I have a domain-joined Windows 11 laptop running WSL2 and I have an instance of Ubuntu 24.04.3 LTS installed in WSL2.
I'm trying to use ldapsearch to run some queries, to help colleagues running an application on Linux. Currently I have it working with simple binds, but I'd like to get it running so that I don't have to type my password every time.
This is my /etc/ldap/ldap.conf:
    BASE dc=my,dc=domain,dc=com
    URI ldap://my.domain.com ldaps://my.domain.com
    TLS_CACERT /etc/ssl/certs/ca-certificates.crt

And a query like this works:

    ldapsearch -x -W -D "MYDOMAIN\MyUser" -s sub -b "OU=Users,OU=T2,DC=my,DC=domain,DC=com" "(samAccountName=AnotherUser)" givenName sn displayName

I figured I'd get a TGT from Kerberos and try to get SASL working. Using what I found online, I've installed a couple of packages:

    sudo apt install libsasl2-modules-gssapi-mit
    sudo apt install krb5-user

And got a Kerberos TGT:

    kinit -c /tmp/MyUser.cc.tmp MyUser

exporting it with:

    export KRB5CCNAME=/tmp/MyUser.cc.tmp

And now when I try:

    ldapsearch -Y GSSAPI -s sub -b "OU=Users,OU=T2,DC=my,DC=domain,DC=com" "(samAccountName=AnotherUser)" givenName sn displayName

First I see:

    ldap_initialize( <DEFAULT> )
    SASL/GSSAPI authentication started

And there's a multi-second pause and then:

    ldap_sasl_interactive_bind: Local error (-2)
    	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (KDC reply did not match expectations)

I've checked the supported mechanisms and it is supported:

    ldapsearch -H ldap://my.domain.com -x -b "" -s base -LLL supportedSASLMechanisms
    dn:
    supportedSASLMechanisms: GSSAPI
    supportedSASLMechanisms: GSS-SPNEGO
    supportedSASLMechanisms: EXTERNAL
    supportedSASLMechanisms: DIGEST-MD5

The ldapsearch version info is:

    ldapsearch: @(#) $OpenLDAP: ldapsearch 2.6.7+dfsg-1~exp1ubuntu8.2 (Dec 9 2024 02:50:18) $
    	Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
    	(LDAP library: OpenLDAP 20607)
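Added diagnostic example, not from the original post or any answer to it: a POSIX sh helper that checks the names MIT Kerberos compares when it raises "KDC reply did not match expectations", namely the realm in the ticket cache and the realms krb5.conf maps the domain to, since a realm written in lower case where the KDC answers in upper case is a frequent trigger for that error. It assumes an Active Directory KDC whose realm is the DNS domain in upper case; the klist and krb5.conf text it inspects offline is constructed from the host and user names in the post.

```shell
# Added diagnostic helper, not part of the original post. Assumes an Active Directory
# KDC, whose Kerberos realm is the DNS domain in UPPER CASE; the klist and krb5.conf
# samples below are constructed from the names in the post, not captured output.

# 0 when the realm part of a principal is already in canonical (upper-case) form.
realm_is_canonical() {
    realm=${1##*@}
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}
# SPN that ldapsearch -Y GSSAPI requests a service ticket for: ldap/<host>@<REALM>.
expected_ldap_spn() { printf 'ldap/%s@%s\n' "$1" "$2"; }
# Default principal from MIT `klist` output read on stdin.
klist_principal() { sed -n 's/^Default principal: //p'; }
# default_realm and [domain_realm] targets of a krb5.conf on stdin ("key = value" form) that are not upper case.
noncanonical_conf_realms() {
    awk '/^\[/ { sect = $0; next }
         sect == "[libdefaults]" && $1 == "default_realm" { v = $3 }
         sect == "[domain_realm]" && $2 == "=" { v = $3 }
         v != "" && toupper(v) != v { print v }
         { v = "" }'
}

# Constructed samples. A lower-case realm like this is a frequent trigger of
# "KDC reply did not match expectations": the KDC answers with MY.DOMAIN.COM and
# the client, which asked for my.domain.com, rejects the reply as modified.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/MyUser.cc.tmp
Default principal: MyUser@my.domain.com'
SAMPLE_KRB5CONF='[libdefaults]
    default_realm = MY.DOMAIN.COM
[domain_realm]
    .my.domain.com = my.domain.com
    my.domain.com = my.domain.com'

# Report on a klist dump ($1) and a krb5.conf body ($2); 0 only if both are canonical.
check_kerberos_names() {
    status=0
    princ=$(printf '%s\n' "$1" | klist_principal)
    realm_is_canonical "$princ" || { echo "warn: cache principal '$princ' has a non-canonical realm"; status=1; }
    bad=$(printf '%s\n' "$2" | noncanonical_conf_realms | sort -u | tr '\n' ' ')
    [ -z "$bad" ] || { echo "warn: krb5.conf maps to non-canonical realm(s): $bad"; status=1; }
    echo "service ticket the bind will request: $(expected_ldap_spn my.domain.com MY.DOMAIN.COM)"
    return $status
}

# Check the live cache and config when present, otherwise the constructed samples.
if klist >/dev/null 2>&1 && [ -r /etc/krb5.conf ]; then
    check_kerberos_names "$(klist)" "$(cat /etc/krb5.conf)"
else
    check_kerberos_names "$SAMPLE_KLIST" "$SAMPLE_KRB5CONF" || :
fi
```

On the laptop itself, a non-zero exit means the cache or krb5.conf names should be re-checked before looking at the LDAP side; `KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI ...` then shows which request the KDC answered differently.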