sans','Trebuchet MS',helvetica,verdana,arial,sans-serif">Thanks Andrew Precht </span></div> </div> <br>_______________________________________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr">Terry Soucy - Systems Engineer<br> Salesforce MarketingCloud - <a href="http://www.salesforce.com" target="_blank">http://www.salesforce.com</a><br>(o) 506.631.7445 (c) 506.609.3247 | (e) <a href="mailto:tsoucy@salesforce.com" target="_blank">tsoucy@salesforce.com</a></div> </div>