List:       openldap-technical
Subject:    Re: ldapsearch + read-only domain controller: cannot bind
From:       Mark Pröhl <mark () mproehl ! net>
Date:       2016-06-24 11:05:19
Message-ID: 576D13EF.3060301 () mproehl ! net


On 06/22/2016 10:28 AM, Dieter Klünter wrote:
> On Tue, 21 Jun 2016 11:55:35 +0300
> l(a)avc.su wrote:
> 
>> Hi Mark.
>>
>> Thank you, looks like the problem is not related to OpenLDAP package.
>> I've tried to get a service ticket for
>> ldap/dc.contoso.com(a)CONTOSO.COM, but to no avail:
> [...]
> 
> As I mentioned in my first post, Linux kerberized clients require a
> host principal and a service principal. Read the Microsoft docs on
> Kerberos services for Unix.
> 

You do not need a kerberized Linux client for performing a kerberized
ldapsearch command in this scenario. No host principal or any other
service principals for the Linux systems are required to do this. The
ldapsearch command fails to retrieve the LDAP service ticket for the RODC.

- Mark



