[Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Localerror]'

Matrix matrix.zj at qq.com
Thu Nov 10 09:22:26 UTC 2016 

debug steps have been tried: 

1 kinit is workable: 
# /usr/kerberos/bin/kinit -k host/client02.stg.example.net at EXAMPLE.NET

# /usr/kerberos/bin/klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/client02.stg.example.net at EXAMPLE.NET

Valid starting     Expires            Service principal
11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/EXAMPLE.NET at EXAMPLE.NET

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

2 ldapwhoami with krb auth failed. 

# ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Mutual authentication failed)


Matrix

------------------ Original ------------------
From:  "Matrix";<matrix.zj at qq.com>;
Date:  Thu, Nov 10, 2016 02:11 PM
To:  "freeipa-users"<freeipa-users at redhat.com>; 

Subject:  [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Localerror]'



Hi, 

I have installed sssd in a RHEL5 client. 

ipa-client/sssd version:
ipa-client-2.1.3-7.el5
sssd-client-1.5.1-71.el5
sssd-1.5.1-71.el5

sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local error]'. 

(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1): ldap_sasl_bind failed (-2)[Local error]
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (7): Waiting for child [11117].
(Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (4): child [11117] finished successfully.

I have tried to google to find root cause. some link explained it should be something wrong with dns. I have double confirmed it. 

# nslookup client02.stg.example.net
Server:         10.2.1.21
Address:        10.2.1.21#53

Name:   client02.stg.example.net
Address: 10.2.3.32


# nslookup 10.2.3.32
Server:         10.2.1.21
Address:        10.2.1.21#53

32.3.2.10.in-addr.arpa  name = client02.stg.example.net.


# nslookup ipaslave.stg.example.net
Server:         10.2.1.21
Address:        10.2.1.21#53

Name:   ipaslave.stg.example.net
Address: 10.2.1.250

# nslookup 10.2.1.250
Server:         10.2.1.21
Address:        10.2.1.21#53

250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.

Any hints or troubleshooting ideas would be appreciated. 

Matrix
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20161110/90ed8e99/attachment.htm>

More information about the Freeipa-users mailing list