<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 03/12/2014 05:07 PM, Todd Maugh
wrote:<br>
</div>
<blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E22965ED@EXCHMB1-ELS.BWINC.local"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">so to verify this<br>
<br>
I am able to log in to the AD server as idmadmin with the
password I'm using in the winsync agreement.<br>
</div>
</blockquote>
<br>
I guess you mean that login to Windows using the standard Windows
login dialog is working correctly? And that this is still not
working correctly:<br>
<br>
[<a class="moz-txt-link-abbreviated" href="mailto:root@idm-master-els.ops.boingo.com">root@idm-master-els.ops.boingo.com</a> ipa]$
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch
-xLLLZZ -h adc13-els.bwinc.local -D
"cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" -s base -b
"cn=Users,dc=bwinc,dc=local"<br>
<br>
Do you have the Windows administrator password? If so, can you try
something like this:<br>
<br>
[<a class="moz-txt-link-abbreviated" href="mailto:root@idm-master-els.ops.boingo.com">root@idm-master-els.ops.boingo.com</a> ipa]$
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch
-xLLLZZ -h adc13-els.bwinc.local -D
"cn=administrator,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" -s base -b
"cn=Users,dc=bwinc,dc=local"<br>
<br>
Is AD configured to allow external LDAP binds?<br>
<br>
<blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E22965ED@EXCHMB1-ELS.BWINC.local"
type="cite">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">
Is there a log I can look at to see what it is getting tripped
up on?<br>
</div>
</blockquote>
<br>
I suppose you could try somewhere in the Windows Event Viewer . . .<br>
<br>
<blockquote
cite="mid:6FB698E172A95F49BE009B36D56F53E22965ED@EXCHMB1-ELS.BWINC.local"
type="cite">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">
<br>
I double checked all the security groups for the AD user and
they all look good<br>
<br>
<br>
<div style="font-family: Times New Roman; color: #000000;
font-size: 16px">
<hr tabindex="-1">
<div style="direction: ltr;" id="divRpF526746"><font
color="#000000" face="Tahoma" size="2"><b>From:</b> Rich
Megginson [<a class="moz-txt-link-abbreviated" href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>]<br>
<b>Sent:</b> Wednesday, March 12, 2014 3:47 PM<br>
<b>To:</b> Todd Maugh; <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] [freeipa] Issues with
Winsync agreement<br>
</font><br>
</div>
<div>
<div class="moz-cite-prefix">On 03/12/2014 04:39 PM, Todd
Maugh wrote:<br>
</div>
<blockquote type="cite">
<div style="direction:ltr; font-family:Tahoma;
color:#000000; font-size:10pt">thanks Rich,<br>
<br>
when I run that I get the following:<br>
<br>
<br>
<b><font color="FF0000">[<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:root@idm-master-els.ops.boingo.com"
target="_blank">root@idm-master-els.ops.boingo.com</a>
ipa]$
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM
ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D
"cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX"
-s base -b "cn=Users,dc=bwinc,dc=local"<br>
ldap_bind: Invalid credentials (49)<br>
</font></b></div>
</blockquote>
<br>
<b><font color="FF0000">Invalid credentials almost always means your
password "XXXXXX" is not correct for user
"cn=idmadmin,cn=Users,dc=bwinc,dc=local"<br>
<br>
</font></b>
<blockquote type="cite">
<div style="direction:ltr; font-family:Tahoma;
color:#000000; font-size:10pt"><b><font color="FF0000">
additional info: 80090308: LdapErr: DSID-0C0903C5,
comment: AcceptSecurityContext error, data 52e,
v2580<br>
</font></b><br>
<br>
<br>
<div style="font-family:Times New Roman; color:#000000;
font-size:16px">
<hr tabindex="-1">
<div id="divRpF268373" style="direction:ltr"><font
color="#000000" face="Tahoma" size="2"><b>From:</b>
Rich Megginson [<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>]<br>
<b>Sent:</b> Wednesday, March 12, 2014 3:30 PM<br>
<b>To:</b> Todd Maugh; <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:freeipa-users@redhat.com"
target="_blank">
freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] [freeipa]
Issues with Winsync agreement<br>
</font><br>
</div>
<div>
<div class="moz-cite-prefix">On 03/12/2014 04:18 PM,
Todd Maugh wrote:<br>
</div>
<blockquote type="cite">
<div style="direction:ltr; font-family:Tahoma;
color:#000000; font-size:10pt">Hello.<br>
<br>
I'm using the latest IPA build on Red Hat 6.5<br>
<br>
I retrieved my CA cert from the AD Domain
controller<br>
<br>
I try to set up my winsync agreement and I am
getting this<br>
<br>
<br>
<br>
[<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:root@idm-master-els.ops.boingo.com"
target="_blank">root@idm-master-els.ops.boingo.com</a>
ipa]$ ipa-replica-manage connect --winsync
--binddn "cn=idmadmin, cn=Users, dc=bwinc,
dc=local" --bindpw "XXXXXX" --passsync "XXXXXX"
--cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer
adc13-els.bwinc.local<br>
Directory Manager password: <br>
<br>
Added CA certificate
/etc/openldap/cacerts/ADC13-ELS.CA.cer to
certificate database for
idm-master-els.ops.boingo.com<br>
ipa: INFO: Failed to connect to AD server
adc13-els.bwinc.local<br>
ipa: INFO: The error was: {'info': '80090308:
LdapErr: DSID-0C0903C5, comment:
AcceptSecurityContext error, data 52e, v2580',
'desc': 'Invalid credentials'}<br>
Failed to setup winsync replication<br>
<br>
<br>
Not sure where to look for the logs for this to
see what the invalid credentials are, or whether
this might still be a cert issue or a login
issue or what not?<br>
</div>
</blockquote>
<br>
You can test with ldapsearch like this:<br>
<br>
$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM
ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D
"cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX"
-s base -b "cn=Users,dc=bwinc,dc=local"<br>
<br>
<blockquote type="cite">
<div style="direction:ltr; font-family:Tahoma;
color:#000000; font-size:10pt"><br>
<br>
Thanks in advance for the help<br>
<br>
-Todd<br>
<br>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"
target="_blank"></fieldset>
<br>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
<br>
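The thread turns on reading the "data 52e" part of the AcceptSecurityContext diagnostic that Active Directory attaches to an LDAP result 49. The following is an added example, not code from the thread or from FreeIPA: it parses that diagnostic string (and the <code>ipa: INFO: The error was: {...}</code> line that ipa-replica-manage prints) and maps the data sub-code to its meaning. The sub-code table is the standard set of Active Directory bind sub-codes (52e bad password, 525 user not found, 533 account disabled, 775 locked out, and so on); the function names and the second sample line (data 775) are my own constructions, while the first sample line is the one shown in the thread.<br>

```python
import ast
import re

# Standard Active Directory sub-codes returned in the "data" field of an
# AcceptSecurityContext bind failure. Every one of these comes back as LDAP
# result 49 "Invalid credentials", so the sub-code is where the detail lives.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password)",
    "530": "logon not permitted at this time (logon hours restriction)",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of the diagnostic string, e.g.
# "80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580"
_DIAG_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),\s*"
    r"comment:\s*(?P<comment>[^,]+),\s*data\s+(?P<data>[0-9A-Fa-f]+),\s*"
    r"v(?P<version>[0-9A-Fa-f]+)"
)


def parse_ad_bind_error(message):
    """Split an AD bind diagnostic into hresult, DSID, comment, data and version,
    and attach a human-readable meaning for the data sub-code.
    Returns None when the string does not have the expected shape."""
    m = _DIAG_RE.search(message)
    if not m:
        return None
    fields = m.groupdict()
    fields["data"] = fields["data"].lower()
    fields["meaning"] = AD_BIND_SUBCODES.get(fields["data"], "unknown sub-code")
    return fields


def explain_ipa_error(log_line):
    """Take an ipa-replica-manage line of the form
    "ipa: INFO: The error was: {'info': '...', 'desc': 'Invalid credentials'}",
    evaluate the dict payload safely and return (desc, parsed info).
    Returns None when the line carries no such payload."""
    marker = "The error was: "
    idx = log_line.find(marker)
    if idx < 0:
        return None
    try:
        payload = ast.literal_eval(log_line[idx + len(marker):].strip())
    except (ValueError, SyntaxError):
        return None
    if not isinstance(payload, dict):
        return None
    return payload.get("desc"), parse_ad_bind_error(payload.get("info", ""))


# Sample input: the first line is copied from the thread's output, the second
# is a constructed variant (hypothetical locked-out account) for comparison.
SAMPLE_LINES = [
    "ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, "
    "comment: AcceptSecurityContext error, data 52e, v2580', "
    "'desc': 'Invalid credentials'}",
    "ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, "
    "comment: AcceptSecurityContext error, data 775, v2580', "
    "'desc': 'Invalid credentials'}",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = explain_ipa_error(line)
        if result is None:
            print("no AD diagnostic found in:", line)
            continue
        desc, info = result
        print(f"{desc}: data {info['data']} -> {info['meaning']}")
```

Running it on the thread's own line prints "Invalid credentials: data 52e -> invalid credentials (bad password)", which is the same conclusion Rich draws above; the sub-code is what distinguishes a wrong password from a disabled or locked account, which the top-level result 49 alone does not.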
</body>
</html>