[Freeipa-users] Insufficient access during winsync agreement

Rich Megginson rmeggins at redhat.com
Mon Jun 20 16:42:25 UTC 2011


On 06/20/2011 09:37 AM, Attila Bogár wrote:
> Hi,
>
> I'm trying to set up the AD-FreeIPA sync agreement and I'm always 
> getting this error:
>
> # ipa-replica-manage connect --winsync --binddn cn="IPA 
> Sync",cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 --cacert 
> /root/dc1.cer --passsync JamesBond007 dc1.win.example.com -v
>
> Added CA certificate /root/dc1.cer to certificate database for 
> ipa1.example.com
> ipa: INFO: AD Suffix is: DC=win,DC=example,DC=com
> *Insufficient access*
>
> Where does this insufficient access come from?
> Can you please provide some guidance with this issue?
Not sure.  First check the directory server access log - look for err=50 
around the time of your command - /var/log/dirsrv/slapd-YOUR-INSTANCE/access
>
>
> IPA Sync user on the AD side has Domain Admins, Enterprise Admins, 
> Schema Admins group memberships.
>
> I'm able to query the AD using ldapsearch, binding with those 
> credentials, and I also have an admin Kerberos ticket.
>
> On the other hand, the documentation in the FreeIPA enterprise guide is 
> rather succinct than adequate, as it doesn't provide at least one 
> working example.
>
> I've read all the corresponding documentation and it's still unclear 
> what password I have to specify with --passsync to 
> ipa-replica-manage.
>
> "the password for the Windows PassSync user, and a required argument 
> to |ipa-replica-manage| when creating winsync agreements."  I can't 
> see any documentation mentioning that a PassSync user has to be (or is 
> being) created in the AD.
> The bindpw already gives read/write permission to the AD tree, so I'm 
> wondering why this --passsync is required.
>
> It's rather annoying to set up PassSync on the Windows side.
> The only documentation for this (what FreeIPA refers to) I can see is:
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
>
> However, "cn=sync,cn=config" on the screenshot for the user name is 
> misleading, as only the full DN worked for us.  I assume that instead of 
> ou=People,dc=example,dc=com, cn=users,cn=accounts,dc=example,dc=com has 
> to be substituted (or does it have to be cn=compat?)
>
> Thanks for any help in advance,
>   Attila
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
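Rich's suggestion is to look for err=50 (LDAP result code 50, insufficient access) in the 389 Directory Server access log around the time the command ran. The access log records the BIND and the failing operation on separate lines that share a conn= and op= pair, so the useful check is to join them and see which identity was denied which operation. The script below is an added example written for this thread, not something posted by either participant or shipped with FreeIPA; the log lines it runs on are constructed to resemble 389-ds access-log format, and the instance path slapd-YOUR-INSTANCE is the placeholder from Rich's reply.

```shell
#!/bin/sh
# Added example: correlate "RESULT err=50" lines in a 389-ds access log with
# the BIND and the operation of the same connection, so the denied identity
# and the denied operation are visible at a glance.
# The sample log below is constructed for this example.

SAMPLE_LOG=$(cat <<'EOF'
[20/Jun/2011:09:36:58 -0600] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.2
[20/Jun/2011:09:36:58 -0600] conn=12 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[20/Jun/2011:09:36:58 -0600] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[20/Jun/2011:09:37:01 -0600] conn=13 fd=65 slot=65 connection from 10.0.0.5 to 10.0.0.2
[20/Jun/2011:09:37:01 -0600] conn=13 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com" method=sasl version=3 mech=GSSAPI
[20/Jun/2011:09:37:01 -0600] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[20/Jun/2011:09:37:02 -0600] conn=13 op=1 ADD dn="cn=meTodc1.win.example.com,cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config"
[20/Jun/2011:09:37:02 -0600] conn=13 op=1 RESULT err=50 tag=105 nentries=0 etime=0
EOF
)

# find_insufficient_access: read an access log on stdin and print one line
# per "RESULT err=50", of the form
#   conn=N op=M bound_as=<bind dn> operation=<ADD|MOD|DEL|MODRDN|SRCH>
find_insufficient_access() {
  awk '
    # remember which DN each connection bound as
    /op=[0-9]+ BIND dn=/ {
      match($0, /conn=[0-9]+/); c = substr($0, RSTART, RLENGTH)
      match($0, /dn="[^"]*"/);  bind[c] = substr($0, RSTART + 4, RLENGTH - 5)
    }
    # remember the operation type for each (conn, op) pair
    / (ADD|MOD|DEL|MODRDN|SRCH) / {
      match($0, /conn=[0-9]+/); c = substr($0, RSTART, RLENGTH)
      match($0, /op=[0-9]+/);   o = substr($0, RSTART, RLENGTH)
      match($0, / (ADD|MOD|DEL|MODRDN|SRCH) /)
      optype[c SUBSEP o] = substr($0, RSTART + 1, RLENGTH - 2)
    }
    # an insufficient-access result: join it with what we remembered
    /RESULT err=50/ {
      match($0, /conn=[0-9]+/); c = substr($0, RSTART, RLENGTH)
      match($0, /op=[0-9]+/);   o = substr($0, RSTART, RLENGTH)
      b = (c in bind) ? bind[c] : "(anonymous)"
      t = ((c SUBSEP o) in optype) ? optype[c SUBSEP o] : "(unknown)"
      printf "%s %s bound_as=%s operation=%s\n", c, o, b, t
    }'
}

# With a file argument, scan that log (e.g. the path from the reply above:
# /var/log/dirsrv/slapd-YOUR-INSTANCE/access); without one, run on the sample.
if [ $# -gt 0 ]; then
  find_insufficient_access < "$1"
else
  printf '%s\n' "$SAMPLE_LOG" | find_insufficient_access
fi
```

On the constructed sample this reports that conn=13, bound via GSSAPI as the IPA admin, was denied an ADD under cn=mapping tree,cn=config. To narrow a real log to the time of the ipa-replica-manage run, pipe `grep '20/Jun/2011:09:3'` (or the matching timestamp prefix) into the function before reading the whole file.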


