Description of problem:
I cannot use GSSAPI with ldapsearch, but it works from the 2.4.46 source code.

Version-Release number of selected component (if applicable):
$ rpm -qa | grep -i ldap
python3-ldap-3.3.1-2.el8.x86_64
openldap-2.4.46-18.el8.x86_64
sssd-ldap-2.6.2-3.el8.x86_64
perl-LDAP-0.66-7.el8.noarch
openldap-clients-2.4.46-18.el8.x86_64

How reproducible:
Install the latest version of openldap-clients from the Rhel8_BaseOS depot with Red Hat Enterprise Linux 8.6.

Steps to Reproduce:
1. sudo dnf install openldap-clients
2. ldapsearch -H ldap://yourldapserver.lan -b "dc=yourldapserver,dc=lan" "(sAMAccountName=guest)" -LLL -Y GSSAPI

Actual results:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)

Expected results:
SASL/GSSAPI authentication started
SASL username: USER
SASL SSF: 256
SASL data security layer installed.

Additional info:
When I compile the same version (openldap-2.4.46) myself, I get the expected results with:
wget https://www.openldap.org/software/download/OpenLDAP/openldap-release/openldap-2.4.46.tgz
tar -xf openldap-2.4.46.tgz
cd openldap-2.4.46/
sudo dnf install libdb-devel cyrus-sasl-devel libtool-ltdl-devel
rpm -qa | grep -e libdb-devel -e cyrus-sasl-devel -e libtool-ltdl-devel
#libtool-ltdl-devel-2.4.6-25.el8.x86_64
#cyrus-sasl-devel-2.1.27-6.el8_5.x86_64
#libdb-devel-5.3.28-42.el8_4.x86_64
./configure --with-cyrus-sasl
make depend
make
./clients/tools/ldapsearch -H ldap://yourldapserver.lan -b "dc=yourldapserver,dc=lan" "(sAMAccountName=guest)" -Y GSSAPI
Please provide more information about your configuration. OpenLDAP on RHEL 8 is built to work with SSSD, IPA and RHDS in a certain way. We have many patches on top of openldap-2.4.46 to make the experience smooth and adjusted to RHEL 8 (and it also has many additional CVEs fixed). It's possible that you have a misconfigured krb5.conf or ldap.conf. Do you have SSSD set up? Do you use 389-ds-base? (Remember, openldap-servers is not a supported option on RHEL 8.) Additionally, please provide the ldapsearch output with the "-d 9" option.
Yes, SSSD is set up and I use it with Active Directory, so I don't use 389-ds-base or openldap-servers.

The output with "-d 9":

$ ldapsearch -H ldap://yourldapserver.lan -b "dc=yourldapserver,dc=lan" "(sAMAccountName=guest)" -Y GSSAPI -d 9
ldap_url_parse_ext(ldap://yourldapserver.lan)
ldap_create
ldap_url_parse_ext(ldap://yourldapserver.lan:389/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP yourldapserver.lan:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_int_sasl_open: host=yourldapserver.lan
SASL/GSSAPI authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 3839 bytes to sd 3
ldap_msgfree
ldap_result ld 0x556efbad3570 msgid 1
wait4msg ld 0x556efbad3570 msgid 1 (infinite timeout)
wait4msg continue ld 0x556efbad3570 msgid 1 all 1
** ld 0x556efbad3570 Connections:
* host: yourldapserver.lan  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun 27 08:26:59 2023

** ld 0x556efbad3570 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x556efbad3570 request count 1 (abandoned 0)
** ld 0x556efbad3570 Response Queue:
   Empty
  ld 0x556efbad3570 response count 0
ldap_chkResponseList ld 0x556efbad3570 msgid 1 all 1
ldap_chkResponseList returns ld 0x556efbad3570 NULL
ldap_int_select
read1msg: ld 0x556efbad3570 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 120 contents:
read1msg: ld 0x556efbad3570 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x556efbad3570 0 new referrals
read1msg:  mark request completed, ld 0x556efbad3570 msgid 1
request done: ld 0x556efbad3570 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: -1
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
The same output, but with the compiled openldap 2.4.46 source code:

./clients/tools/ldapsearch -H ldap://yourldapserver.lan -b "dc=yourldapserver,dc=lan" "(sAMAccountName=guest)" -Y GSSAPI -d 9
ldap_url_parse_ext(ldap://yourldapserver.lan)
ldap_create
ldap_url_parse_ext(ldap://yourldapserver.lan:389/??base)
ldap_sasl_interactive_bind: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP yourldapserver.lan:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 1.2.3.4:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_int_sasl_open: host=dc.yourldapserver.lan
SASL/GSSAPI authentication started
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 3839 bytes to sd 3
ldap_msgfree
ldap_result ld 0xf00180 msgid 1
wait4msg ld 0xf00180 msgid 1 (infinite timeout)
wait4msg continue ld 0xf00180 msgid 1 all 1
** ld 0xf00180 Connections:
* host: yourldapserver.lan  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun 27 08:52:03 2023

** ld 0xf00180 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xf00180 request count 1 (abandoned 0)
** ld 0xf00180 Response Queue:
   Empty
  ld 0xf00180 response count 0
ldap_chkResponseList ld 0xf00180 msgid 1 all 1
ldap_chkResponseList returns ld 0xf00180 NULL
ldap_int_select
read1msg: ld 0xf00180 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 176 contents:
read1msg: ld 0xf00180 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0xf00180 0 new referrals
read1msg:  mark request completed, ld 0xf00180 msgid 1
request done: ld 0xf00180 msgid 1
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: 1
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 22 bytes to sd 3
ldap_msgfree
ldap_result ld 0xf00180 msgid 2
wait4msg ld 0xf00180 msgid 2 (infinite timeout)
wait4msg continue ld 0xf00180 msgid 2 all 1
** ld 0xf00180 Connections:
* host: yourldapserver.lan  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun 27 08:52:03 2023

** ld 0xf00180 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xf00180 request count 1 (abandoned 0)
** ld 0xf00180 Response Queue:
   Empty
  ld 0xf00180 response count 0
ldap_chkResponseList ld 0xf00180 msgid 2 all 1
ldap_chkResponseList returns ld 0xf00180 NULL
ldap_int_select
read1msg: ld 0xf00180 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 50 contents:
read1msg: ld 0xf00180 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0xf00180 0 new referrals
read1msg:  mark request completed, ld 0xf00180 msgid 2
request done: ld 0xf00180 msgid 2
res_errno: 14, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
sasl_client_step: 0
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 56 bytes to sd 3
ldap_msgfree
ldap_result ld 0xf00180 msgid 3
wait4msg ld 0xf00180 msgid 3 (infinite timeout)
wait4msg continue ld 0xf00180 msgid 3 all 1
** ld 0xf00180 Connections:
* host: yourldapserver.lan  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Jun 27 08:52:03 2023

** ld 0xf00180 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0xf00180 request count 1 (abandoned 0)
** ld 0xf00180 Response Queue:
   Empty
  ld 0xf00180 response count 0
ldap_chkResponseList ld 0xf00180 msgid 3 all 1
ldap_chkResponseList returns ld 0xf00180 NULL
ldap_int_select
read1msg: ld 0xf00180 msgid 3 all 1
ber_get_next
ber_get_next: tag 0x30 len 18 contents:
read1msg: ld 0xf00180 msgid 3 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0xf00180 0 new referrals
read1msg:  mark request completed, ld 0xf00180 msgid 3
request done: ld 0xf00180 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_int_sasl_bind: GSSAPI
ldap_parse_sasl_bind_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (O) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
SASL username: USERNAME
SASL SSF: 256
ldap_pvt_sasl_generic_install
SASL data security layer installed.
ldap_msgfree
...
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
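The two "-d 9" traces in the comment above diverge at exactly one line before the SASL exchange starts: the RHEL package logs `ldap_int_sasl_open: host=yourldapserver.lan`, the self-built binary logs `ldap_int_sasl_open: host=dc.yourldapserver.lan`. That host is what the Cyrus SASL GSSAPI mechanism turns into the `ldap/<host>` service principal it asks the KDC for, and whether libldap reverse-resolves the connect address to produce it is controlled by the `SASL_NOCANON` option in ldap.conf(5), so it is the first thing to compare between the two environments (krb5.conf `dns_canonicalize_hostname` is the other side of the same question). The script below is an added example, not part of this bug report and not OpenLDAP code: it extracts the SASL-relevant facts from an ldapsearch debug trace and diffs two runs mechanically. The two sample traces are constructed excerpts of the ones posted above; the line formats they match are the ones visible in those traces.

```python
import re
from typing import Optional

# Constructed excerpts of the two `ldapsearch -Y GSSAPI -d 9` traces above
# (RHEL package vs. self-built 2.4.46); only the SASL-relevant lines are kept.
FAILING_TRACE = """\
ldap_connect_to_host: TCP yourldapserver.lan:389
ldap_connect_to_host: Trying 1.2.3.4:389
ldap_int_sasl_open: host=yourldapserver.lan
SASL/GSSAPI authentication started
sasl_client_step: -1
ldap_sasl_interactive_bind_s: Local error (-2)
\tadditional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Success)
"""

WORKING_TRACE = """\
ldap_connect_to_host: TCP yourldapserver.lan:389
ldap_connect_to_host: Trying 1.2.3.4:389
ldap_int_sasl_open: host=dc.yourldapserver.lan
SASL/GSSAPI authentication started
sasl_client_step: 1
sasl_client_step: 0
SASL username: USERNAME
SASL SSF: 256
SASL data security layer installed.
"""

# One regex per libldap/SASL debug line we care about.
LINE_PATTERNS = {
    "connect_host": re.compile(r"^ldap_connect_to_host: TCP (\S+?):\d+"),
    "connect_addr": re.compile(r"^ldap_connect_to_host: Trying (\S+?):\d+"),
    "sasl_host": re.compile(r"^ldap_int_sasl_open: host=(\S+)"),
    "step": re.compile(r"^sasl_client_step: (-?\d+)"),
    "username": re.compile(r"^SASL username: (\S+)"),
    "ssf": re.compile(r"^SASL SSF: (\d+)"),
    "error": re.compile(r"^\s*additional info: (.*)$"),
}


def summarize_trace(trace: str) -> dict:
    """Reduce a -d 9 trace to the facts that decide a GSSAPI bind."""
    summary: dict = {
        "connect_host": None, "connect_addr": None, "sasl_host": None,
        "steps": [], "username": None, "ssf": None, "error": None,
    }
    for line in trace.splitlines():
        for key, pattern in LINE_PATTERNS.items():
            match = pattern.match(line)
            if not match:
                continue
            if key == "step":
                # One entry per SASL round trip; -1 means the mechanism failed.
                summary["steps"].append(int(match.group(1)))
            elif key == "ssf":
                summary["ssf"] = int(match.group(1))
            else:
                summary[key] = match.group(1)
            break
    # A bind succeeded only if a security layer was negotiated and no error was logged.
    summary["bound"] = summary["ssf"] is not None and summary["error"] is None
    # The GSSAPI mechanism builds the service principal from the SASL host
    # (service "ldap"); the realm is resolved by libkrb5, so it is omitted here.
    host: Optional[str] = summary["sasl_host"]
    summary["service_principal"] = f"ldap/{host}" if host else None
    # True when libldap rewrote the URI host (reverse DNS canonicalisation)
    # before handing it to SASL; SASL_NOCANON in ldap.conf controls this.
    summary["host_rewritten"] = host is not None and host != summary["connect_host"]
    return summary


def compare_traces(trace_a: str, trace_b: str) -> dict:
    """Return {field: (value_in_a, value_in_b)} for every field that differs."""
    a, b = summarize_trace(trace_a), summarize_trace(trace_b)
    return {key: (a[key], b[key]) for key in a if a[key] != b[key]}


if __name__ == "__main__":
    for field, (failing, working) in compare_traces(FAILING_TRACE, WORKING_TRACE).items():
        print(f"{field:18} failing={failing!r:45} working={working!r}")
```

Running it on the two excerpts reports `sasl_host` and `service_principal` as the first differing fields (`ldap/yourldapserver.lan` vs `ldap/dc.yourldapserver.lan`), while `connect_host` and `connect_addr` are identical, which is how the two traces above differ as well. To use it on real runs, paste each full `-d 9` output into a file and feed the file contents to `compare_traces`; the regexes ignore every line they do not recognise.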
I think the issue could be with the configuration, as all of our tests for RHEL 8 pass. Yes, we use additional patches for certain features used by SSSD, so it could be a misconfiguration issue on your side... Please provide more information about your setup and attach the config files for OpenLDAP and SSSD (and Active Directory, if possible). I'll check it, and if my knowledge of this topic isn't enough, I'll transition the issue to the SSSD team.