I am seeing problems when using adcli to join a RHEL7 machine to a Windows domain:

```
couldn't connect to local.net domain: couldn't authenticate to active directory: SASL( -7): invalid parameter supplied: unable to find a callback: 32775
```

SSSD configuration is good (same as working box), Kerberos config is good (could kinit). I have even tried removing a working box from AD and re-adding it: that worked fine too.

shearn89

1 Answer

It turned out in this case to be a problem with the OpenLDAP configuration. In /etc/openldap/ldap.conf I had a line:

```
sasl_secprops minssf=0,maxssf=0
```

This line doesn't break machines that are already joined to the domain, but it does break the joining process!

I simply removed the line, but I expect (from my googling of the properties) that setting them to something other than 0 would work as well.

shearn89
  • The line in `/etc/openldap/ldap.conf` is needed when you, for example, do ldapsearch and authenticate with Kerberos credentials. – Jimmy Hedman Jan 30 '17 at 14:17
  • @JimmyHedman You can also use `-O maxssf=0` on the ldapsearch command line, so technically the line in `/etc/openldap/ldap.conf` is not needed. – DomQ Sep 05 '18 at 14:07
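
A check for the setting identified in the answer above, written as an added example (not part of the original answer or comments): it lists active `sasl_secprops` lines that set `maxssf=0` in an ldap.conf-style file, so the setting can be spotted before a join is attempted. The function name `find_maxssf_zero` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sasl_secprops lines that cap the SASL security
# strength factor at 0 in an ldap.conf-style file.

# Print "file:line: text" for every active sasl_secprops line containing
# maxssf=0. Returns 0 if at least one is found, 1 if none, 2 if unreadable.
find_maxssf_zero() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*#/ { next }                         # commented-out lines are inactive
        tolower($1) == "sasl_secprops" {            # option names are case-insensitive
            props = tolower($0)
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", props)  # drop the option name
            gsub(/[ \t]/, "", props)                # tolerate spaces after commas
            n = split(props, p, ",")
            hit = 0
            for (i = 1; i <= n; i++)
                if (p[i] ~ /^maxssf=0+$/) hit = 1
            if (hit) {
                printf "%s:%d: %s\n", FILENAME, FNR, $0
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Demo on a constructed sample file (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample ldap.conf
URI ldap://dc.example.test
#sasl_secprops maxssf=0
SASL_SECPROPS minssf=0,maxssf=0
EOF

if find_maxssf_zero "$sample"; then
    echo "maxssf=0 is set: remove or adjust it before joining the domain"
else
    echo "no active maxssf=0 setting found"
fi
rm -f "$sample"
```

On a real host, call `find_maxssf_zero /etc/openldap/ldap.conf`, the path named in the answer.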