TL;DR: Try using the IP address of the Domain Controller directly:
Code:
# List all the IP addresses (the domain name's A record round-robins across the DCs)
$ dig @contoso.com contoso.com
# Print your local IP address
$ ifconfig | grep 'inet '
# Pick the closest IP address to your local IP address and bind to that DC by IP
# (-h is the older form of -H ldap://host; -w leaves the password in the process list
#  and shell history, -W prompts for it instead)
$ ldapsearch -v -h 172.16.53.12 -U turiya.gouw -w 'MY_PASSWORD' -b 'DC=contoso,DC=com' '(objectClass=computer)'
I FINALLY got a single query to work, after getting this error time and again:
Code:
# I'm pretending that my login username is turiya.gouw@contoso.com, with a password of MY_PASSWORD.
# This search should find all computers in the domain, and since there MUST be at least one computer on the domain, it should always return a result
# I got this loads of times
$ ldapsearch -v -h contoso.com -U turiya.gouw -w 'MY_PASSWORD' -b 'DC=contoso,DC=com' '(objectClass=computer)'
ldap_initialize( ldap://contoso.com )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (Server (krbtgt/18.5.13@CONTOSO.COM) unknown)
But one time, it worked perfectly! So I figured, "Sweet, I've finally authenticated!" and then I tried it again and it didn't work!!! I was like, "hey wait wut?"
So it turned out that my Domain Controller was set to be fault tolerant and distributed. It had multiple computers running it, and I was "supposed to" use the one closest to me. I figured this out when I just did:
Code:
$ ping contoso.com
PING contoso.com (172.18.5.13): 56 data bytes
64 bytes from 172.18.5.13: icmp_seq=0 ttl=126 time=54.460 ms
64 bytes from 172.18.5.13: icmp_seq=1 ttl=126 time=54.861 ms
And I was like, "wow, 54ms? That's a slow domain controller!"
And then later, it said:
Code:
$ ping contoso.com
PING contoso.com (172.16.53.12): 56 data bytes
64 bytes from 172.16.53.12: icmp_seq=0 ttl=127 time=0.747 ms
64 bytes from 172.16.53.12: icmp_seq=1 ttl=127 time=1.016 ms
And I was like, "WAIT, that's 0ms! That's bloody quick!"
So it turned out that to force it to use the closest domain controller, I needed to do this, which worked 100% reliably:
Code:
$ ldapsearch -v -h 172.16.53.12 -U turiya.gouw -w 'MY_PASSWORD' -b 'DC=contoso,DC=com' '(objectClass=computer)'
You can find all of your domain controllers' IP addresses with:
Code:
$ dig @contoso.com contoso.com
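The manual procedure above (list the addresses behind the domain name, ping each, query the fastest one) scripted end to end. This is an added example, not code from the original post: contoso.com, the two addresses and the ping output in the self-test are constructed sample data, and the SRV lookup of _ldap._tcp.dc._msdcs.<domain> (the record AD clients use to enumerate DCs) is an addition the post does not use. It also swaps `-w 'MY_PASSWORD'` for `-W` so the password is prompted for rather than left in the process list and shell history.

```shell
#!/bin/sh
# Added example (not from the original post). Resolve every DC for a domain,
# measure the round-trip time to each, and run the computer search against
# the lowest-latency one. contoso.com and the addresses are sample data.

# Extract the average RTT (ms) from the summary line of `ping -c N -q host`.
# Handles the BSD/macOS line ("round-trip min/avg/max/stddev = ...") and
# the Linux one ("rtt min/avg/max/mdev = ..."). Reads stdin, prints one number.
ping_avg_ms() {
    sed -n 's|^.*= [0-9.]*/\([0-9.]*\)/.*$|\1|p'
}

# Read "host avg_ms" lines on stdin and print the host with the smallest avg_ms.
# Hosts that never answered (no second field) are dropped before sorting.
pick_closest() {
    awk 'NF == 2 { print }' | sort -k2,2n | head -n 1 | cut -d' ' -f1
}

# Print the closest DC for a domain. Prefers the AD SRV record
# _ldap._tcp.dc._msdcs.<domain> (target hostname is the 4th field of the
# answer); falls back to the domain's A records, which is what `ping contoso.com`
# was picking from in the post. Requires dig and ping; assumption: ICMP is allowed.
closest_dc() {
    domain=$1
    hosts=$(dig +short SRV "_ldap._tcp.dc._msdcs.$domain" | awk '{ print $4 }')
    [ -n "$hosts" ] || hosts=$(dig +short A "$domain")
    for h in $hosts; do
        avg=$(ping -c 3 -q "$h" 2>/dev/null | ping_avg_ms)
        echo "$h $avg"
    done | pick_closest
}

# Run the domain-wide computer search against one specific DC.
# -H ldap://host is the current form of -h host; -W prompts for the password.
search_computers() {
    dc=$1; user=$2; base=$3
    ldapsearch -v -H "ldap://$dc" -U "$user" -W -b "$base" '(objectClass=computer)'
}

# Live usage (needs the real domain):
#   dc=$(closest_dc contoso.com)
#   search_computers "$dc" turiya.gouw 'DC=contoso,DC=com'
```

The script pins the bind to one DC by address, exactly as the TL;DR does, so each run talks to the same server instead of whichever address the resolver hands out that time. If the SRV lookup returns hostnames rather than IPs, `ldapsearch` still connects to the single host chosen, which is what matters for reproducibility.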