TLS + GSSAPI ldap binds in 4.0.0alpha17-GIT-2d23dff

Stephen Gallagher sgallagh at
Mon Aug 15 14:48:07 MDT 2011

On Aug 15, 2011, at 4:43 PM, Lukasz Zalewski <lukas at> wrote:

> On 15/08/2011 12:44, Stephen Gallagher wrote:
>> On Mon, 2011-08-15 at 10:40 +0100, Lukasz Zalewski wrote:
>>> Hi all,
>>> After the update to alpha17 (from alpha12) we have not been able to
>>> perform GSSAPI + TLS binds against the ldap server,
>>> i.e. after successful kinit the following:
>>> ldapsearch -ZZ -Y GSSAPI -h my.domain -b "dc=my,dc=domain" cn=somecn
>>> produces error message:
>>> SASL/GSSAPI authentication started
>>> ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
>>>    additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used
>>> TLS without GSSAPI and GSSAPI without TLS binds work fine. Has anyone
>>> experienced this issue? Any help would be apreciated :)
>>> Many thanks
>>> Luk
>> Why are you trying to do GSSAPI+TLS? It's unnecessary overhead. If
>> you're doing a GSSAPI bind, then the GSSAPI tunnel has already encrypted
>> all of the communications. You're essentially just asking it to
>> re-encrypt everything a second time.
> Hi Stephen,
> Can i assume that all of the data transmitted is also encrypted in that tunnel?

Barring implementation bugs, yes.

> Thanks
> Luk

More information about the samba-technical mailing list