We have been using Openldap on an old Tru64 machine for a couple of
years to glue our Oracle database and W2K Active Directory together.
We're moving the database to a Linux machine. I rebuilt the Openldap
software and it almost works. The Unix machines are in a MIT Kerberos
Realm and a trust exists between the MIT realm and the W2K Domain. The
account I'm running with on the Unix side is mapped to a Windows account.
Using the latest openssl, Cyrus SASL, and stable openldap source
packages, I built everything in the same manner as before. I tested the
SASL code using the sample-client/server programs to make sure that
GSSAPI was working properly. I built openldap with --with-cyrus-sasl
as my only option.
When I test using ldapsearch I'm seeing the infamous
ldap_sasl_interactive_bind_s: message
$ ldapsearch -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
My config files are set right. I see a logon/logoff to the AD domain
when I try the ldapsearch.
I get tickets from the Windows domain and from the domain controller
I'm attempting to query.
If I use -x I get the expected response from the domain controller.
Any ideas on what I might have missed?
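As an added diagnostic aid (not part of the original post, and not OpenLDAP's or Cyrus SASL's own tooling), the script below checks the preconditions a SASL/GSSAPI bind from ldapsearch depends on before it can get past "Local error (-2)": a Kerberos credential cache holding a TGT, a service ticket for ldap/<dc-fqdn> (requested during the bind, so its absence beforehand only matters if the bind cannot obtain one), and an installed Cyrus SASL GSSAPI mechanism plugin. The plugin directory /usr/lib/sasl2, the plugin file name libgssapiv2.so, the hostname dc1.example.com and the sample klist text are all assumptions or constructed values, not taken from the post.

```shell
#!/bin/sh
# Added diagnostic helper for a failing "ldapsearch -Y GSSAPI" bind.
# Assumptions: Cyrus SASL plugins live in SASL_PLUGIN_DIR and the GSSAPI
# mechanism is the file libgssapiv2.so (both vary by build/distribution).
SASL_PLUGIN_DIR="${SASL_PLUGIN_DIR:-/usr/lib/sasl2}"

# Constructed sample of klist output, used by selfcheck (not a real cache).
SAMPLE_KLIST="Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.ORG

Valid starting     Expires            Service principal
01/01/24 10:00:00  01/01/24 20:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
01/01/24 10:00:05  01/01/24 20:00:00  ldap/dc1.example.com@EXAMPLE.COM"

# has_tgt KLIST_OUTPUT: succeed if the cache listing shows a krbtgt ticket
has_tgt() {
    printf '%s\n' "$1" | grep -q 'krbtgt/'
}

# has_ldap_ticket KLIST_OUTPUT DC_FQDN: succeed if a service ticket for
# ldap/DC_FQDN is already in the cache
has_ldap_ticket() {
    printf '%s\n' "$1" | grep -q "ldap/$2@"
}

# sasl_gssapi_plugin_present DIR: succeed if the GSSAPI mechanism plugin
# (assumed name libgssapiv2.so*) exists in DIR
sasl_gssapi_plugin_present() {
    ls "$1"/libgssapiv2.so* >/dev/null 2>&1
}

# diagnose DC_FQDN: run the checks against the live system and report
# which precondition is missing; returns 0 when all of them hold
diagnose() {
    dc="$1"
    out=$(klist 2>/dev/null) || { echo "no readable credential cache; run kinit first"; return 1; }
    has_tgt "$out" || { echo "cache has no krbtgt ticket; run kinit"; return 1; }
    if ! has_ldap_ticket "$out" "$dc"; then
        echo "no ldap/$dc ticket cached yet; the bind will request one, so verify forward and reverse DNS for $dc"
    fi
    sasl_gssapi_plugin_present "$SASL_PLUGIN_DIR" \
        || { echo "no GSSAPI plugin in $SASL_PLUGIN_DIR; check the Cyrus SASL install and plugin path"; return 1; }
    echo "preconditions look fine; retry with: ldapsearch -Y GSSAPI -H ldap://$dc -d 1"
}

# selfcheck: exercise the pure helpers on the constructed sample so the
# script can be sanity-checked offline; returns 0 when all checks pass
selfcheck() {
    has_tgt "$SAMPLE_KLIST" || return 1
    has_ldap_ticket "$SAMPLE_KLIST" dc1.example.com || return 1
    has_ldap_ticket "$SAMPLE_KLIST" dc2.example.com && return 1
    return 0
}

# Usage on a real host (assumed DC name): diagnose dc1.example.com
```

Running `diagnose` with the real domain controller name reports the first missing precondition; the `-d 1` debug level on the retry makes ldapsearch print the SASL/GSSAPI negotiation steps so the failing one is visible.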