
Re: ldapsearch + read-only domain controller: cannot bind



On Sun, 12 Jun 2016 17:34:47 +0300,
l@avc.su wrote:

> Hi Dieter.
>  
> I've tried performing this search from a CentOS6 machine, with my own
> UPN, with machine UPN, and it was successful. Accessing SPN
> ldap/dc.contoso.com@CONTOSO.COM. Keytab is located
> in /etc/krb5.keytab, owned by root, access mode 0600. Dumped traffic
> from the problem server. On my TGS-REQ, DC responds with
> 'krb5kdc_err_svc_unavailable' packet.
> 12.06.2016, 10:41, "Dieter Klünter" <dieter@dkluenter.de>:
> 
> On Sat, 11 Jun 2016 14:27:26 +0300,
> l@avc.su wrote:
[...]

The user slapd runs as needs to read the keytab. Check with klist
whether an ldap service principal ticket is available.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
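
The two checks suggested in the reply above (keytab readability for the service account, and an ldap service ticket in klist output), as an added shell example that is not part of the original message. The function names, the `ldap` account name, uid/gid 55 and the sample klist output are assumptions constructed for illustration; GNU stat and MIT-style klist output are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat and MIT-style klist output.

# may_read MODE FILE_UID FILE_GID USER_UID "USER_GIDS"
# Succeeds if the classic owner/group/other bits let the user read the file.
# ACLs, SELinux and root's override are not considered.
may_read() {
    bits=$((0$1))                      # stat prints octal, e.g. 600
    if [ "$4" = "$2" ]; then           # owner: only the owner bits apply
        return $(( (bits & 0400) == 0 ))
    fi
    for g in $5; do                    # any group of the user matches
        if [ "$g" = "$3" ]; then
            return $(( (bits & 0040) == 0 ))
        fi
    done
    return $(( (bits & 0004) == 0 ))   # everyone else
}

# keytab_readable_by USER FILE, e.g. keytab_readable_by ldap /etc/krb5.keytab
# ("ldap" as the slapd account name is an assumption).
keytab_readable_by() {
    may_read $(stat -c '%a %u %g' "$2") "$(id -u "$1")" "$(id -G "$1")"
}

# has_service_ticket SERVICE: reads klist output on stdin, succeeds if a
# ticket for SERVICE/... follows the column header.
# Usage: klist | has_service_ticket ldap
has_service_ticket() {
    awk -v svc="$1" '
        /Service principal/ { listing = 1; next }
        listing && index($NF, svc "/") == 1 { found = 1 }
        END { exit !found }
    '
}

# Constructed sample of klist output (not captured from the thread).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@CONTOSO.COM

Valid starting     Expires            Service principal
06/12/16 17:00:01  06/13/16 03:00:01  krbtgt/CONTOSO.COM@CONTOSO.COM
06/12/16 17:00:09  06/13/16 03:00:01  ldap/dc.contoso.com@CONTOSO.COM'

# root-owned 0600 keytab, as described in the thread; uid/gid 55 is made up.
may_read 600 0 0 55 "55" || echo "uid 55 cannot read a root-owned 0600 keytab"
printf '%s\n' "$SAMPLE_KLIST" | has_service_ticket ldap && echo "ldap ticket found"
```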