Can't query AD using Kerberos from Linux host

I've found that specifying "-O maxssf=0" on the ldapsearch command line is necessary in order for GSSAPI AD searches to work properly. The following command works for me to search the AD global catalog via an SSL connection:

ldapsearch -LLL -O maxssf=0 -Y GSSAPI -H ldaps://ad.realm.local:3269 -b "dc=realm,dc=local" '(sAMAccountName=userid)'

Also, in order for Kerberos authentication to work with ldapsearch, DNS must be properly configured for reverse IP lookups. If not, you'll get a "cannot determine realm for numeric host address" error. If necessary, you can put the IP and hostname of your AD server in your hosts file to get it working.


From the ldapsearch(1) manpage:

-Y mech
Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.

For example:

ldapsearch -Y GSSAPI -b "dc=example,dc=com" uid=user

Assuming your /etc/gssapi_mech.conf looks something like:

# grep -v ^# /etc/gssapi_mech.conf
libgssapi_krb5.so.2             mechglue_internal_krb5_init
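The two answers above give the raw ldapsearch invocation and the -Y GSSAPI flag; what neither shows is the surrounding checks a practitioner would script around them. The wrapper below is an added example and is not code from either answer or from OpenLDAP: it checks that a Kerberos ticket is cached before attempting the GSSAPI bind, escapes the account name before interpolating it into the (sAMAccountName=...) filter so that a value such as `*` or `a)(objectClass=*` cannot widen the search (RFC 4515 escaping), runs the first answer's command with -O maxssf=0 against the global catalog on ldaps port 3269, and maps the "cannot determine realm for numeric host address" error the first answer describes back to its reverse-DNS remediation. The host name ad.realm.local, port 3269 and base DN dc=realm,dc=local are taken from the first answer's command; the remediation text and the AD_HOST/AD_PORT/BASE_DN environment overrides are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the answers above: a wrapper around the GSSAPI
# ldapsearch command from the first answer, with preflight checks and
# filter-value escaping. AD_HOST, AD_PORT and BASE_DN defaults repeat the
# answer's command; the override variables themselves are an assumption.

AD_HOST="${AD_HOST:-ad.realm.local}"      # AD DC / global catalog host
AD_PORT="${AD_PORT:-3269}"                # global catalog over TLS (LDAPS)
BASE_DN="${BASE_DN:-dc=realm,dc=local}"   # search base

# Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
# Backslash is escaped first so the escapes added afterwards are not
# re-escaped; then '*', '(' and ')' so the value cannot become a wildcard
# or inject an extra filter clause.
ldap_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' \
                             -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g' \
                             -e 's/)/\\29/g'
}

# Build the equality filter the first answer uses, with the value escaped.
account_filter() {
    printf '(sAMAccountName=%s)\n' "$(ldap_escape "$1")"
}

# Map ldapsearch/GSSAPI stderr to a remediation. Prints the hint on stdout;
# returns 0 for the failure the first answer describes, 1 for anything else.
diagnose() {
    case "$1" in
        *"cannot determine realm for numeric host address"*)
            echo "reverse DNS lookup of the AD server IP failed: add a PTR record, or put the IP and hostname in /etc/hosts"
            return 0 ;;
        *)
            echo "no known remediation for this error; inspect the text above"
            return 1 ;;
    esac
}

# klist -s is silent and exits 0 only when the credential cache holds
# unexpired tickets, so a GSSAPI bind has something to work with.
have_tgt() { klist -s 2>/dev/null; }

# The query itself. maxssf=0 disables the SASL security layer (no GSSAPI
# sign/seal); that is acceptable here only because the ldaps:// URL already
# protects the session with TLS. With plain ldap:// the searches would travel
# unprotected after the Kerberos bind.
run_query() {
    if ! have_tgt; then
        echo "no Kerberos ticket cached; run kinit first" >&2
        return 2
    fi
    err=$(mktemp)
    if ldapsearch -LLL -O maxssf=0 -Y GSSAPI \
            -H "ldaps://${AD_HOST}:${AD_PORT}" -b "$BASE_DN" \
            "$(account_filter "$1")" 2>"$err"; then
        status=0
    else
        status=$?
        cat "$err" >&2
        diagnose "$(cat "$err")" >&2
    fi
    rm -f "$err"
    return "$status"
}

# Usage: ./adquery.sh --run jdoe
if [ "${1:-}" = "--run" ]; then
    run_query "${2:-}"
fi
```

The functions are separated from the top-level run so the escaping and diagnosis logic can be exercised without a domain controller reachable; only run_query touches the network, and it refuses to start without a cached TGT rather than letting ldapsearch fail with a less specific SASL error.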