ldap_sasl_bind failed

Asked by Jason Sharp on 2012-04-03

Here is my sssd.conf

I'm using DNS resolution to grab my kdc and kpasswd servers

# Section headers reconstructed: the bracketed lines were lost when the post was rendered.
[sssd]
config_file_version = 2
services = nss, pam
domains = AD
debug_level = 10

[nss]
filter_groups = root, jason
filter_users = root, jason

[domain/AD]
min_id = 1000
id_provider = ldap
# Posted as "acces_provider"; sssd silently ignores the misspelled key, so the
# ldap access checks below never run. Corrected spelling:
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_uri = ldaps://us.mycompany.com
ldap_search_base = dc=us,dc=mycompany,dc=com
ldap_schema = rfc2307bis
ldap_tls_reqcert = allow
ldap_krb5_init_creds = true
ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/krb5.keytab

dns_discovery_domain = US.MYCOMPANY.COM
krb5_realm = US.MYCOMPANY.COM
krb5_keytab = /etc/krb5.keytab

I can see that a TGT is created in /var/lib/sss/db.

When I run sssd -i -d 10 I can see the following:

(Tue Apr 3 16:22:33 2012) [sssd[be[AD]]] [sdap_kinit_send] (0x0400): Attempting kinit (/etc/krb5.keytab, (null), US.MYCOMPANY.COM, 86400)
(Tue Apr 3 16:22:33 2012) [sssd[be[AD]]] [sdap_kinit_next_kdc] (0x1000): Resolving next KDC for service KERBEROS
(Tue Apr 3 16:22:33 2012) [sssd[be[AD]]] [sdap_kinit_kdc_resolved] (0x1000): KDC resolved, attempting to get TGT...

Why is it attempting to send (null) as my username? Shouldn't it be sending the principal in my krb5.keytab? This is probably why my bind is failing.

Question information

Language: English
Project: Ubuntu sssd
Assignee: none
Solved by: Jason Sharp
Jason Sharp (jsharp) said: #1

us.mycompany.com is a round robin DNS entry, which requires ldap_sasl_canonicalize = true
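Added example, not part of the post, modelling why that fix works: against a round-robin alias the GSSAPI layer asks the KDC for a ticket for ldap/us.mycompany.com, a service principal no domain controller holds, whereas with canonicalization it asks for ldap/<the DC it actually connected to>. The DNS records, the DC names dc1/dc2, their addresses and the registered SPNs are constructed stand-ins for the real zone.

```python
"""Model of SASL/GSSAPI target-name selection behind a round-robin LDAP alias."""

REALM = "US.MYCOMPANY.COM"

# Constructed DNS data: the alias from ldap_uri returns several DC addresses,
# and each address has a PTR record naming the real host.
FORWARD = {
    "us.mycompany.com": ["10.0.0.11", "10.0.0.12"],
    "dc1.us.mycompany.com": ["10.0.0.11"],
    "dc2.us.mycompany.com": ["10.0.0.12"],
}
REVERSE = {"10.0.0.11": "dc1.us.mycompany.com.", "10.0.0.12": "dc2.us.mycompany.com."}

# Constructed: SPNs each DC registered in AD. DCs register their own FQDN, never the alias.
REGISTERED_SPNS = {f"ldap/{h}@{REALM}" for h in ("dc1.us.mycompany.com", "dc2.us.mycompany.com")}


def canonical_host(name, forward=FORWARD, reverse=REVERSE):
    """Mimic libkrb5 name canonicalization: resolve the name, then take the PTR of the
    address that will be used. Returns (address, canonical host). Note the PTR data is
    part of the trust base once canonicalization is on, so the DNS zone must be sound."""
    addrs = forward.get(name.rstrip(".").lower())
    if not addrs:
        raise LookupError(f"no address for {name}")
    addr = addrs[0]  # resolvers rotate round-robin answers; whichever came first is used
    ptr = reverse.get(addr, name)
    return addr, ptr.rstrip(".").lower()


def gssapi_target(uri_host, canonicalize, forward=FORWARD, reverse=REVERSE):
    """Service principal the LDAP client requests from the KDC for a bind to uri_host."""
    host = uri_host.rstrip(".").lower()
    if canonicalize:  # what ldap_sasl_canonicalize = true switches on
        _, host = canonical_host(host, forward, reverse)
    return f"ldap/{host}@{REALM}"


def bind_would_succeed(uri_host, canonicalize):
    """A KDC can only issue a ticket for an SPN some server actually holds."""
    return gssapi_target(uri_host, canonicalize) in REGISTERED_SPNS


if __name__ == "__main__":
    for canon in (False, True):
        spn = gssapi_target("us.mycompany.com", canon)
        print(f"canonicalize={canon!s:5} -> {spn}: "
              f"{'ticket issued' if bind_would_succeed('us.mycompany.com', canon) else 'no such SPN'}")
```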