[Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Local error]'

Sumit Bose sbose at redhat.com
Thu Nov 17 14:09:19 UTC 2016


On Thu, Nov 10, 2016 at 07:19:09PM +0800, Matrix wrote:
> Hi, Sumit
> 
> I have checked, and did not find anything more:
> 
> error logs from /var/log/dirsrv/slapd-EXAMPLE-NET/access: 
> .......
> [10/Nov/2016:10:46:58 +0000] conn=816560 fd=189 slot=189 connection from 10.2.3.32 to 10.2.1.250
> [10/Nov/2016:10:46:58 +0000] conn=816560 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [10/Nov/2016:10:46:58 +0000] conn=816560 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [10/Nov/2016:10:46:58 +0000] conn=816560 op=-1 fd=189 closed - B1

Sorry, I still have no idea, maybe running ldapwhoami with '-d -1' might
help to identify which step is failing.

bye,
Sumit

> 
> .......
> 
> Matrix
> 
> 
> ------------------ Original ------------------
> From:  "Sumit Bose";<sbose at redhat.com>;
> Date:  Thu, Nov 10, 2016 07:13 PM
> To:  "Matrix"<matrix.zj at qq.com>; 
> Cc:  "Sumit Bose"<sbose at redhat.com>; "freeipa-users"<freeipa-users at redhat.com>; 
> Subject:  Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Local error]'
> 
> 
> 
> On Thu, Nov 10, 2016 at 06:48:54PM +0800, Matrix wrote:
> > Hi, Sumit
> > 
> > Thanks for your reply
> > 
> > I have tried. still failed
> 
> Do you see any related messages on the LDAP server side?
> 
> bye,
> Sumit
> 
> > 
> > # cat /etc/openldap/ldap.conf  | grep -v ^#
> > 
> > URI ldap://ipaslave.stg.example.net
> > BASE dc=example,dc=net
> > TLS_CACERT /etc/ipa/ca.crt
> > SASL_MECH GSSAPI
> > TLS_REQCERT allow
> > SASL_NOCANON on
> > 
> > 
> > # cat /etc/krb5.conf| grep rdns
> >   rdns = false
> > 
> > Matrix
> > 
> > ------------------ Original ------------------
> > From:  "Sumit Bose";<sbose at redhat.com>;
> > Date:  Thu, Nov 10, 2016 06:32 PM
> > To:  "freeipa-users"<freeipa-users at redhat.com>; 
> > 
> > Subject:  Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Local error]'
> > 
> > 
> > 
> > On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> > > debug steps have been tried: 
> > > 
> > > 1 kinit is workable: 
> > > # /usr/kerberos/bin/kinit -k host/client02.stg.example.net at EXAMPLE.NET
> > > 
> > > # /usr/kerberos/bin/klist
> > > Ticket cache: FILE:/tmp/krb5cc_0
> > > Default principal: host/client02.stg.example.net at EXAMPLE.NET
> > > 
> > > Valid starting     Expires            Service principal
> > > 11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > > 
> > > Kerberos 4 ticket cache: /tmp/tkt0
> > > klist: You have no tickets cached
> > > 
> > > 2 ldapwhoami with krb auth failed. 
> > > 
> > > # ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
> > > SASL/GSSAPI authentication started
> > > ldap_sasl_interactive_bind_s: Local error (-2)
> > >         additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Mutual authentication failed)
> > > 
> > 
> > Have you made sure that canonicalizing is disabled, i.e.
> > /etc/krb5.conf: 
> > [libdefaults]
> >  ...
> >  rdns = false
> >  ...
> > 
> > /etc/openldap/ldap.conf
> > ...
> > SASL_NOCANON    on
> > ...
> > 
> > HTH
> > 
> > bye,
> > Sumit
> > 
> > > 
> > > Matrix
> > > 
> > > ------------------ Original ------------------
> > > From:  "Matrix";<matrix.zj at qq.com>;
> > > Date:  Thu, Nov 10, 2016 02:11 PM
> > > To:  "freeipa-users"<freeipa-users at redhat.com>; 
> > > 
> > > Subject:  [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Local error]'
> > > 
> > > 
> > > 
> > > Hi, 
> > > 
> > > I have installed sssd in a RHEL5 client. 
> > > 
> > > ipa-client/sssd version:
> > > ipa-client-2.1.3-7.el5
> > > sssd-client-1.5.1-71.el5
> > > sssd-1.5.1-71.el5
> > > 
> > > sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local error]'. 
> > > 
> > > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
> > > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1): ldap_sasl_bind failed (-2)[Local error]
> > > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (7): Waiting for child [11117].
> > > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (4): child [11117] finished successfully.
> > > 
> > > I have tried to google for the root cause. Some links explained that it should be something wrong with DNS. I have double-confirmed it.
> > > 
> > > # nslookup client02.stg.example.net
> > > Server:         10.2.1.21
> > > Address:        10.2.1.21#53
> > > 
> > > Name:   client02.stg.example.net
> > > Address: 10.2.3.32
> > > 
> > > 
> > > # nslookup 10.2.3.32
> > > Server:         10.2.1.21
> > > Address:        10.2.1.21#53
> > > 
> > > 32.3.2.10.in-addr.arpa  name = client02.stg.example.net.
> > > 
> > > 
> > > # nslookup ipaslave.stg.example.net
> > > Server:         10.2.1.21
> > > Address:        10.2.1.21#53
> > > 
> > > Name:   ipaslave.stg.example.net
> > > Address: 10.2.1.250
> > > 
> > > # nslookup 10.2.1.250
> > > Server:         10.2.1.21
> > > Address:        10.2.1.21#53
> > > 
> > > 250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.
> > > 
> > > Any hints or troubleshooting ideas would be appreciated. 
> > > 
> > > Matrix
> > 
> > > -- 
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
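As an added example, not code posted by anyone in this thread: a POSIX shell check for the two canonicalization settings Sumit asks about (rdns = false in the [libdefaults] section of /etc/krb5.conf, SASL_NOCANON on in /etc/openldap/ldap.conf), plus the ldapwhoami -d -1 next step from his last reply. The config file contents, the temporary WORKDIR and the LDAP_HOST variable are constructed or assumed here so the script runs offline; ipaslave.stg.example.net is the server named in the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from any of its participants.
# Checks a client for the two canonicalization settings discussed:
#   /etc/krb5.conf           [libdefaults]  rdns = false
#   /etc/openldap/ldap.conf  SASL_NOCANON on
# The config files below are constructed here so the script runs offline;
# on a real host call: canon_check /etc/krb5.conf /etc/openldap/ldap.conf

# 0 if the [libdefaults] section of FILE contains "rdns = false".
# An rdns line in any other section, or commented out, does not count.
krb5_rdns_disabled() {
    awk '
        /^[[:space:]]*\[/ { in_libdefaults = ($0 ~ /^[[:space:]]*\[libdefaults\][[:space:]]*$/); next }
        in_libdefaults && /^[[:space:]]*rdns[[:space:]]*=[[:space:]]*false[[:space:]]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# 0 if FILE has an uncommented "SASL_NOCANON on" line.
# ldap.conf keywords are case-insensitive, hence grep -i.
ldap_sasl_nocanon_on() {
    grep -Eiq '^[[:space:]]*SASL_NOCANON[[:space:]]+on[[:space:]]*$' "$1"
}

# One verdict line per setting; returns 0 only when both are in place.
# LDAP_HOST is an assumed variable; it defaults to the server from the thread.
canon_check() {
    krb5="$1"; ldapconf="$2"; rc=0
    if krb5_rdns_disabled "$krb5"; then
        echo "OK   $krb5: rdns = false in [libdefaults]"
    else
        echo "MISS $krb5: add 'rdns = false' under [libdefaults]"
        rc=1
    fi
    if ldap_sasl_nocanon_on "$ldapconf"; then
        echo "OK   $ldapconf: SASL_NOCANON on"
    else
        echo "MISS $ldapconf: add 'SASL_NOCANON on'"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "Both settings present; if the GSSAPI bind still fails, capture:"
        echo "  ldapwhoami -Y GSSAPI -h ${LDAP_HOST:-ipaslave.stg.example.net} -d -1"
    fi
    return "$rc"
}

# --- constructed sample configs (not taken from a real host) ---
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed: both settings present and in the right places.
GOOD_KRB5="$WORKDIR/krb5.conf.good"
GOOD_LDAP="$WORKDIR/ldap.conf.good"
cat > "$GOOD_KRB5" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.NET
 rdns = false
[realms]
 EXAMPLE.NET = {
  kdc = ipaslave.stg.example.net:88
 }
EOF
cat > "$GOOD_LDAP" <<'EOF'
URI ldap://ipaslave.stg.example.net
BASE dc=example,dc=net
TLS_CACERT /etc/ipa/ca.crt
SASL_MECH GSSAPI
TLS_REQCERT allow
SASL_NOCANON on
EOF

# Constructed: rdns = false sits under the wrong section and
# SASL_NOCANON is commented out, so both checks must report MISS.
BAD_KRB5="$WORKDIR/krb5.conf.bad"
BAD_LDAP="$WORKDIR/ldap.conf.bad"
cat > "$BAD_KRB5" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.NET
[appdefaults]
 rdns = false
EOF
cat > "$BAD_LDAP" <<'EOF'
URI ldap://ipaslave.stg.example.net
BASE dc=example,dc=net
#SASL_NOCANON on
EOF

canon_check "$GOOD_KRB5" "$GOOD_LDAP"
echo
canon_check "$BAD_KRB5" "$BAD_LDAP" || echo "exit status: $?"
```

The section-aware awk matters because `grep rdns` (as used in the thread) would also accept an rdns line placed under [appdefaults] or left commented out, which the Kerberos library ignores; the second constructed pair shows that case being reported as missing.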