[Freeipa-users] Setup windows AD Sync Failure

Rob Crittenden rcritten at redhat.com
Thu Mar 3 04:21:52 UTC 2011


Sayid Munawar wrote:
> Dear,
>
> I have successfully installed freeipa-server 2 rc2, created some test
> users and tested machine enrollment. Now, what I want to do next is sync
> all my Windows 2008 R2 AD accounts. I've already got the cert needed,
> and tested it with the ldapsearch tool on the same host as the
> freeipa-server, so I assume that the AD connection is ok. But when I did
> ipa-replica-manage, it complains about "Can't connect LDAP server".
> Here it is:
>
> [root at yk ~]# ipa-replica-manage connect --winsync --binddn "cn=Fedora
> DS,ou=JogjaCamp,dc=dot,dc=jc" --bindpw "somesecret" --cacert
> /root/jcamp-DC1-buat-389DirServ.cer --passsync secretagain -p
> anothersecret DC1.DOT.JC
>
> Added CA certificate /root/jcamp-DC1-buat-389DirServ.cer to certificate
> database for yk.nix.jc
> ipa: INFO: Failed to connect to AD server dc1.dot.jc
> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f
> 13', 'desc': "Can't contact LDAP server"}
> ipa: INFO: Continuning ...
> The user for the Windows PassSync service is
> uid=passsync,cn=sysaccounts,cn=etc,dc=nix,dc=jc
> Windows PassSync entry exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: 0 No
> replication sessions started since server startup: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> Can't contact LDAP server
> [root at yk ~]#
>
>
> - I have no idea why the AD connection fails here, while it was ok with
> the ldapsearch tool. Any clue?
>
> - And one more question: what is the --passsync argument for? Is it for
> forcing a "new password" for the passsync user, or do we have to first
> define a password for the passsync user?
>
> TIA
>
> Sayid Munawar

Passsync is a service that needs to run on all of your AD servers. It is 
a Windows service that intercepts password requests and sends them along 
to IPA (over SSL). We need to have the password in the clear in order to 
generate Kerberos key material.

A special LDAP user is used for authentication to the Passsync service; 
the --passsync option sets the password for that account.

Make sure your CA was installed as an Enterprise CA (apparently it is 
the only kind that sets up a pure SSL LDAP port as opposed to using TLS 
over 389).

We discovered several winsync issues shortly after RC 2 was released. 
They are fixed now; you can take a look at them here:

https://fedorahosted.org/freeipa/ticket/1006
https://fedorahosted.org/freeipa/ticket/1015
https://fedorahosted.org/freeipa/ticket/1020
https://fedorahosted.org/freeipa/ticket/1021
https://fedorahosted.org/freeipa/ticket/1022

We discovered these while fixing this:

https://fedorahosted.org/freeipa/ticket/266

regards

rob
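Added example, not code from the thread or from the FreeIPA project: a small POSIX shell diagnostic for the failure Rob is talking about. It reads the NSS code out of the ipa-replica-manage message quoted above (-8179 is SEC_ERROR_BASE + 13, i.e. SEC_ERROR_UNKNOWN_ISSUER: the DC's certificate chain did not validate against the CA given with --cacert), then probes the DC on both pure LDAPS 636 and StartTLS 389 with that CA file. The DC hostname and CA path are placeholders, and the sample log line is constructed from the format shown in the thread.

```shell
# Added example, not the thread's or FreeIPA's code: diagnose a failed
# "ipa-replica-manage connect --winsync" TLS handshake against an AD DC.
# Assumptions: DC hostname and CA file path are placeholders; the sample
# log line is constructed from the error format shown in the thread.

# NSS reports errors as SEC_ERROR_BASE (-8192) plus a small offset; the
# "Unknown code ___f 13" in the log is that offset (13) in text form.
nss_error_name() {
    offset=$(( $1 + 8192 ))
    case $offset in
        11) echo SEC_ERROR_EXPIRED_CERTIFICATE ;;
        13) echo SEC_ERROR_UNKNOWN_ISSUER ;;   # issuer not trusted by NSS
        20) echo SEC_ERROR_UNTRUSTED_ISSUER ;;
        21) echo SEC_ERROR_UNTRUSTED_CERT ;;
        *)  echo "NSS_ERROR_OFFSET_$offset" ;;
    esac
}

# Pull the numeric NSS code out of an "ipa: INFO: The error was: ..." line.
nss_code_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*TLS error \(-[0-9][0-9]*\):.*/\1/p'
}

# openssl and ldapsearch want PEM; a .cer exported from AD is often DER.
ensure_pem() {
    if openssl x509 -in "$1" -noout 2>/dev/null; then printf '%s\n' "$1"
    else openssl x509 -inform der -in "$1" -out "$1.pem" && printf '%s\n' "$1.pem"
    fi
}

# Probe both transports: pure LDAPS on 636 (what an Enterprise CA enables)
# and StartTLS on 389.  Needs network access, so it only runs when given args.
probe_dc() {
    dc=$1; ca=$(ensure_pem "$2")
    echo "== LDAPS 636: chain verification against $ca"
    openssl s_client -connect "$dc:636" -CAfile "$ca" </dev/null 2>/dev/null |
        grep -E 'Verify return code|issuer='
    echo "== LDAPS 636: anonymous rootDSE read (LDAPTLS_CACERT = OpenLDAP CA file)"
    LDAPTLS_CACERT=$ca ldapsearch -x -H "ldaps://$dc" -b '' -s base currentTime
    echo "== StartTLS 389: same read, -ZZ makes TLS mandatory"
    LDAPTLS_CACERT=$ca ldapsearch -x -ZZ -H "ldap://$dc" -b '' -s base currentTime
}

SAMPLE_IPA_LOG="ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': \"Can't contact LDAP server\"}"

if [ $# -eq 2 ]; then probe_dc "$1" "$2"     # e.g. sh diag.sh DC1.DOT.JC /root/ad-ca.cer
else code=$(nss_code_from_log "$SAMPLE_IPA_LOG")
    echo "log reports NSS code $code = $(nss_error_name "$code")"
fi
```

A "Verify return code" other than 0 on port 636, with the same CA file that ipa-replica-manage was given, points at the CA file (wrong CA, wrong format, or the DC not issued by it) rather than at IPA.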
