Brian May <br...@microcomaustralia.com.au> writes:

> With libsasl2-modules-gssapi-mit installed.
>
> root@tyla:~# ldapsearch -Y GSSAPI -R AD.VPAC.ORG -b dc=ad,dc=vpac,dc=org
> uid=aspiers -H ldap://sys11.ad.vpac.org/ -A
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information (Cannot
> determine realm for numeric host address)
>
> With libsasl2-modules-gssapi-heimdal installed.
>
> root@tyla:~# ldapsearch -Y GSSAPI -R AD.VPAC.ORG -b dc=ad,dc=vpac,dc=org
> uid=aspiers -H ldap://sys11.ad.vpac.org/ -A
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Local error (-2)
> additional info: SASL(-1): generic failure: GSSAPI Error:
> Miscellaneous failure (see text) (Matching credential (ldap/
> 2001:388:60ac:10d:214:85ff:fef6:8...@ad.vpac.org) not found)
>
> It should not be trying to use ldap/
> 2001:388:60ac:10d:214:85ff:fef6:8...@ad.vpac.org, it should use the name I
> specified on the command line, i.e. ldap/sys11.ad.vpac....@ad.vpac.org

If you add:

    rdns = false

to the [libdefaults] section of your /etc/krb5.conf, does it then work
with MIT?  (I'm not sure what the corresponding Heimdal setting is; a quick
man page check didn't reveal it.)

I think this is your GSS-API library being excessively helpful and
canonicalizing the host identity with DNS for you, and then getting
confused by whatever nsswitch is returning.  This isn't really under the
control of the application; the GSS-API library will do this under the
hood.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
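
The DNS canonicalization discussed in this thread, as an added example that is not part of the original messages and is not MIT or Heimdal code: a simplified Python model of a forward lookup followed by an optional reverse lookup, showing how the service principal changes with and without the reverse step. The function names, the resolver stubs and the address 2001:db8::11 are constructed for illustration.

```python
import socket

def forward_canon(host):
    """Forward lookup: (canonical name, first address) from the system resolver."""
    info = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM,
                              flags=socket.AI_CANONNAME)
    canon, sockaddr = info[0][3], info[0][4]
    return (canon or host), sockaddr[0]

def reverse_name(addr):
    """Reverse lookup: whatever name the resolver returns for addr, or None."""
    try:
        return socket.getnameinfo((addr, 0), 0)[0]
    except OSError:
        return None

def is_numeric(name):
    """True if name is an IPv4/IPv6 literal rather than a DNS name."""
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, name)
            return True
        except OSError:
            pass
    return False

def service_principal(service, host, realm, rdns=True,
                      forward=forward_canon, reverse=reverse_name):
    """Model of the principal requested for host; returns (principal, numeric?)."""
    canon, addr = forward(host)
    if rdns:                      # the step that 'rdns = false' switches off
        canon = reverse(addr) or canon
    canon = canon.rstrip(".").lower()
    return f"{service}/{canon}@{realm}", is_numeric(canon)

# Constructed resolver behaviour (assumption): the forward lookup yields an
# IPv6 address and the reverse lookup hands that address back instead of a name.
SAMPLE_ADDR = "2001:db8::11"
def fake_forward(host): return host, SAMPLE_ADDR
def fake_reverse(addr): return addr

def demo():
    """Principals for the thread's host with the reverse step on, then off."""
    return [service_principal("ldap", "sys11.ad.vpac.org", "AD.VPAC.ORG", rdns=r,
                              forward=fake_forward, reverse=fake_reverse)
            for r in (True, False)]

if __name__ == "__main__":
    for principal, numeric in demo():
        print(principal, "(numeric host)" if numeric else "")
```

Calling service_principal() without the forward and reverse arguments uses the system resolver, which shows what a given host actually canonicalizes to on the machine where the bind fails.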