On Thu, Nov 10, 2016 at 06:48:54PM +0800, Matrix wrote:
> Hi, Sumit
>
> Thanks for your reply.
>
> I have tried. Still failed.

Do you see any related messages on the LDAP server side?

bye,
Sumit

>
> # cat /etc/openldap/ldap.conf | grep -v ^#
>
> URI ldap://ipaslave.stg.example.net
> BASE dc=example,dc=net
> TLS_CACERT /etc/ipa/ca.crt
> SASL_MECH GSSAPI
> TLS_REQCERT allow
> SASL_NOCANON on
>
>
> # cat /etc/krb5.conf | grep rdns
> rdns = false
>
> Matrix
>
> ------------------ Original ------------------
> From: "Sumit Bose";<[email protected]>;
> Date: Thu, Nov 10, 2016 06:32 PM
> To: "freeipa-users"<[email protected]>;
>
> Subject: Re: [Freeipa-users] sssd failed with 'ldap_sasl_bind
> failed(-2)[Localerror]'
>
>
>
> On Thu, Nov 10, 2016 at 05:22:26PM +0800, Matrix wrote:
> > Debug steps have been tried:
> >
> > 1. kinit is workable:
> > # /usr/kerberos/bin/kinit -k host/[email protected]
> >
> > # /usr/kerberos/bin/klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: host/[email protected]
> >
> > Valid starting     Expires            Service principal
> > 11/10/16 09:18:00  11/11/16 09:17:35  krbtgt/[email protected]
> >
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> >
> > 2. ldapwhoami with krb auth failed:
> >
> > # ldapwhoami -Y GSSAPI -h ipaslave.stg.example.net
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Local error (-2)
> > additional info: SASL(-1): generic failure: GSSAPI Error:
> > Unspecified GSS failure. Minor code may provide more information (Mutual
> > authentication failed)
> >
>
> Have you made sure that canonicalizing is disabled, i.e.
>
> /etc/krb5.conf:
> [libdefaults]
> ...
> rdns = false
> ...
>
> /etc/openldap/ldap.conf
> ...
> SASL_NOCANON on
> ...
>
> HTH
>
> bye,
> Sumit
>
> >
> >
> > Matrix
> >
> > ------------------ Original ------------------
> > From: "Matrix";<[email protected]>;
> > Date: Thu, Nov 10, 2016 02:11 PM
> > To: "freeipa-users"<[email protected]>;
> >
> > Subject: [Freeipa-users] sssd failed with 'ldap_sasl_bind failed
> > (-2)[Localerror]'
> >
> >
> >
> > Hi,
> >
> > I have installed sssd on a RHEL5 client.
> >
> > ipa-client/sssd version:
> > ipa-client-2.1.3-7.el5
> > sssd-client-1.5.1-71.el5
> > sssd-1.5.1-71.el5
> >
> > sssd failed to get ipa user info with 'ldap_sasl_bind failed (-2)[Local
> > error]'.
> >
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send]
> > (4): Executing sasl bind mech: GSSAPI, user: host/client02.stg.example.net
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [sasl_bind_send]
> > (1): ldap_sasl_bind failed (-2)[Local error]
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler]
> > (7): Waiting for child [11117].
> > (Thu Nov 10 05:52:45 2016) [sssd[be[stg.example.net]]] [child_sig_handler]
> > (4): child [11117] finished successfully.
> >
> > I have tried to google to find the root cause. Some link explained it should be
> > something wrong with DNS. I have double confirmed it.
> >
> > # nslookup client02.stg.example.net
> > Server:  10.2.1.21
> > Address: 10.2.1.21#53
> >
> > Name:    client02.stg.example.net
> > Address: 10.2.3.32
> >
> >
> > # nslookup 10.2.3.32
> > Server:  10.2.1.21
> > Address: 10.2.1.21#53
> >
> > 32.3.2.10.in-addr.arpa name = client02.stg.example.net.
> >
> >
> > # nslookup ipaslave.stg.example.net
> > Server:  10.2.1.21
> > Address: 10.2.1.21#53
> >
> > Name:    ipaslave.stg.example.net
> > Address: 10.2.1.250
> >
> > # nslookup 10.2.1.250
> > Server:  10.2.1.21
> > Address: 10.2.1.21#53
> >
> > 250.1.2.10.in-addr.arpa name = ipaslave.stg.example.net.
> >
> > Any hints or troubleshooting ideas would be appreciated.
> >
> >
> > Matrix
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
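As an added example that is not code from the thread or from the FreeIPA, SSSD or OpenLDAP projects, the following Python checker walks through the three things the thread examines: the `rdns` setting in the `[libdefaults]` section of krb5.conf, `SASL_NOCANON` in ldap.conf, and whether forward (A) and reverse (PTR) DNS agree for the IPA server. It also shows why the two settings matter: with reverse canonicalization on, a stale or mismatched PTR record changes the `ldap/<host>@REALM` service principal the client asks the KDC for, and a ticket for a principal the server does not hold cannot complete mutual authentication. The realm `STG.EXAMPLE.NET`, the resolver tables and the "rdns substitutes the PTR name" model are assumptions made for illustration; the config texts are constructed after the thread's own snippets, and no DNS queries are sent.

```python
import re

# Constructed resolver tables modelled on the nslookup output in the thread
# (a stand-in for real DNS; nothing here sends a query).
FORWARD = {
    "ipaslave.stg.example.net": "10.2.1.250",
    "client02.stg.example.net": "10.2.3.32",
}
REVERSE_OK = {
    "10.2.1.250": "ipaslave.stg.example.net",
    "10.2.3.32": "client02.stg.example.net",
}
# Constructed broken variant: the IPA server's PTR record names a host that
# is not the one the client connects to.
REVERSE_BROKEN = {**REVERSE_OK, "10.2.1.250": "ldap1.internal.example.net"}

# Assumed realm; the real realm is redacted in the thread.
REALM = "STG.EXAMPLE.NET"

# Constructed krb5.conf, after the snippet Sumit asked for.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = STG.EXAMPLE.NET
 dns_lookup_kdc = true
 rdns = false
[realms]
 STG.EXAMPLE.NET = {
  kdc = ipaslave.stg.example.net:88
 }
"""

# Constructed ldap.conf, after the one Matrix posted.
SAMPLE_LDAP_CONF = """\
# OpenLDAP client settings
URI ldap://ipaslave.stg.example.net
BASE dc=example,dc=net
TLS_CACERT /etc/ipa/ca.crt
SASL_MECH GSSAPI
SASL_NOCANON on
"""


def krb5_rdns(text):
    """Effective [libdefaults] rdns value; the libkrb5 default is true.

    Only the libdefaults section counts, so an rdns line under [realms] or
    elsewhere is ignored, the way a misplaced setting would be.
    """
    section, value = None, True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, val = (p.strip() for p in line.partition("="))
            if key == "rdns":
                # Simplified boolean spelling set, not the full libkrb5 one.
                value = val.lower() in ("true", "t", "yes", "y", "on", "1")
    return value


def ldap_sasl_nocanon(text):
    """True if ldap.conf sets SASL_NOCANON on; the OpenLDAP default is off."""
    value = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "SASL_NOCANON":
            value = parts[1].strip().lower() in ("on", "true", "yes")
    return value


def service_principal(host, realm, rdns, forward, reverse):
    """Name of the ldap/ service ticket the client requests (simplified model).

    Assumption for illustration: with rdns enabled the host name is replaced
    by the PTR name of its address before ldap/<name>@REALM is built; with
    rdns disabled the name the client was given is used unchanged.
    """
    name = host.rstrip(".").lower()
    if rdns:
        addr = forward.get(name)
        ptr = reverse.get(addr) if addr else None
        if ptr:
            name = ptr.rstrip(".").lower()
    return f"ldap/{name}@{realm}"


def dns_consistency(host, forward, reverse):
    """List of findings; empty means A and PTR agree, as Matrix's nslookup showed."""
    name = host.rstrip(".").lower()
    addr = forward.get(name)
    if addr is None:
        return [f"no A record for {name}"]
    ptr = reverse.get(addr)
    if ptr is None:
        return [f"no PTR record for {addr}"]
    if ptr.rstrip(".").lower() != name:
        return [f"PTR for {addr} is {ptr}, expected {name}"]
    return []


def audit(krb5_text, ldap_text, host, realm, forward, reverse):
    """Combine the three checks into one report for the given IPA server."""
    rdns = krb5_rdns(krb5_text)
    findings = dns_consistency(host, forward, reverse)
    if rdns:
        findings.append("rdns is enabled in krb5.conf [libdefaults]")
    if not ldap_sasl_nocanon(ldap_text):
        findings.append("SASL_NOCANON is not on in ldap.conf")
    return {"principal": service_principal(host, realm, rdns, forward, reverse),
            "findings": findings}


if __name__ == "__main__":
    host = "ipaslave.stg.example.net"
    for label, rev in (("consistent DNS", REVERSE_OK), ("broken PTR", REVERSE_BROKEN)):
        for rdns in (True, False):
            print(label, "rdns =", rdns, "->", service_principal(host, REALM, rdns, FORWARD, rev))
    print(audit(SAMPLE_KRB5_CONF, SAMPLE_LDAP_CONF, host, REALM, FORWARD, REVERSE_BROKEN))
```

Running it prints the principal the client would request under each combination; only the `rdns = True` plus broken-PTR case yields a name other than `ldap/ipaslave.stg.example.net@STG.EXAMPLE.NET`. The `audit` report still lists a PTR mismatch even when both settings are correct, which is the state to aim for on the DNS side regardless of whether canonicalization is disabled on the client.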
