[Freeipa-users] sssd failed with 'ldap_sasl_bindfailed(-2)[Localerror]'
Sumit Bose
sbose at redhat.com
Thu Nov 17 14:09:19 UTC 2016
On Thu, Nov 10, 2016 at 07:19:09PM +0800, Matrix wrote:
> Hi, Sumit
>
> I have checked, and did not find anything more:
>
> error logs from /var/log/dirsrv/slapd-EXAMPLE-NET/access:
> .......
> [10/Nov/2016:10:46:58 +0000] conn=816560 fd=189 slot=189 connection from 10.2.3.32 to 10.2.1.250
> [10/Nov/2016:10:46:58 +0000] conn=816560 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [10/Nov/2016:10:46:58 +0000] conn=816560 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> [10/Nov/2016:10:46:58 +0000] conn=816560 op=-1 fd=189 closed - B1
Sorry, I still have no idea, maybe running ldapwhoami with '-d -1' might
help to identify which step is failing.
bye,
Sumit
>
> .......
>
> Matrix
>
>
> ------------------ Original ------------------
> From: "Sumit Bose";<sbose at redhat.com>;
> Date: Thu, Nov 10, 2016 07:13 PM
> To: "Matrix"<matrix.zj at qq.com>;
> Cc: "Sumit Bose"<sbose at redhat.com>; "freeipa-users"<freeipa-users at redhat.com>;
> Subject: Re: [Freeipa-users] sssd failed with 'ldap_sasl_bindfailed(-2)[Localerror]'
>
>
>
> On Thu, Nov 10, 2016 at 06:48:54PM +0800, Matrix wrote:
> > Hi, Sumit
> >
> > Thanks for your reply
> >
> > I have tried. still failed
>
> Do you see any related messages on the LDAP server side?
>
> bye,
> Sumit
>
> >
> > # cat /etc/openldap/ldap.conf | grep -v ^#
> >
> > URI ldap://ipaslave.stg.example.net
> > BASE dc=example,dc=net
> > TLS_CACERT /etc/ipa/ca.crt
> > SASL_MECH GSSAPI
> > TLS_REQCERT allow
> > SASL_NOCANON on
> >
> >
> > # cat /etc/krb5.conf| grep rdns
> > rdns = false
> >
> > Matrix
> >
> > ------------------ Original ------------------
> > From: "Sumit Bose";<sbose at redhat.com>;
> > Date: Thu, Nov 10, 2016 06:32 PM
> > To: "freeipa-users"<freeipa-users at redhat.com>;
> >
> > Subject: Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed(-2)[Localerror]'
> >
> >
> >
> > On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> > > debug steps have been tried:
> > >
> > > 1 kinit is workable:
> > > # /usr/kerberos/bin/kinit -k host/client02.stg.example.net at EXAMPLE.NET
> > >
> > > # /usr/kerberos/bin/klist
> > > Ticket cache: FILE:/tmp/krb5cc_0
> > > Default principal: host/client02.stg.example.net at EXAMPLE.NET
> > >
> > > Valid starting Expires Service principal
> > > 11/10/16 09:18:00 11/11/16 09:17:35 krbtgt/EXAMPLE.NET at EXAMPLE.NET
> > >
> > > Kerberos 4 ticket cache: /tmp/tkt0
> > > klist: You have no tickets cached
> > >
> > > 2 ldapwhoami with krb auth failed.
> > >
> > > # ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
> > > SASL/GSSAPI authentication started
> > > ldap_sasl_interactive_bind_s: Local error (-2)
> > > additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Mutual authentication failed)
> > >
> >
> > Have you made sure that canonicalizing is disabled, i.e.
> > /etc/krb5.conf:
> > [libdefaults]
> > ...
> > rdns = false
> > ...
> >
> > /etc/openldap/ldap.conf
> > ...
> > SASL_NOCANON on
> > ...
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > >
> > > Matrix
> > >
> > > ------------------ Original ------------------
> > > From: "Matrix";<matrix.zj at qq.com>;
> > > Date: Thu, Nov 10, 2016 02:11 PM
> > > To: "freeipa-users"<freeipa-users at redhat.com>;
> > >
> > > Subject: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed (-2)[Localerror]'
> > >
> > >
> > >
> > > Hi,
> > >
> > > I have installed sssd in a RHEL5 client.
> > >
> > > ipa-client/sssd version:
> > > ipa-client-2.1.3-7.el5
> > > sssd-client-1.5.1-71.el5
> > > sssd-1.5.1-71.el5
> > >
> > > sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local error]'.
> > >
> > > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
> > > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send] (1): ldap_sasl_bind failed (-2)[Local error]
> > > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (7): Waiting for child [11117].
> > > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler] (4): child [11117] finished successfully.
> > >
> > > I have tried to google to find root cause. some link explained it should be something wrong with dns. I have double confirmed it.
> > >
> > > # nslookup client02.stg.example.net
> > > Server: 10.2.1.21
> > > Address: 10.2.1.21#53
> > >
> > > Name: client02.stg.example.net
> > > Address: 10.2.3.32
> > >
> > >
> > > # nslookup 10.2.3.32
> > > Server: 10.2.1.21
> > > Address: 10.2.1.21#53
> > >
> > > 32.3.2.10.in-addr.arpa name = client02.stg.example.net.
> > >
> > >
> > > # nslookup ipaslave.stg.example.net
> > > Server: 10.2.1.21
> > > Address: 10.2.1.21#53
> > >
> > > Name: ipaslave.stg.example.net
> > > Address: 10.2.1.250
> > >
> > > # nslookup 10.2.1.250
> > > Server: 10.2.1.21
> > > Address: 10.2.1.21#53
> > >
> > > 250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.
> > >
> > > Any hints or troubleshooting ideas would be appreciated.
> > >
> > > Matrix
> >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list