[Freeipa-users] AD - Freeipa trust confusion

Dmitri Pal dpal at redhat.com
Thu Jan 2 13:41:05 UTC 2014


On 01/02/2014 07:38 AM, Andrew Holway wrote:
> I have gotten a little further along with this but am having problems
> connecting to the AD LDAP.
>
> [root at ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync
> --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw
> X9deiX9dei --passsync X9deiX9dei --cacert
> /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
>
> Directory Manager password:
>
> Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
> database for ipa.wibble.com
>
> ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.
>
> ipa: INFO: The error was: {'info': '00000000: LdapErr: DSID-0C090E17,
> comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server
> is unavailable'}
>
> Failed to setup winsync replication

Hello,

Trusts and winsync are mutually exclusive.
You either do one or the other. We do not have a way to move from one
configuration to another yet, and the decision should be made at
deployment time.

Which one do you prefer?
If you prefer trusts please follow the instructions on the wiki. The
guide is not updated yet, sorry.
http://www.freeipa.org/page/Trusts
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup

It seems that after the trust is established you try to log in and fail.
Can you provide more details about those attempts?
http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
also see other sections on the same page.

HTH
Thanks
Dmitri


>
> On 1 January 2014 22:27, Andrew Holway <andrew.holway at gmail.com> wrote:
>> Hello,
>>
>> I am attempting to set up trust between my test freeipa server at
>> ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.
>>
>> In the GUI I can see the following in "Trusts » prattle.com".
>>
>> Realm name: prattle.com
>> Domain NetBIOS name: PRATTLE
>> Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
>> Trust direction: Two-way trust
>> Trust type: Active Directory domain
>>
>> However I can't see any of the AD users that I have created, nor can I
>> log on to any of the systems under my freeipa realm.
>>
>> Jan  1 20:50:30 host002 sshd[9959]: Failed password for invalid user
>> bob from 10.51.120.1 port 55101 ssh2
>>
>> I haven't actually done anything to AD to facilitate this trust. It's
>> not particularly clear what should be done.
>>
>> Many thanks,
>>
>> Andrew


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

