[Pdns-users] RV: Fatal Error: Trying to set unknown parameter 'ldap-authmethod'

Michael Ströder michael at stroeder.com
Fri Feb 19 13:50:46 UTC 2021


On 2/19/21 10:31 AM, Dario García Díaz-Miguel via Pdns-users wrote:
> I had to add to the /etc/openldap/ldap.conf the following parameter:
> 
> SASL_MECH GSSAPI

FYI: If you don't want to set this globally you can set env var LDAPRC
or LDAPCONF to point to a service-specific ldap.conf.

See the details in man-page ldap.conf(5).

> GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_0) )
> [LDAP GSSAPI] ldap_sasl_interactive_bind_s returned -2
> [LDAP GSSAPI] No TGT found, trying to acquire a new one
> [LDAP GSSAPI] krb5 error when getting the TGT: Address family not supported by protocol

Do you have a correctly configured /etc/krb5.conf? Again you can point
to a service-specific Kerberos config with env var KRB5_CONFIG.

Also check the ownership and permissions of your keytab file to see
whether pdns can read it.

I'd also check whether it works to get a TGT with the keytab for the
expected client principal name. Assuming you're running pdns as user pdns:

runuser -u pdns kinit -t /etc/pdns.keytab pdns-service-principal@REALM.EXAMPLE.COM

I don't have a kerberized setup so all of the above is just from memory.

Ciao, Michael.
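An added example (not code from the thread or from PowerDNS) that scripts the two checks suggested in the reply: a POSIX sh function that verifies the keytab is readable by the service user through the owner or group bits and is not world-readable, plus a helper that builds the TGT test command with service-specific config files selected via KRB5_CONFIG and LDAPCONF. Assumed: service user pdns, keytab /etc/pdns.keytab, the principal and /etc/pdns/*.conf paths, and GNU stat.

```shell
#!/bin/sh
# Added example; assumed names: user pdns, /etc/pdns.keytab, /etc/pdns/*.conf.

# keytab_check USER FILE
# Returns 0 when USER can read FILE via the owner or group bits and the file
# is not readable by "other" (a keytab holds long-term keys, so it must never
# be world-readable). Prints the reason and returns 1 otherwise.
keytab_check() {
    user=$1 file=$2
    [ -f "$file" ] || { echo "keytab $file: not a regular file"; return 1; }
    owner=$(stat -c '%U' "$file") || return 1      # GNU stat assumed
    group=$(stat -c '%G' "$file") || return 1
    perm=$(stat -c '%a' "$file") || return 1
    perm=${perm#"${perm%???}"}                       # last three octal digits
    ou=${perm%??}; gr=${perm%?}; gr=${gr#?}; ot=${perm#??}
    if [ $((ot & 4)) -ne 0 ]; then
        echo "keytab $file: mode $perm is world-readable"; return 1
    fi
    groups=$(id -Gn "$user" 2>/dev/null) || { echo "user $user: unknown"; return 1; }
    if [ "$owner" = "$user" ] && [ $((ou & 4)) -ne 0 ]; then
        return 0
    fi
    for g in $groups; do                             # group read bit
        [ "$g" = "$group" ] && [ $((gr & 4)) -ne 0 ] && return 0
    done
    echo "keytab $file: $owner:$group mode $perm is not readable by $user"
    return 1
}

# tgt_test_cmd USER KEYTAB PRINCIPAL [KRB5_CONF] [LDAP_CONF]
# Prints the command that tries to obtain a TGT as the service user, pointing
# Kerberos and libldap at service-specific files (KRB5_CONFIG, LDAPCONF)
# instead of the global /etc/krb5.conf and /etc/openldap/ldap.conf.
tgt_test_cmd() {
    printf 'runuser -u %s -- env KRB5_CONFIG=%s LDAPCONF=%s kinit -k -t %s %s\n' \
        "$1" "${4:-/etc/krb5.conf}" "${5:-/etc/openldap/ldap.conf}" "$2" "$3"
}

# Example invocation (assumed paths); kinit only runs if the keytab check passes:
# keytab_check pdns /etc/pdns.keytab && sh -c "$(tgt_test_cmd pdns /etc/pdns.keytab \
#     pdns/dns.example.com@REALM.EXAMPLE.COM /etc/pdns/krb5.conf /etc/pdns/ldap.conf)"
```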

