Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#1003067: sssd: ssd offline SASL: No worthy mechs found
254 views
Skip to first unread message
leonardo
Jan 3, 2022, 11:00:03 AM1/3/22
to
Package: sssd
Version: 2.6.1-1
Severity: important
X-Debbugs-Cc: leon...@leone2000.net
Dear Maintainer,
I had some authentication problems, in /var/log/sssd/sssd_<MYDOMAIN>.log:
* (2022-01-02 0:01:25): [be[MYDOMAIN]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSS-SPNEGO, user: PCLEONOVO$
* (2022-01-02 0:01:25): [be[MYDOMAIN]] [ad_sasl_log] (0x0040): SASL: No worthy mechs found
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-01-02 0:01:25): [be[MYDOMAIN]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
(2022-01-02 0:01:25): [be[MYDOMAIN]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-01-02 0:01:25): [be[MYDOMAIN]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
* (2022-01-02 0:01:25): [be[MYDOMAIN]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-4): no mechanism available: No worthy mechs found]
* (2022-01-02 0:01:25): [be[MYDOMAIN]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
********************** BACKTRACE DUMP ENDS HERE *********************************
I tried to unjoin and now, when i try to join again, adcli returns:
* Using GSS-SPNEGO for SASL bind
! Couldn't authenticate to active directory: SASL(-4): no mechanism available: No worthy mechs found
adcli: couldn't connect to MYDOMAIN domain: Couldn't authenticate to active directory: SASL(-4): no mechanism available: No worthy mechs found
! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain
This happened after upgrade from from 2.5.2 to 2.6.1 (no problem with 2.5.2), the AD domain is Windows 2012r2 patched with november 2021 updates.
-- System Information:
Debian Release: bookworm/sid
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.15.0-2-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages sssd depends on:
ii python3-sss 2.6.1-1
ii sssd-ad 2.6.1-1
ii sssd-common 2.6.1-1
ii sssd-ipa 2.6.1-1
ii sssd-krb5 2.6.1-1
ii sssd-ldap 2.6.1-1
ii sssd-proxy 2.6.1-1
sssd recommends no packages.
sssd suggests no packages.
-- no debconf information
Version: 2.6.1-1
Severity: important
X-Debbugs-Cc: leon...@leone2000.net
Dear Maintainer,
I had some authentication problems, in /var/log/sssd/sssd_<MYDOMAIN>.log:
* (2022-01-02 0:01:25): [be[MYDOMAIN]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSS-SPNEGO, user: PCLEONOVO$
* (2022-01-02 0:01:25): [be[MYDOMAIN]] [ad_sasl_log] (0x0040): SASL: No worthy mechs found
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-01-02 0:01:25): [be[MYDOMAIN]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
(2022-01-02 0:01:25): [be[MYDOMAIN]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-01-02 0:01:25): [be[MYDOMAIN]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-6)[Unknown authentication method]
* (2022-01-02 0:01:25): [be[MYDOMAIN]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-4): no mechanism available: No worthy mechs found]
* (2022-01-02 0:01:25): [be[MYDOMAIN]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
********************** BACKTRACE DUMP ENDS HERE *********************************
I tried to unjoin and now, when i try to join again, adcli returns:
* Using GSS-SPNEGO for SASL bind
! Couldn't authenticate to active directory: SASL(-4): no mechanism available: No worthy mechs found
adcli: couldn't connect to MYDOMAIN domain: Couldn't authenticate to active directory: SASL(-4): no mechanism available: No worthy mechs found
! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain
This happened after upgrade from from 2.5.2 to 2.6.1 (no problem with 2.5.2), the AD domain is Windows 2012r2 patched with november 2021 updates.
-- System Information:
Debian Release: bookworm/sid
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.15.0-2-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages sssd depends on:
ii python3-sss 2.6.1-1
ii sssd-ad 2.6.1-1
ii sssd-common 2.6.1-1
ii sssd-ipa 2.6.1-1
ii sssd-krb5 2.6.1-1
ii sssd-ldap 2.6.1-1
ii sssd-proxy 2.6.1-1
sssd recommends no packages.
sssd suggests no packages.
-- no debconf information
leonardo
Jan 3, 2022, 4:00:03 PM1/3/22
to
Timo Aaltonen
Jan 4, 2022, 3:40:03 AM1/4/22
to
> Pkg-sssd-devel mailing list
> Pkg-sss...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-sssd-devel
>
this is caused by cyrus-sasl2, see:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1000152
--
t
0 new messages