[Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10

Jenny Galipeau jgalipea at redhat.com
Mon Jul 27 15:41:03 UTC 2009


Rob Crittenden wrote:
> Jeff Moody wrote:
>> I’m trying to set up password/identity sync to the FreeIPA server 
>> from a Windows 2003R2 SP2 server to a Fedora 10 VM.
>>
>> I have installed the FreeIPA software and can load its configuration 
>> page on the IPA server – so the service appears to be running.
>>
>> I have our Windows DC running the Windows 2003 Enterprise Certificate 
>> Authority service and have exported its root certificate and SCP’ed 
>> that to the IPA server.
>>
>> Following the instructions from TFM, I run the following command:
>>
>> [root at ipamem1 ~]# ipa-replica-manage add --winsync --binddn 
>> CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw 
>> WindowsAccountPassword --cacert /root/dc1-base64-x509.cer 
>> dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync
>>
>> This is the output from that command:
>>
>> Directory Manager password:
>> INFO:root:Shutting down dirsrv:
>> EVSCORPORATION-COM... [ OK ]
>> INFO:root:
>> INFO:root:
>> INFO:root:
>> INFO:root:Starting dirsrv:
>> EVSCORPORATION-COM... [ OK ]
>> INFO:root:
>> INFO:root:Added CA certificate /root/dc1-base64-x509.cer to 
>> certificate database for ipamem1.evscorporation.com
>> INFO:root:Restarted directory server ipamem1.evscorporation.com
>> INFO:root:Could not validate connection to remote server 
>> dc1.evscorporation.com:636 - continuing
>> INFO:root:The error was: {'info': 'error:14090086:SSL 
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 
>> 'desc': "Can't contact LDAP server"}
>> The user for the Windows PassSync service is 
>> uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com
>> Windows PassSync entry exists, not resetting password
>> INFO:root:Added new sync agreement, waiting for it to become ready . . .
>> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP 
>> error: Can't contact LDAP server: start: 0: end: 0
>> INFO:root:Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>> [ipamem1.evscorporation.com] reports: Update failed! Status: [81 - 
>> LDAP error: Can't contact LDAP server]
>> INFO:root:Added agreement for other host dc1.evscorporation.com
>>
>> Additionally, in the /var/lib/dirsrv/ errors log, I have the 
>> following error:
>>
>> [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send 
>> bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] 
>> mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's 
>> Certificate issuer is not recognized.) 11 (Resource temporarily 
>> unavailable)
>>
>> On the Windows server, the Passsync service is running and as far as 
>> I know I installed the right certificate on the Passsync side by 
>> following the instructions at 
>> (http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service) 
>> and the only message in the Passsync log on the Windows side is:
>>
>> 07/25/09 14:32:15: PassSync service started
>>
>> I’m sure that I’m just missing some simple, stupid little thing…but I 
>> have no earthly idea as to what that could be. Any 
>> help/suggestions/troubleshooting anyone can help me with, I would 
>> greatly appreciate it.
>>
>
> Hmm, clearly an SSL trust issue.
>
> Lets start by making sure that DS has the CA you provided loaded and 
> trusted:
>
> # certutil -L -d /etc/dirsrv/slapd-INSTANCE
>
> It should include your CA and have a trust like CT,,C
>
> I found that I needed to reboot my AD server when installing the CA 
> service and getting PassSync installed. Have you rebooted recently?
These instructions are much more comprehensive and include that a reboot 
of the AD machine is required.
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html
Jenny
>
> rob
>


-- 
Jenny Galipeau <jgalipea at redhat.com>
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
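As an added example (not code from this thread, FreeIPA or 389-DS): a small POSIX sh script that parses the output of `certutil -L -d /etc/dirsrv/slapd-INSTANCE`, the check Rob suggests above, and reports whether the CA entry carries a C in its SSL trust slot (as in CT,,C). That is exactly the trust the -8179 "Peer's Certificate issuer is not recognized" error in the errors log says is absent. A second helper uses `openssl s_client` to show which certificate the domain controller actually presents on port 636 and whether it chains to the exported CA file. The instance path, the nicknames and the sample certutil output embedded below are constructed assumptions, not values from the setup described in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread, FreeIPA or 389-DS.
# Checks that a CA in a 389-DS NSS certificate database is trusted to
# issue SSL server certificates, which is what the winsync agreement
# needs to validate the AD domain controller's LDAPS certificate.

# Constructed sample of `certutil -L -d /etc/dirsrv/slapd-INSTANCE` output.
# The nicknames are assumptions, not the real names in the thread's setup.
SAMPLE_CERTUTIL_OUTPUT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
dc1-windows-ca                                               CT,,C
stale-ca-import                                              ,,
'

# certutil_trust NICKNAME
# Reads certutil -L output on stdin and prints the trust-attribute field
# (e.g. CT,,C) of the named certificate. Prints nothing if it is absent.
certutil_trust() {
    awk -v nick="$1" '
        # Data rows end in a trust triple such as CT,,C, u,u,u or ,, ;
        # the header lines ("Trust Attributes", "SSL,S/MIME,JAR/XPI") do not.
        $NF ~ /^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$/ {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # strip the trailing flags field
            if (name == nick) { print flags; exit }
        }'
}

# ssl_ca_trusted FLAGS
# Succeeds when the SSL slot (first comma field) contains C, i.e. the
# certificate is a trusted CA for server certificates. T alone only trusts
# it to issue client certificates, and ",," (what an import without -t
# gets) trusts it for nothing.
ssl_ca_trusted() {
    case "${1%%,*}" in
        *C*) return 0 ;;
        *)   return 1 ;;
    esac
}

# ca_status NICKNAME   (certutil -L output on stdin)
# Prints one word: trusted, untrusted (present but no C in the SSL slot)
# or missing (no entry with that nickname at all).
ca_status() {
    flags=$(certutil_trust "$1")
    if [ -z "$flags" ]; then
        echo missing
    elif ssl_ca_trusted "$flags"; then
        echo trusted
    else
        echo untrusted
    fi
}

# check_ldaps_issuer HOST CAFILE
# Shows the subject and issuer of the certificate HOST presents on 636 and
# whether it verifies against CAFILE (openssl is assumed to be installed).
# "Verify return code: 0 (ok)" means the exported CA matches; an unknown
# issuer means the DC is presenting a certificate from a different CA, or
# no usable certificate yet.
check_ldaps_issuer() {
    openssl s_client -connect "$1:636" -CAfile "$2" </dev/null 2>/dev/null \
        | grep -E '^(subject=|issuer=| *Verify return code)'
}

# Usage: sh check-ca-trust.sh /etc/dirsrv/slapd-INSTANCE NICKNAME
# With no arguments it evaluates the constructed sample above.
if [ $# -eq 2 ]; then
    certutil -L -d "$1" | ca_status "$2"
else
    printf '%s' "$SAMPLE_CERTUTIL_OUTPUT" | ca_status dc1-windows-ca
fi
```

Run it as root on the IPA host with the real instance directory and the nickname certutil shows for the imported AD CA; "untrusted" means the cert is in the database but needs its trust flags set (certutil -M -t CT,,C), while "missing" means the import did not land in that instance's database at all. Follow up with check_ldaps_issuer against dc1 and the exported CA file to confirm the DC is actually serving a certificate issued by that CA.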