[Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10

Rob Crittenden rcritten at redhat.com
Mon Jul 27 14:05:19 UTC 2009


Jeff Moody wrote:
> I’m trying to set up password/identity sync to the FreeIPA server from a
> Windows 2003R2 SP2 server to a Fedora 10 VM.
>
> I have installed the FreeIPA software and can load its configuration
> page on the IPA server – so the service appears to be running.
>
> I have our Windows DC running the Windows 2003 Enterprise Certificate
> Authority service and have exported its root certificate and SCP’ed that
> to the IPA server.
>
> Following the instructions from TFM, I run the following command:
>
> [root at ipamem1 ~]# ipa-replica-manage add --winsync --binddn
> CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw
> WindowsAccountPassword --cacert /root/dc1-base64-x509.cer
> dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync
>
> This is the output from that command:
>
> Directory Manager password:
> INFO:root:Shutting down dirsrv:
>     EVSCORPORATION-COM...                                  [  OK  ]
> INFO:root:
> INFO:root:
> INFO:root:
> INFO:root:Starting dirsrv:
>     EVSCORPORATION-COM...                                  [  OK  ]
> INFO:root:
> INFO:root:Added CA certificate /root/dc1-base64-x509.cer to certificate
> database for ipamem1.evscorporation.com
> INFO:root:Restarted directory server ipamem1.evscorporation.com
> INFO:root:Could not validate connection to remote server
> dc1.evscorporation.com:636 - continuing
> INFO:root:The error was: {'info': 'error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc':
> "Can't contact LDAP server"}
> The user for the Windows PassSync service is
> uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com
> Windows PassSync entry exists, not resetting password
> INFO:root:Added new sync agreement, waiting for it to become ready . . .
> INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP
> error: Can't contact LDAP server: start: 0: end: 0
> INFO:root:Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [ipamem1.evscorporation.com] reports: Update failed! Status: [81  - LDAP
> error: Can't contact LDAP server]
> INFO:root:Added agreement for other host dc1.evscorporation.com
>
> Additionally, in the /var/lib/dirsrv/ errors log, I have the following
> error:
>
> [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send
> bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com]
> mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's
> Certificate issuer is not recognized.) 11 (Resource temporarily unavailable)
>
> On the Windows server, the Passsync service is running and as far as I
> know I installed the right certificate on the Passsync side by following
> the instructions at
> (http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service)
> and the only message in the Passsync log on the Windows side is:
>
> 07/25/09 14:32:15: PassSync service started
>
> I’m sure that I’m just missing some simple, stupid little thing…but I
> have no earthly idea as to what that could be. Any
> help/suggestions/troubleshooting anyone can help me with, I would
> greatly appreciate it.
>

Hmm, clearly an SSL trust issue.

Let's start by making sure that DS has the CA you provided loaded and 
trusted:

# certutil -L -d /etc/dirsrv/slapd-INSTANCE

It should include your CA and have a trust like CT,,C

I found that I needed to reboot my AD server when installing the CA 
service and getting PassSync installed. Have you rebooted recently?

rob
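An added shell helper for the check Rob describes (example code written for this page, not part of FreeIPA or of the thread): it parses `certutil -L` output and reports whether a CA nickname is present with the `C` flag in the SSL trust column, which is what DS needs to accept the DC's certificate chain. The nickname `dc1-ca`, the instance path and the sample listing are assumptions.

```shell
# Check that the AD CA is loaded in the DS NSS database with the trust needed
# for winsync over LDAPS, by parsing `certutil -L -d /etc/dirsrv/slapd-INSTANCE`.
# Constructed sample listing; nickname "dc1-ca" is an assumption, not from the post.
SAMPLE_CERTUTIL_OUTPUT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
dc1-ca                                                       CT,,C
untrusted-ca                                                 ,,'

# Read certutil -L output on stdin and print the trust attributes of the given
# nickname (empty if absent). Nicknames may contain spaces, so match on the
# line prefix rather than on the first whitespace-separated field.
ca_trust_flags() {
    awk -v n="$1" 'substr($0, 1, length(n)) == n && substr($0, length(n) + 1, 1) == " " { print $NF }'
}

# The first comma-separated column is the SSL trust; "C" marks a trusted CA for
# server authentication. Without it DS rejects dc1:636 with
# "Peer's Certificate issuer is not recognized" (-8179), as in the errors log.
ca_trusted_for_ssl() {
    case "${1%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Diagnose one nickname against a certutil listing: prints "ok", "missing" or
# "untrusted:<flags>"; exit status is 0 only for "ok".
check_ca() {
    flags=$(printf '%s\n' "$2" | ca_trust_flags "$1")
    if [ -z "$flags" ]; then
        echo missing; return 1
    fi
    if ca_trusted_for_ssl "$flags"; then
        echo ok; return 0
    fi
    echo "untrusted:$flags"; return 1
}

# Live variant for a real instance, e.g.:
#   check_ds_ca /etc/dirsrv/slapd-INSTANCE dc1-ca
# If it reports "untrusted", set the flags Rob names with:
#   certutil -M -d /etc/dirsrv/slapd-INSTANCE -n dc1-ca -t CT,,C
check_ds_ca() {
    check_ca "$2" "$(certutil -L -d "$1")"
}
```

Running the sample through `check_ca dc1-ca "$SAMPLE_CERTUTIL_OUTPUT"` prints `ok`, while the `,,` entry is reported as untrusted.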
