Troubleshooting
No worthy mechs found
ldap.AUTH_UNKNOWN: {'desc': 'Unknown authentication method', 'errno': 22, 'info': 'SASL(-4): no mechanism available: No worthy mechs found'}
You need to install the GSSAPI SASL modules. On Debian:
apt install libsasl2-modules-gssapi-mit
Insufficient access
ldap.INSUFFICIENT_ACCESS: {'desc': 'Insufficient access', 'info': '00002098: Object CN=adtest,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=ad-test,DC=vx has no write property access\n'}
The ADMan user needs to be a member of Domain Admins.
Once this change has been made, you must remove the stale credential cache, e.g.:
rm /tmp/domain-janitor.cc
Server not found in Kerberos database
SASL: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database).
Various problems can lead to this error. One common case I’ve encountered is that a reverse DNS (PTR) record does not exist for the DC(s).
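One way to check for the missing PTR case, as an added example that is not part of ADMan: for each DC hostname given on the command line, look up its addresses and confirm that every address has a PTR record mapping back to the same name. The function names are this example's own, and lookups go through the system resolver via Python's socket module.

```python
import socket
import sys


def forward_addrs(host):
    """Return the sorted list of IP addresses the name resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def reverse_name(addr):
    """Return the PTR name for addr, or None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_dc_ptr(dc_host, forward=forward_addrs, reverse=reverse_name):
    """Check each address of a DC for a PTR record that maps back to it.

    Returns a list of (address, ptr_name, status) tuples, where status is
    'ok', 'missing' (no PTR record) or 'mismatch' (PTR names another host).
    The forward/reverse parameters let a caller substitute its own resolvers.
    """
    want = dc_host.rstrip(".").lower()
    results = []
    for addr in forward(dc_host):
        ptr = reverse(addr)
        if ptr is None:
            status = "missing"
        elif ptr.rstrip(".").lower() == want:
            status = "ok"
        else:
            status = "mismatch"
        results.append((addr, ptr, status))
    return results


if __name__ == "__main__":
    # Usage: python check_dc_ptr.py <dc-fqdn> [<dc-fqdn> ...]
    for dc in sys.argv[1:]:
        for addr, ptr, status in check_dc_ptr(dc):
            print(f"{dc} {addr} PTR={ptr} {status}")
```

Any DC reported as missing or mismatch needs its PTR record created or corrected in the reverse zone.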