[Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10

Jeff Moody jeff.moody at evscorporation.com
Mon Jul 27 14:29:21 UTC 2009


Pardon my ignorance, but are there any special steps outside of the ipa-replica-manage command with the Root Cert from the AD server needed to get the certificate installed? 
I had some other issues with the VM over the weekend and am rebuilding the VM now to reinstall the IPA server software and will be able to check and give you the output of certutil later today.
Thanks.

----

Jeff Moody
Senior Systems Engineer

EVS Corporation
5050 Poplar Avenue, Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk

(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.moody at evscorporation.com

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Monday, July 27, 2009 9:05 AM
To: Jeff Moody
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10

Jeff Moody wrote:
> I'm trying to set up password/identity sync to the FreeIPA server from a 
> Windows 2003R2 SP2 server to a Fedora 10 VM.
> 
> I have installed the FreeIPA software and can load its configuration 
> page on the IPA server - so the service appears to be running.
> 
> I have our Windows DC running the Windows 2003 Enterprise Certificate 
> Authority service and have exported its root certificate and SCP'ed that 
> to the IPA server.
> 
> Following the instructions from TFM, I run the following command:
> 
> [root at ipamem1 ~]# ipa-replica-manage add --winsync --binddn 
> CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw 
> WindowsAccountPassword --cacert /root/dc1-base64-x509.cer 
> dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync
> 
> This is the output from that command:
> 
> Directory Manager password:
> INFO:root:Shutting down dirsrv:
>     EVSCORPORATION-COM...                                  [  OK  ]
> INFO:root:
> INFO:root:
> INFO:root:
> INFO:root:Starting dirsrv:
>     EVSCORPORATION-COM...                                  [  OK  ]
> INFO:root:
> INFO:root:Added CA certificate /root/dc1-base64-x509.cer to certificate database for ipamem1.evscorporation.com
> INFO:root:Restarted directory server ipamem1.evscorporation.com
> INFO:root:Could not validate connection to remote server dc1.evscorporation.com:636 - continuing
> INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"}
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com
> Windows PassSync entry exists, not resetting password
> INFO:root:Added new sync agreement, waiting for it to become ready . . .
> INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP error: Can't contact LDAP server: start: 0: end: 0
> INFO:root:Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [ipamem1.evscorporation.com] reports: Update failed! Status: [81  - LDAP error: Can't contact LDAP server]
> INFO:root:Added agreement for other host dc1.evscorporation.com
> 
> Additionally, in the /var/lib/dirsrv/ errors log, I have the following 
> error:
> 
> [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's Certificate issuer is not recognized.) 11 (Resource temporarily unavailable)
> 
> On the Windows server, the Passsync service is running and as far as I 
> know I installed the right certificate on the Passsync side by following 
> the instructions at 
> (http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service) 
> and the only message in the Passsync log on the Windows side is:
> 
> 07/25/09 14:32:15: PassSync service started
> 
> I'm sure that I'm just missing some simple, stupid little thing, but I 
> have no earthly idea as to what that could be. Any 
> help/suggestions/troubleshooting anyone can help me with, I would 
> greatly appreciate it.
> 

Hmm, clearly an SSL trust issue.

Let's start by making sure that DS has the CA you provided loaded and 
trusted:

# certutil -L -d /etc/dirsrv/slapd-INSTANCE

It should include your CA and have a trust like CT,,C

I found that I needed to reboot my AD server when installing the CA 
service and getting PassSync installed. Have you rebooted recently?

rob
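An added check script for the two things Rob's reply asks to verify (it is not code from the thread or from FreeIPA): whether the AD CA is in the DS NSS database with a CA trust flag in the SSL column, and whether the chain dc1 presents on port 636 actually verifies against the exported CA file. The instance directory name and the CA nickname are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: the two checks a
# defender would run for the trust failure above. ca_trusted() reads
# `certutil -L` output on stdin and reports whether a nickname's SSL trust
# column carries 'C'; ldaps_chain_ok() has openssl verify the DC's LDAPS
# chain against the exported CA file. Instance name and nickname are assumed.

# ca_trusted NICKNAME   (certutil -L output on stdin)
#   exit 0: present and trusted as a CA for SSL (e.g. CT,,C)
#   exit 1: present but the SSL column lacks 'C' (e.g. ",," or "u,u,u")
#   exit 2: nickname not in the database
ca_trusted() {
    nick="$1"
    # A data line ends in a trust triple such as CT,,C or ,, ; the header's
    # "SSL,S/MIME,JAR/XPI" contains '/' and never matches.
    flags=$(awk -v n="$nick" '
        $NF ~ /^[CTPcupw]*,[CTPcupw]*,[CTPcupw]*$/ {
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # strip the trust column
            if (name == n) print $NF
        }')
    [ -n "$flags" ] || return 2
    ssl=${flags%%,*}                        # first column is the SSL trust
    case "$ssl" in *C*) return 0 ;; *) return 1 ;; esac
}

# ldaps_chain_ok HOST CAFILE
#   exit 0 when the chain served on HOST:636 verifies against CAFILE,
#   i.e. the file handed to --cacert really is the issuer of the DC's cert.
ldaps_chain_ok() {
    openssl s_client -connect "$1:636" -CAfile "$2" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Usage against the thread's hosts (instance name and nickname assumed):
#   certutil -L -d /etc/dirsrv/slapd-EVSCORPORATION-COM | ca_trusted "dc1 CA"
#   ldaps_chain_ok dc1.evscorporation.com /root/dc1-base64-x509.cer
```

If the first check passes but the second fails, the CA that signed dc1's LDAPS certificate is not the one that was exported, which is exactly the "Peer's Certificate issuer is not recognized" case in the errors log.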




