
I am trying to get nslcd to connect to an LDAP instance using GSSAPI and Kerberos authentication. The problem I'm having is that nslcd keeps using the wrong principal to try and connect to the remote LDAP server.

My guess is it is using a reverse DNS lookup to get the principal; however, I am unable to set up a reverse DNS record for the instance on AWS. I have set rdns = false in my krb5.conf file, however it continues using the reverse DNS principal name.

Is there a way to tell nslcd what principal to use or stop it doing a reverse dns lookup and use the hostname itself?

It's using MIT Kerberos and OpenLDAP, if that makes any difference.

This is the log output and the command running k5start:

/usr/bin/k5start -b -p /var/run/nslcd/k5start_nslcd.pid -o nslcd -g nslcd -m 600 -f /etc/krb5.keytab -K 60 -u host/auth-02.example.com -k /tmp/nslcd.cc

Jul 20 14:55:20 auth-02.example.com nslcd[10585]: GSSAPI client step 1
Jul 20 14:55:20 auth-02.example.com nslcd[10585]: GSSAPI client step 1
Jul 20 14:55:20 auth-02.example.com nslcd[10585]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/COMPUTE-1.AMAZONAWS.COM@WEREQUIRE.COM not found in Kerberos database)
Jul 20 14:55:20 auth-02.example.com nslcd[10585]: [8b4567] <group/member="nslcd"> failed to bind to LDAP server ldap://auth-01.example.com: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/C...
Jul 20 14:55:20 auth-02.example.com nslcd[10585]: GSSAPI client step 1
Jul 20 14:55:20 auth-02.example.com nslcd[10585]: GSSAPI client step 1
Jul 20 14:55:20 auth-02.example.com nslcd[10585]: GSSAPI client step 1
Jul 20 14:55:20 auth-02.example.com nslcd[10585]: GSSAPI client step 1
Jul 20 14:55:20 auth-02.example.com nslcd[10585]: GSSAPI client step 2
Jul 20 14:55:20 auth-02.example.com nslcd[10585]: [8b4567] <group/member="nslcd"> connected to LDAP server ldap://auth-02.example.com

1 Answer

I found the answer in nslcd.conf. By adding the option sasl_canonicalize no, it will stop doing a DNS reverse lookup and use the hostname instead.

Thoro
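To put the answer in context, here is a constructed nslcd.conf fragment (not the asker's file or anything from the nss-pam-ldapd project) showing the setting next to the GSSAPI options it interacts with. The host names and credential cache path are taken from the question; the base DN, uid/gid and the REALM placeholder are assumptions. Letting the client derive the service principal from a PTR record means whoever controls reverse DNS for the server's address influences which principal is requested, so pinning it to the configured host name is the safer default as well as the fix for the error above.

```conf
# Constructed example nslcd.conf fragment illustrating the fix; not the asker's file.
# Host names and ticket cache path come from the question; base DN, uid/gid and
# <REALM> are assumptions / placeholders.
uid nslcd
gid nslcd

# LDAP server and search base (base DN is a placeholder).
uri ldap://auth-01.example.com
base dc=example,dc=com

# Bind with GSSAPI, reading the ticket cache that k5start keeps renewed
# (matches the "-k /tmp/nslcd.cc" argument in the question).
sasl_mech GSSAPI
krb5_ccname /tmp/nslcd.cc

# Without this, the SASL/GSSAPI layer may reverse-resolve the server's IP and
# build the service principal from the PTR name. On EC2 that is a
# *.compute-1.amazonaws.com name, whose domain maps to a realm the KDC does not
# know, which is why the log shows a lookup for
# krbtgt/COMPUTE-1.AMAZONAWS.COM@... failing. With "no", nslcd uses the host
# name from "uri", so the requested principal is ldap/auth-01.example.com@<REALM>.
sasl_canonicalize no
```

After changing the file, restart nslcd and check the log for "connected to LDAP server ldap://auth-01.example.com" without a preceding GSSAPI error.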