
Re: nslcd SASL bind fails




On 02/12/2012 06:04 PM, steve wrote:
On 02/12/2012 05:04 PM, steve wrote:
Hi
Ubuntu 11.10
nslcd 0.8.4 from nslcd_0.8.4_i386.deb

I can't do a GSSAPI bind:
Feb 12 16:51:54 hh3 nslcd[3002]: [e8944a] <passwd="steve2"> failed to bind to LDAP server ldap://192.168.1.3: Local error: No such file or directory

/etc/nslcd.conf
uid nslcd-user
gid nslcd-user
uri ldap://192.168.1.3
base dc=hh3,dc=site
map    passwd uid              samAccountName
map    passwd homeDirectory    unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

There is a ticket cache at /tmp/krb5cc_0 and a conventional bind works fine. I can also use ldapsearch -Y GSSAPI and ldapmodify -Y GSSAPI

Any ideas?
Thanks,
Steve


Sorry. Forgot the details. I compiled from source from your site:

root@hh3:/tmp# getent passwd steve2
root@hh3:/tmp#

nslcd -d
nslcd: DEBUG: add_uri(ldap://192.168.1.3)
nslcd: version 0.7.15 starting
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(126) done
nslcd: DEBUG: setuid(115) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=17216 uid=0 gid=0
nslcd: [8b4567] DEBUG: nslcd_passwd_byname(steve2)
nslcd: [8b4567] DEBUG: myldap_search(base="dc=hh3,dc=site", filter="(&(objectClass=posixAccount)(sAMAccountName=steve2))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://192.168.1.3)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_sasl_bind_s("cn=Administrator,cn=Users,dc=hh3,dc=site","GSSAPI",NULL) (uri="ldap://192.168.1.3")
nslcd: [8b4567] failed to bind to LDAP server ldap://192.168.1.3: Invalid credentials
nslcd: [8b4567] DEBUG: ldap_unbind()
nslcd: [8b4567] no available LDAP server found

KDC
ldb_wrap open of secrets.ldb
GSS server Update(krb5)(1) Update failed: An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2

What is it saying? Which is at fault here?
Thanks,
Steve


Back to 0.7.13 on Ubuntu. This time no errors from the KDC but nslcd gives:
nslcd: [8b4567] DEBUG: ldap_initialize(ldap://hh3.site)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://hh3.site")
nslcd: [8b4567] DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [8b4567] failed to bind to LDAP server ldap://hh3.site: Local error: No such file or directory
nslcd: [8b4567] DEBUG: ldap_unbind()
nslcd: [8b4567] no available LDAP server found

However, an ldapsearch on the same DN works fine with GSSAPI:

ldapsearch -h 192.168.1.3 -D Administrator@HH3.SITE -b dc=hh3,dc=site 'cn=steve2' -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: Administrator@HH3.SITE
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=hh3,dc=site> with scope subtree
# filter: cn=steve2
# requesting: ALL
#

# steve2, Users, hh3.site
dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
instanceType: 4
whenCreated: 20120212141408.0Z
uSNCreated: 3724
name: steve2
objectGUID:: gBEQwhcY6UO42FL0ng0iOw==
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAJ3dsOvSkaPcrfx06UgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: steve2@hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 129735296490000000
userAccountControl: 512
uidNumber: 3000002
gidNumber: 3000001
unixHomeDirectory: /home/CACTUS/steve2
loginShell: /bin/bash
whenChanged: 20120212141458.0Z
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: user
uSNChanged: 3728
distinguishedName: CN=steve2,CN=Users,DC=hh3,DC=site





--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
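One thing worth checking in a setup like the one posted above: nslcd drops to the account named by the `uid`/`gid` options before it opens the LDAP connection, so the ticket cache named by `krb5_ccname` has to be readable by that account, not just by root (the `ldapsearch -Y GSSAPI` in the thread was run as root). The script below is an added example, not code from the thread or from the nss-pam-ldapd project: it parses an nslcd.conf fragment modelled on the posted one, resolves the `uid` option, and classifies the daemon's access to the ticket cache file. The config text, the account names, the ticket-cache contents and the `resolve_uid` hook are constructed for the example; a root-owned 0600 cache unreadable by the daemon user is offered as a candidate cause to rule out, not as the confirmed explanation of the error in the thread.

```python
"""Check that the krb5_ccname in nslcd.conf is readable by the uid nslcd drops to.
Added example, not the project's code; paths and names are assumptions."""
import os
import pwd
import stat
import tempfile

# Constructed nslcd.conf fragment modelled on the one in the thread.
SAMPLE_NSLCD_CONF = """\
uid nslcd-user
gid nslcd-user
uri ldap://192.168.1.3
base dc=hh3,dc=site
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
"""

CURRENT_UID = os.getuid()      # the user running this script
OTHER_UID = CURRENT_UID + 1    # stands in for an unprivileged daemon account


def parse_nslcd_conf(text):
    """Parse 'option value' lines into {option: [values]}; comments/blanks skipped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key, []).append(value.strip())
    return opts


def ccache_file(value):
    """Return the path behind a FILE: (or prefix-less) ccache name, else None."""
    kind, sep, rest = value.partition(":")
    if not sep:
        return value
    return rest if kind.upper() == "FILE" else None


def access_for_uid(path, uid, gid=None):
    """Classify read access to path for uid/gid without switching identity.
    Returns 'missing', 'unreadable', 'world-readable' or 'ok'."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    mode = st.st_mode
    if uid == 0 or (st.st_uid == uid and mode & stat.S_IRUSR):
        return "ok"
    if gid is not None and st.st_gid == gid and mode & stat.S_IRGRP:
        return "ok"
    if mode & stat.S_IROTH:
        # Readable, but any local user can copy the TGT out of it: flag it.
        return "world-readable"
    return "unreadable"


def check_ccache(conf_text, resolve_uid=None):
    """Return (status, detail) for krb5_ccname as seen by the nslcd uid.
    resolve_uid maps the 'uid' option to a number; default uses the passwd db.
    Group access is not resolved here; pass gid to access_for_uid if needed."""
    if resolve_uid is None:
        def resolve_uid(name):
            return int(name) if name.isdigit() else pwd.getpwnam(name).pw_uid
    opts = parse_nslcd_conf(conf_text)
    if opts.get("sasl_mech", [""])[0].upper() != "GSSAPI":
        return "ok", "sasl_mech is not GSSAPI; no ticket cache involved"
    if "krb5_ccname" not in opts:
        return "unset", "krb5_ccname not set; default/KRB5CCNAME cache would be used"
    path = ccache_file(opts["krb5_ccname"][0])
    if path is None:
        return "ok", "non-FILE ccache type; file permission check not applicable"
    uid = resolve_uid(opts.get("uid", ["root"])[0])
    status = access_for_uid(path, uid)
    return status, "%s as uid %d: %s" % (path, uid, status)


def constructed_conf(mode=0o600, missing=False):
    """Write a constructed (fake) ccache file with the given mode and return a
    conf text whose krb5_ccname points at it (or at a nonexistent path)."""
    cc = os.path.join(tempfile.mkdtemp(), "krb5cc_0")
    if not missing:
        with open(cc, "wb") as f:
            f.write(b"constructed placeholder, not a real ccache")
        os.chmod(cc, mode)
    return SAMPLE_NSLCD_CONF.replace("/tmp/krb5cc_0", cc)


if __name__ == "__main__":
    conf = constructed_conf()
    print(check_ccache(conf, resolve_uid=lambda _: CURRENT_UID))  # owner: ok
    print(check_ccache(conf, resolve_uid=lambda _: OTHER_UID))    # daemon uid: unreadable
```

On a real host, run `check_ccache(open("/etc/nslcd.conf").read())` as root so the `uid` option resolves through the passwd database; a result of `unreadable` means the daemon cannot open the cache after its setuid, and `world-readable` means it can but the TGT is exposed to every local user. A cache owned by the daemon account, or a keytab it can read with nslcd acquiring its own credentials, avoids both conditions.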