<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 03/19/2015 05:10 AM, Gonzalo
      Fernandez Ordas wrote:<br>
    </div>
    <blockquote cite="mid:550A9276.7060409@unicyber.co.uk" type="cite">
      Hi<br>
      <br>
      I have completely changed the scenario and I managed to install
      freeipa-server 4.1 (somebody published the right repo for CentOS and
      it worked really well)<br>
      <br>
      --Let me double check a couple of things.  You wrote you installed
      PassSync on Windows 2013 (which could be a typo?)  We support
      Windows Server 2008 R2 and 2012 R2.  We also confirmed it works on
      Windows Server 2003 R2.<br>
      <br>
      Yes, sorry, that was a typo.<br>
      <br>
      So, starting again from scratch, new machine, the whole
      installation process went well, no issues there, but:<br>
      <br>
      * FreeIPA is supposed to generate a PassSync user by running
      ipa-replica-manage <b>--winsync </b><b>--passsync</b>=<i>PASSSYNC_PWD</i>.
        (See also man ipa-replica-manage).<br>
        <br>
        I tried 5 times, the user was never created on the IPA server, I
        had to create it manually (I gave it admin permissions so it
        could create/delete/update users).<br>
        Doing that, the password sync worked all right. We submitted a
        password reset in AD and that propagated all right; tested and
        it worked fine.<br>
      <br>
      * In one scenario I uninstalled FreeIPA (still kept the packages),
      installed again and something went wrong with the Kerberos keys.<br>
      After creating the AD --> LDAP certs and successfully syncing
      the passwords, I could read in /var/log/messages a password
      decryption issue (Kerberos related) every time I tried to log in as
      any user.<br>
      I have tried uninstalling FreeIPA and also removing the product
      completely and re-installing. It did not matter if I tried to
      rebuild the Kerberos keys, the issue was always there, so I had to
      start afresh with a new box.<br>
      <br>
    </blockquote>
    <br>
    Something is really messed up with the system.<br>
    Do you have some kind of backup and restore running in the
    background?<br>
    It seems that for some reason a kerberos (probably master) key was
    rewritten in some way.<br>
    <br>
    <br>
    <blockquote cite="mid:550A9276.7060409@unicyber.co.uk" type="cite">
      So... that has been all so far<br>
      <br>
      Thanks<br>
      <br>
      Gonzalo<br>
      <br>
      <br>
      <div class="moz-cite-prefix">On 16/03/2015 20:05, Noriko Hosoi
        wrote:<br>
      </div>
      <blockquote cite="mid:550737A2.10807@redhat.com" type="cite">
        <div class="moz-cite-prefix">Hello, Gonzalo,<br>
          <br>
          Any progress on your Password Synchronization?<br>
          <br>
          Let me double check a couple of things.  You wrote you
          installed PassSync on Windows 2013 (which could be a typo?) 
          We support Windows Server 2008 R2 and 2012 R2.  We also
          confirmed it works on Windows Server 2003 R2.<br>
          <pre>> On 03/13/2015 12:45 PM, <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:g.fer.ordas@unicyber.co.uk">g.fer.ordas@unicyber.co.uk</a> wrote:
>> I got the Password Sync Tool installed in the Windows2013 box</pre>
          You can find the doc on PassSync here.<br>
          <pre wrap=""><a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#windows-pass-sync">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#windows-pass-sync</a></pre>
          The doc is on PassSync 1.1.5, but 1.1.6 remains intact except
          the default SSL version to connect to the 389 Directory Server
          (as we discussed before).<br>
          <br>
          We had a discussion regarding the PassSync user you had to
          create:<br>
          <pre>uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com</pre>
          FreeIPA is supposed to generate a PassSync user by running
          ipa-replica-manage <b>--winsync </b><b>--passsync</b>=<i>PASSSYNC_PWD</i>.
            (See also man ipa-replica-manage).
          <pre wrap="">> there must be some problem as FreeIPA
> creates its own Passsync user in "cn=sysaccounts,cn=etc,<SUFFIX>" and also sets its DN
> as passSyncManagersDNs in ipa_pwd_extop plugin to avoid it creating expired
> passwords. So there is no need to create
> "uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" manually.
</pre>
          Please see the above doc regarding the user creation.<br>
          <ul>
            <li class="listitem">
              <div class="para"> The username of the system user which
                Active Directory uses to connect to the IdM machine.
                This account is configured automatically when sync is
                configured on the IdM server. The default account is <code
                  class="command">uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com</code>.
              </div>
            </li>
            <li class="listitem">
              <div class="para"> The password set in the <code
                  class="option">--passsync</code> option when the sync
                agreement was created. </div>
            </li>
          </ul>
          I'm sending this response to freeipa-users to share the info
          and request for more suggestions.<br>
          <br>
          Thanks,<br>
          --noriko<br>
          <br>
          On 03/13/2015 02:48 PM, <a moz-do-not-send="true"
            class="moz-txt-link-abbreviated"
            href="mailto:g.fer.ordas@unicyber.co.uk">g.fer.ordas@unicyber.co.uk</a>
          wrote:<br>
        </div>
        <blockquote
          cite="mid:3bccb84836c1afa05d3e78e01c30bbde@unicyber.co.uk"
          type="cite">I forgot to attach the search command now: <br>
          # passsync, users, accounts, corp.company.com <br>
          dn:
          uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com <br>
          cn: passsync <br>
          displayName: passsync <br>
          krbLastFailedAuth: 20150313211546Z <br>
          krbLoginFailedCount: 1 <br>
          krbExtraData::
          AALUUQNVcm9vdC9hZG1pbkBDT1JQLkhPT1RTVUlURU1FRElBLkNPTQA= <br>
          memberOf:
          cn=ipausers,cn=groups,cn=accounts,dc=corp,dc=company,dc=com <br>
          krbLastPwdChange: 20150313210836Z <br>
          krbPasswordExpiration: 20150611210836Z <br>
          mepManagedEntry:
          cn=passsync,cn=groups,cn=accounts,dc=corp,dc=company,d <br>
           c=com <br>
          objectClass: top <br>
          objectClass: person <br>
          objectClass: organizationalperson <br>
          objectClass: inetorgperson <br>
          objectClass: inetuser <br>
          objectClass: posixaccount <br>
          objectClass: krbprincipalaux <br>
          objectClass: krbticketpolicyaux <br>
          objectClass: ipaobject <br>
          objectClass: ipasshuser <br>
          objectClass: ipaSshGroupOfPubKeys <br>
          objectClass: mepOriginEntry <br>
          loginShell: /bin/bash <br>
          gecos: pass sync <br>
          sn: sync <br>
          homeDirectory: /home/passsync <br>
          uid: passsync <br>
          mail: <a moz-do-not-send="true"
            class="moz-txt-link-abbreviated"
            href="mailto:passsync@corp.company.com">passsync@corp.company.com</a>
          <br>
          krbPrincipalName: <a moz-do-not-send="true"
            class="moz-txt-link-abbreviated"
            href="mailto:passsync@CORP.company.COM">passsync@CORP.company.COM</a>
          <br>
          givenName: pass <br>
          initials: ps <br>
          userPassword:: zxxxxxxxx= <br>
           = <br>
          ipaUniqueID: 1d76b14a-c9c5-11e4-93f4-12d2e19d1e3c <br>
          uidNumber: 1481000829 <br>
          gidNumber: 1481000829 <br>
          krbPrincipalKey:: dfrerererer <br>
          <br>
          # search result <br>
          search: 2 <br>
          <br>
          <br>
          On 2015-03-13 21:39, <a moz-do-not-send="true"
            class="moz-txt-link-abbreviated"
            href="mailto:g.fer.ordas@unicyber.co.uk">g.fer.ordas@unicyber.co.uk</a>
          wrote: <br>
          <blockquote type="cite">Hi <br>
            <br>
            I had to manually create the user!! For some reason I
            thought the sync <br>
            Agreement task was also creating that entry for the DS! <br>
            <br>
            So now I got: <br>
            <br>
            [13/Mar/2015:14:27:30 -0700] conn=66 op=4 SRCH <br>
            base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" <br>
            scope=0 filter="(objectClass=*)" attrs="telephoneNumber uid
            title <br>
            loginShell uidNumber gidNumber sn homeDirectory mail ou
            givenName <br>
            nsAccountLock" <br>
            [13/Mar/2015:14:27:30 -0700] conn=66 op=4 RESULT err=0
            tag=101 <br>
            nentries=1 etime=0 <br>
            [13/Mar/2015:14:27:30 -0700] conn=66 op=5 SRCH <br>
            base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" <br>
            scope=0 filter="(userPassword=*)" attrs="userPassword" <br>
            [13/Mar/2015:14:27:30 -0700] conn=66 op=5 RESULT err=0
            tag=101 <br>
            nentries=1 etime=0 <br>
            [13/Mar/2015:14:27:30 -0700] conn=66 op=6 SRCH <br>
            base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" <br>
            scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
            <br>
            [13/Mar/2015:14:27:30 -0700] conn=66 op=6 RESULT err=0
            tag=101 <br>
            nentries=1 etime=0 <br>
            [13/Mar/2015:14:27:30 -0700] conn=66 op=7 SRCH <br>
            base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" <br>
            scope=0 filter="(objectClass=*)" attrs="ipaSshPubKey" <br>
            [13/Mar/2015:14:27:30 -0700] conn=66 op=7 RESULT err=0
            tag=101 <br>
            nentries=1 etime=0 <br>
            [13/Mar/2015:14:27:30 -0700] conn=66 op=8 UNBIND <br>
            [13/Mar/2015:14:27:30 -0700] conn=66 op=8 fd=103 closed - U1
            <br>
            [13/Mar/2015:14:27:33 -0700] conn=48 op=20 RESULT err=0
            tag=101 <br>
            nentries=828 etime=90 notes=U <br>
            [13/Mar/2015:14:27:33 -0700] conn=48 op=21 ABANDON
            targetop=NOTFOUND msgid=16 <br>
            [13/Mar/2015:14:27:33 -0700] conn=48 op=22 SRCH <br>
            base="cn=users,cn=accounts,dc=corp,dc=company,dc=com"
            scope=0 <br>
            filter="(objectClass=*)" attrs="* aci" <br>
            [13/Mar/2015:14:27:33 -0700] conn=48 op=22 RESULT err=0
            tag=101 <br>
            nentries=1 etime=0 <br>
            [13/Mar/2015:14:27:33 -0700] conn=48 op=23 ABANDON
            targetop=NOTFOUND msgid=18 <br>
            [13/Mar/2015:14:27:42 -0700] conn=67 fd=103 slot=103
            connection from ::1 to ::1 <br>
            [13/Mar/2015:14:27:42 -0700] conn=67 op=0 BIND
            dn="cn=directory <br>
            manager" method=128 version=3 <br>
            [13/Mar/2015:14:27:42 -0700] conn=67 op=0 RESULT err=0
            tag=97 <br>
            nentries=0 etime=0 dn="cn=directory manager" <br>
            [13/Mar/2015:14:27:42 -0700] conn=67 op=1 SRCH <br>
            base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" <br>
            scope=2 filter="(objectClass=*)" attrs=ALL <br>
            [13/Mar/2015:14:27:42 -0700] conn=67 op=1 RESULT err=0
            tag=101 <br>
            nentries=1 etime=0 notes=U <br>
            [13/Mar/2015:14:27:42 -0700] conn=67 op=2 UNBIND <br>
            [13/Mar/2015:14:27:42 -0700] conn=67 op=2 fd=103 closed - U1
            <br>
            <br>
            And target not found??? what else I might be missing ? <br>
            <br>
            Thanks! <br>
            <br>
            <br>
            On 2015-03-13 21:01, Noriko Hosoi wrote: <br>
            <blockquote type="cite">On 03/13/2015 01:49 PM, <a
                moz-do-not-send="true" class="moz-txt-link-abbreviated"
                href="mailto:g.fer.ordas@unicyber.co.uk">g.fer.ordas@unicyber.co.uk</a>
              wrote: <br>
              <blockquote type="cite">Hi <br>
                <br>
                Restarted... And I also have re-initiated the replica
                just in case.... <br>
                <br>
                I can see the following: <br>
                --- <br>
                3/Mar/2015:13:41:35 -0700] conn=34 op=329 RESULT err=0
                tag=101 nentries=1 etime=0 <br>
                [13/Mar/2015:13:41:36 -0700] conn=35 fd=84 slot=84 SSL
                connection from AD.SERVER to IPA.SERVER <br>
                [13/Mar/2015:13:41:36 -0700] conn=35 SSL 128-bit AES <br>
                [13/Mar/2015:13:41:36 -0700] conn=35 op=0 BIND
                dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
                method=128 version=3 <br>
                [13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32
                tag=97 nentries=0 etime=0 <br>
              </blockquote>
              Error 32 is LDAP_NO_SUCH_OBJECT. <br>
              Do you have a user <br>
              "uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" in your <br>
              Directory Server? <br>
              <br>
              On the host/VM where your Directory Server is running,
              please run this <br>
              command line search.  Does it return the entry? <br>
              <pre>ldapsearch -x -h localhost -p 389 -D 'cn=directory manager' -W -b "uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"</pre>
              <blockquote type="cite">[13/Mar/2015:13:41:36 -0700]
                conn=35 op=1 SRCH
                base="cn=users,cn=accounts,dc=corp,dc=company,dc=com"
                scope=2 filter="(ntUserDomainId=john.test)" attrs=ALL <br>
                [13/Mar/2015:13:41:36 -0700] conn=35 op=1 RESULT err=0
                tag=101 nentries=1 etime=0 <br>
                [13/Mar/2015:13:41:36 -0700] conn=34 op=330 SRCH
                base="cn=meTohqdc1.corp.company.com,cn=replica,cn=dc\3Dcorp\2Cdc\3Dcompany\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)"
                attrs="nsds5replicaLastInitStart
                nsds5replicaUpdateInProgress nsds5replicaLastInitStatus
                cn nsds5BeginReplicaRefresh nsds5replicaLastInitEnd" <br>
                [13/Mar/2015:13:41:36 -0700] conn=34 op=330 RESULT err=0
                tag=101 nentries=1 etime=0 <br>
                [13/Mar/2015:13:41:36 -0700] conn=36 fd=101 slot=101 SSL
                connection from AD.SERVER to IPA.SERVER <br>
                [13/Mar/2015:13:41:36 -0700] conn=36 SSL 128-bit AES <br>
                [13/Mar/2015:13:41:36 -0700] conn=36 op=0 BIND
                dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
                method=128 version=3 <br>
                [13/Mar/2015:13:41:36 -0700] conn=36 op=0 RESULT err=48
                tag=97 nentries=0 etime=0 <br>
                [13/Mar/2015:13:41:36 -0700] conn=36 op=1 UNBIND <br>
                [13/Mar/2015:13:41:36 -0700] conn=36 op=1 fd=101 closed
                - U1 <br>
                [13/Mar/2015:13:41:36 -0700] conn=35 op=2 MOD
                dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
                <br>
                [13/Mar/2015:13:41:36 -0700] conn=35 op=2 RESULT err=50
                tag=103 nentries=0 etime=0 <br>
              </blockquote>
              Since the above bind failed, your PassSync has no right to
              update the <br>
              password on the Directory Server and the modify attempt
              failed with <br>
              LDAP_INSUFFICIENT_ACCESS. <br>
              <br>
              Thanks, <br>
              --noriko <br>
              <blockquote type="cite">[13/Mar/2015:13:41:37 -0700]
                conn=35 op=3 UNBIND <br>
                [13/Mar/2015:13:41:37 -0700] conn=35 op=3 fd=84 closed -
                U1 <br>
                <br>
                -- <br>
                <br>
                Note there are 2 errors there: <br>
                dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3 <br>
                [13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32
                tag=97 nentries=0 etime=0 <br>
                dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3 <br>
                <br>
                 ipa user-show John.Test <br>
                <br>
                  User login: john.test <br>
                <br>
                  First name: John <br>
                <br>
                  Last name: Test <br>
                <br>
                  Home directory: /home/john.test <br>
                <br>
                  Login shell: /bin/bash <br>
                <br>
                  UID: 1481000790 <br>
                <br>
                  GID: 1481000790 <br>
                <br>
                  Account disabled: False <br>
                <br>
                  Password: False <br>
                <br>
                  Kerberos keys available: False <br>
                <br>
                <br>
                  the password is still set as False <br>
                The PassSync Tool got defined as base search: <br>
                <br>
                cn=users,cn=accounts,dc=corp,dc=company,dc=com .. Which
                should be all right <br>
                <br>
                Thanks for all your help! <br>
                <br>
              </blockquote>
            </blockquote>
          </blockquote>
          <br>
        </blockquote>
        <br>
      </blockquote>
      <br>
      <br>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
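    <p>An added example, not part of this thread nor of FreeIPA or 389
    Directory Server: a small Python parser that reads 389 DS access log
    lines in the format quoted above, pairs each BIND/SRCH/MOD request with
    its RESULT by connection and operation number, names the LDAP result
    codes Noriko explains (32 = NO_SUCH_OBJECT, 50 = INSUFFICIENT_ACCESS),
    and flags the failure pattern from Gonzalo's log: a PassSync bind that
    fails, followed on the same connection by a refused MOD. The sample
    input is constructed from the log lines Gonzalo posted, re-joined onto
    one line each; AD.SERVER and IPA.SERVER are his own placeholders. The
    regular expressions assume only the fields visible in those lines.</p>

```python
import re

# LDAP result codes that appear in this thread, with their RFC 4511 names.
LDAP_RESULT_NAMES = {
    0: "SUCCESS",
    32: "NO_SUCH_OBJECT",
    48: "INAPPROPRIATE_AUTHENTICATION",
    49: "INVALID_CREDENTIALS",
    50: "INSUFFICIENT_ACCESS",
}

# Constructed sample input: the 389 DS access log lines posted in the thread,
# re-joined onto one line each (AD.SERVER / IPA.SERVER are the poster's
# placeholders, not real hosts).
SAMPLE_LOG = """\
[13/Mar/2015:13:41:36 -0700] conn=35 fd=84 slot=84 SSL connection from AD.SERVER to IPA.SERVER
[13/Mar/2015:13:41:36 -0700] conn=35 SSL 128-bit AES
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 BIND dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=35 op=1 SRCH base="cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=2 filter="(ntUserDomainId=john.test)" attrs=ALL
[13/Mar/2015:13:41:36 -0700] conn=35 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 BIND dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 MOD dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 RESULT err=50 tag=103 nentries=0 etime=0
[13/Mar/2015:13:41:37 -0700] conn=35 op=3 UNBIND
"""

# One operation line: timestamp, conn, op, operation type, and the rest.
OP_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'(?P<kind>BIND|SRCH|MOD|RESULT|UNBIND)(?P<rest>.*)$'
)
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'err=(?P<err>\d+)')


def parse_operations(text):
    """Pair every BIND/SRCH/MOD request with its RESULT line via (conn, op).

    Returns the completed operations in RESULT order; each is a dict with
    conn, op, kind, dn (None when the request has no dn="..."), err, name.
    """
    pending = {}
    completed = []
    for line in text.splitlines():
        m = OP_RE.match(line)
        if m is None:
            continue  # connection-setup and SSL lines carry no op=
        key = (int(m["conn"]), int(m["op"]))
        if m["kind"] == "RESULT":
            req = pending.pop(key, None)
            if req is None:
                continue  # RESULT for a request that is not in the input
            em = ERR_RE.search(m["rest"])
            err = int(em["err"]) if em else -1
            req["err"] = err
            req["name"] = LDAP_RESULT_NAMES.get(err, f"LDAP_{err}")
            completed.append(req)
        elif m["kind"] != "UNBIND":
            dn = DN_RE.search(m["rest"])
            pending[key] = {
                "conn": key[0], "op": key[1], "kind": m["kind"],
                "dn": dn["dn"] if dn else None,
            }
    return completed


def diagnose_passsync(text):
    """Report failed binds, plus a refused MOD on a connection whose bind
    failed (Noriko's point: with no successful bind, PassSync has no right
    to write the password, so the MOD gets INSUFFICIENT_ACCESS).
    """
    findings = []
    ops = parse_operations(text)
    failed_bind_conns = {
        o["conn"] for o in ops if o["kind"] == "BIND" and o["err"] != 0
    }
    for o in ops:
        if o["kind"] == "BIND" and o["err"] == 32:
            findings.append(
                f'conn={o["conn"]}: BIND as {o["dn"]} returned NO_SUCH_OBJECT; '
                'that bind DN does not exist in the Directory Server'
            )
        elif o["kind"] == "BIND" and o["err"] != 0:
            findings.append(
                f'conn={o["conn"]}: BIND as {o["dn"]} failed with {o["name"]}'
            )
        elif (o["kind"] == "MOD" and o["err"] == 50
              and o["conn"] in failed_bind_conns):
            findings.append(
                f'conn={o["conn"]}: MOD of {o["dn"]} refused with '
                'INSUFFICIENT_ACCESS after the bind on this connection failed'
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose_passsync(SAMPLE_LOG):
        print(finding)
```

    <p>Run against a real instance, the same functions can be fed the
    contents of the access log (on 389 DS it lives under
    /var/log/dirsrv/slapd-INSTANCE/, with INSTANCE being the local instance
    name); the conn/op pairing is what lets you tell a refused MOD caused by
    a missing or wrong PassSync bind DN apart from an ACI problem on an
    otherwise authenticated connection.</p>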
  </body>
</html>