TLS + GSSAPI ldap binds in 4.0.0alpha17-GIT-2d23dff

Stephen Gallagher sgallagh at redhat.com
Mon Aug 15 05:44:02 MDT 2011


On Mon, 2011-08-15 at 10:40 +0100, Lukasz Zalewski wrote:
> Hi all,
> After the update to alpha17 (from alpha12) we have not been able to 
> perform GSSAPI + TLS binds against the ldap server,
> i.e. after successful kinit the following:
> ldapsearch -ZZ -Y GSSAPI -h my.domain -b "dc=my,dc=domain" cn=somecn
> produces error message:
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
> 	additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used
> 
> TLS without GSSAPI and GSSAPI without TLS binds work fine. Has anyone 
> experienced this issue? Any help would be appreciated :)
> 
> Many thanks
> 
> Luk

Why are you trying to do GSSAPI+TLS? It's unnecessary overhead. If
you're doing a GSSAPI bind, then the GSSAPI tunnel has already encrypted
all of the communications. You're essentially just asking it to
re-encrypt everything a second time.

