Diffstat (limited to 'src/providers/ldap')
-rw-r--r--src/providers/ldap/ldap_child.c60
-rw-r--r--src/providers/ldap/sdap_async.c18
-rw-r--r--src/providers/ldap/sdap_async_connection.c6
3 files changed, 81 insertions, 3 deletions
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 3369d7098..a2e658395 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -136,6 +136,10 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
krb5_creds my_creds;
krb5_get_init_creds_opt options;
krb5_error_code krberr;
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry entry;
+ char *principal;
+ bool found;
int ret;
krberr = krb5_init_context(&context);
@@ -200,8 +204,57 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
krberr = krb5_kt_default(context, &keytab);
}
if (krberr) {
- DEBUG(2, ("Failed to read keytab file: %s\n",
+ DEBUG(0, ("Failed to read keytab file: %s\n",
sss_krb5_get_error_message(context, krberr)));
+
+ ret = EFAULT;
+ goto done;
+ }
+
+ /* Verify the keytab */
+ krberr = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (krberr) {
+ DEBUG(0, ("Cannot read keytab [%s].\n", keytab_name));
+
+ sss_log(SSS_LOG_ERR, "Error reading keytab file [%s]: [%d][%s]. "
+ "Unable to create GSSAPI-encrypted LDAP connection.",
+ keytab_name, krberr,
+ sss_krb5_get_error_message(context, krberr));
+
+ ret = EFAULT;
+ goto done;
+ }
+
+ found = false;
+ while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
+ krb5_unparse_name(context, entry.principal, &principal);
+ if (strcmp(full_princ, principal) == 0) {
+ found = true;
+ }
+ free(principal);
+ krb5_free_keytab_entry_contents(context, &entry);
+
+ if (found) {
+ break;
+ }
+ }
+ krberr = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (krberr) {
+ DEBUG(0, ("Could not close keytab.\n"));
+ sss_log(SSS_LOG_ERR, "Could not close keytab file [%s].",
+ keytab_name);
+ ret = EFAULT;
+ goto done;
+ }
+
+ if (!found) {
+ DEBUG(0, ("Principal [%s] not found in keytab [%s]\n",
+ full_princ, keytab_name));
+ sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: "
+ "Principal [%s] was not found. "
+ "Unable to create GSSAPI-encrypted LDAP connection.",
+ keytab_name, full_princ);
+
ret = EFAULT;
goto done;
}
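Review bot: The return value of `krb5_unparse_name(context, entry.principal, &principal);` is ignored, so when it fails `principal` is an uninitialized pointer that is then handed to `strcmp` and `free` — a crash or worse in a privileged helper that is supposed to be hardening error reporting. Check the result and skip the entry, and release the string with `krb5_free_unparsed_name` rather than bare `free` so the code does not depend on the library's allocator. The loop exit code in `ret` is also never examined, so a keytab read error other than end-of-keytab is reported as "principal not found", which sends the operator to the wrong place. If `keytab_name` can be NULL on the `krb5_kt_default` branch (the condition is outside the hunk), every new `%s` that prints it receives NULL; use `keytab_name ? keytab_name : "(default)"`. The enclosing function continues past the hunk.
```c
    found = false;
    while ((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) {
        krberr = krb5_unparse_name(context, entry.principal, &principal);
        if (krberr == 0) {
            found = (strcmp(full_princ, principal) == 0);
            krb5_free_unparsed_name(context, principal);
        }
        krb5_free_keytab_entry_contents(context, &entry);
        if (found) {
            break;
        }
    }
    /* … unchanged: krb5_kt_end_seq_get and its error path … */
    if (!found && ret != KRB5_KT_END) {
        DEBUG(0, ("Error reading keytab [%s]: %s\n",
                  keytab_name ? keytab_name : "(default)",
                  sss_krb5_get_error_message(context, ret)));
        ret = EFAULT;
        goto done;
    }
    /* … unchanged: "principal not found" report … */
```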
@@ -232,8 +285,11 @@ static int ldap_child_get_tgt_sync(TALLOC_CTX *memctx,
keytab, 0, NULL, &options);
if (krberr) {
- DEBUG(2, ("Failed to init credentials: %s\n",
+ DEBUG(0, ("Failed to init credentials: %s\n",
sss_krb5_get_error_message(context, krberr)));
+ sss_log(SSS_LOG_ERR, "Failed to initialize credentials using keytab [%s]: %s. "
+ "Unable to create GSSAPI-encrypted LDAP connection.",
+ keytab_name, sss_krb5_get_error_message(context, krberr));
ret = EFAULT;
goto done;
}
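Review bot: `sss_krb5_get_error_message(context, krberr)` is now evaluated twice for the same failure, once for the DEBUG line and once for the sss_log line. If that helper wraps `krb5_get_error_message`, each call allocates a string that must be released with `krb5_free_error_message`, so this doubles an existing leak; capture it once in a local (`const char *msg = sss_krb5_get_error_message(context, krberr);`), pass `msg` to both calls, and free it after logging if the helper's contract requires that. As in the earlier hunk, `keytab_name` reaches a `%s` here and may be NULL when the default keytab is in use. The enclosing function starts before and continues after the hunk.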
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
index 18f2bc0c5..fee3c11d0 100644
--- a/src/providers/ldap/sdap_async.c
+++ b/src/providers/ldap/sdap_async.c
@@ -764,7 +764,9 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx,
{
struct tevent_req *req = NULL;
struct sdap_get_generic_state *state = NULL;
+ char *errmsg;
int lret;
+ int optret;
int ret;
int msgid;
@@ -805,7 +807,21 @@ struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx,
DEBUG(3, ("ldap_search_ext failed: %s\n", ldap_err2string(lret)));
if (lret == LDAP_SERVER_DOWN) {
ret = ETIMEDOUT;
- } else {
+ optret = ldap_get_option(state->sh->ldap,
+ SDAP_DIAGNOSTIC_MESSAGE,
+ (void*)&errmsg);
+ if (optret == LDAP_SUCCESS) {
+ DEBUG(3, ("Connection error: %s\n", errmsg));
+ sss_log(SSS_LOG_ERR, "LDAP connection error: %s", errmsg);
+ ldap_memfree(errmsg);
+ }
+ else {
+ sss_log(SSS_LOG_ERR, "LDAP connection error, %s",
+ ldap_err2string(lret));
+ }
+ }
+
+ else {
ret = EIO;
}
goto fail;
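Review bot: `errmsg` is used after `ldap_get_option` without a NULL check; OpenLDAP can return LDAP_SUCCESS with a NULL diagnostic message when the server supplied none, and the `%s` in the following DEBUG and sss_log calls would then receive NULL. Guard with `if (optret == LDAP_SUCCESS && errmsg != NULL) {` and let the else branch log `ldap_err2string(lret)` as it already does. Note that the diagnostic message is server-supplied text written to syslog; it is correctly passed as a `%s` argument and must never become the format string. Stylistically, the blank line between the closing `}` and `else {` makes the else look like a stray statement — rejoin it as `} else {`. The enclosing function continues outside the hunk.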
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index fd1cc8c72..69baf1a34 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -153,11 +153,14 @@ struct tevent_req *sdap_connect_send(TALLOC_CTX *memctx,
DEBUG(3, ("ldap_start_tls failed: [%s] [%s]\n",
ldap_err2string(lret),
errmsg));
+ sss_log(SSS_LOG_ERR, "Could not start TLS. %s", errmsg);
ldap_memfree(errmsg);
}
else {
DEBUG(3, ("ldap_start_tls failed: [%s]\n",
ldap_err2string(lret)));
+ sss_log(SSS_LOG_ERR, "Could not start TLS. "
+ "Check for certificate issues.");
}
goto fail;
}
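Review bot: The fallback syslog message `"Could not start TLS. Check for certificate issues."` asserts a cause the code has not established — `ldap_start_tls` also fails on server refusal, an unsupported StartTLS extension or a dropped connection — while the real reason in `ldap_err2string(lret)` only reaches the debug log. Include it in both branches so the operator sees the actual error without raising the debug level: `sss_log(SSS_LOG_ERR, "Could not start TLS: [%s] [%s]", ldap_err2string(lret), errmsg);` and `sss_log(SSS_LOG_ERR, "Could not start TLS: [%s]", ldap_err2string(lret));`. The enclosing function begins before the hunk.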
@@ -236,11 +239,14 @@ static void sdap_connect_done(struct sdap_op *op,
DEBUG(3, ("ldap_install_tls failed: [%s] [%s]\n",
ldap_err2string(ret),
tlserr));
+ sss_log(SSS_LOG_ERR, "Could not start TLS encryption. %s", tlserr);
ldap_memfree(tlserr);
}
else {
DEBUG(3, ("ldap_install_tls failed: [%s]\n",
ldap_err2string(ret)));
+ sss_log(SSS_LOG_ERR, "Could not start TLS encryption. "
+ "Check for certificate issues.");
}
state->result = ret;