
Re: ldapsearch + read-only domain controller: cannot bind



On 06/11/2016 01:27 PM, l@avc.su wrote:
> Hello.
>  
> I'm seeing very strange behavior with ldapsearch with GSSAPI on CentOS 7
> and Microsoft Windows 2012R2 Read-only Domain Controller.
> I can obtain a Kerberos ticket with no errors, with my user's credentials
> or with the machine's keytab.
>  
> However, when I'm trying to make an LDAP request with a GSSAPI bind, I'm
> getting an error:
> 
> ldapsearch -Y GSSAPI -H ldap://dc.contoso.com/ -b "dc=contoso,dc=com"
> "(sAMAccountName=user)"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (A service is not
> available that is required to process the request)
> 
> openldap-clients ver. 2.4.40 release 9.el7_2
> 
>  
> 
> Here's the -d1 output:
> 
> ldap_url_parse_ext(ldap://dc.contoso.com/)
> ldap_create
> ldap_url_parse_ext(ldap://dc.contoso.com:389/??base)
> ldap_sasl_interactive_bind: user selected: GSSAPI
> ldap_int_sasl_bind: GSSAPI
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP dc.contoso.com:389
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying 192.168.0.100:389
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> attempting to connect:
> connect success
> ldap_int_sasl_open: host=dc.contoso.com
> SASL/GSSAPI authentication started
> ldap_msgfree
> ldap_err2string
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified
> GSS failure. Minor code may provide more information (A service is not
> available that is required to process the request)
> ldap_free_connection 1 1
> ldap_send_unbind
> ber_flush2: 7 bytes to sd 3
> ldap_free_connection: actually freed
> 
>  
> 
> This problem does not appear with regular DC servers. I can bind to and
> search them with no errors.
> 
> How can I debug this problem?
> 

Hi,

Maybe you can turn on Kerberos tracing, repeat the failing ldapsearch
from CentOS 7 and send us the output?

I.e.:

KRB5_TRACE=/dev/stdout ldapsearch -Y GSSAPI -H ldap://dc.contoso.com/ -b "dc=contoso,dc=com" "(sAMAccountName=user)"


Cheers,

Mark
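The trace Mark asks for is the right place to start, because for a SASL/GSSAPI bind the client asks the KDC for a ticket to ldap/&lt;host from -H&gt;@REALM before it sends anything to the LDAP server, and the KRB5_TRACE output records exactly which principal it asked for, which KDC it talked to and what the KDC answered. The script below is an added example, not code from the thread or from OpenLDAP or MIT krb5: it wraps the poster's ldapsearch in KRB5_TRACE written to a file, and pulls those three things out of the trace so the run against the RODC can be compared line by line with the same run against a working DC. The host, base DN and filter default to the values from the original post; the trace file path is an assumption, and the sample trace embedded for offline use is constructed, not captured from the poster's system.

```shell
#!/bin/sh
# Added example (not from the thread): run ldapsearch with MIT Kerberos
# tracing enabled and summarise the trace. CentOS 7 ships MIT krb5, whose
# trace lines look like "[pid] timestamp: message".

# Run the poster's ldapsearch with KRB5_TRACE written to $TRACE_FILE
# (default /tmp/krb5_ldap.trace, an assumption). Returns ldapsearch's status.
run_traced_ldapsearch() {
    host=${1:-dc.contoso.com}
    base=${2:-dc=contoso,dc=com}
    filter=${3:-'(sAMAccountName=user)'}
    trace=${TRACE_FILE:-/tmp/krb5_ldap.trace}
    : > "$trace"
    KRB5_TRACE="$trace" ldapsearch -Y GSSAPI -H "ldap://$host/" -b "$base" "$filter"
}

# Write a constructed KRB5_TRACE sample (illustrative only, not the poster's
# trace) so the summary functions can be tried without a domain controller.
write_sample_trace() {
    cat > "$1" <<'EOF'
[4242] 1465640000.100000: Getting credentials user@CONTOSO.COM -> ldap/dc.contoso.com@CONTOSO.COM using ccache FILE:/tmp/krb5cc_1000
[4242] 1465640000.200000: Sending request (1357 bytes) to CONTOSO.COM
[4242] 1465640000.300000: Received error from KDC: -1765328377/Server not found in Kerberos database
EOF
}

# Service principals the client asked the KDC for, one per line.
# For a SASL/GSSAPI bind this should be ldap/<host given to -H>@REALM.
trace_service_principals() {
    sed -n 's/.*Getting credentials [^ ]* -> \([^ ]*\) .*/\1/p' "$1" | sort -u
}

# Realms or KDC addresses the client sent requests to, one per line.
trace_kdcs() {
    sed -n 's/.*Sending request ([0-9]* bytes) to \(.*\)$/\1/p' "$1" | sort -u
}

# Errors returned by the KDC, with the "[pid] timestamp: " prefix stripped.
trace_kdc_errors() {
    grep 'Received error from KDC' "$1" | sed 's/^[^:]*: //'
}

# Print a short summary of a trace file. Returns 1 if the KDC returned an
# error (the bind cannot succeed without the service ticket), 0 otherwise.
summarize_trace() {
    trace=$1
    echo "Service principals requested:"
    trace_service_principals "$trace" | sed 's/^/  /'
    echo "KDCs contacted:"
    trace_kdcs "$trace" | sed 's/^/  /'
    if grep -q 'Received error from KDC' "$trace"; then
        echo "KDC errors:"
        trace_kdc_errors "$trace" | sed 's/^/  /'
        return 1
    fi
    echo "No KDC errors in trace"
    return 0
}

# "sh this_script.sh demo" summarises the constructed sample offline.
if [ "${1:-}" = "demo" ]; then
    write_sample_trace /tmp/krb5_sample.trace
    summarize_trace /tmp/krb5_sample.trace
fi
```

To use it against the real servers, source the file and run `run_traced_ldapsearch` once with the RODC host and once with a working DC (set TRACE_FILE to a different path each time), then `summarize_trace` on both files; the first line that differs is the place to look. The trace contains principal names and ccache paths, so redact it before posting it to a list.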