[Freeipa-users] Problems replicating with Windows 2008 AD

Rich Megginson rmeggins at redhat.com
Thu May 17 01:15:22 UTC 2012


On 05/16/2012 06:04 PM, Kline, Sara wrote:
>
> I found the issue, it had to do with what Windows set the cn to, as 
> opposed to what I thought the CN was. Once I figured out where that 
> was set I was able to fix it. CNs for us are usually the user ID, 
> so that was where the disconnect was. Once I fixed that issue, however, 
> I got another error. I am logged in as root on the FreeIPA server. 
> When I run the ipa-replica-manage command I get:
>
> Added CA certificate /etc/openldap/cacerts/winadcert.cer to 
> certificate database for oly-infra-ldap1.prod.tnsi.com
>
> INFO:root:AD Suffix is: DC=prod,DC=example,DC=com
>
> Insufficient access
>
> I am not sure I understand why this is not working.
>

You have to set permissions for your AD user in order to use the DirSync 
control.
See http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx

> To use the DirSync control, caller must have the "directory get 
> changes" right assigned on the root of the partition being monitored. 
> By default, this right is assigned to the Administrator and 
> LocalSystem accounts on domain controllers. The caller must also have 
> the *DS-Replication-Get-Changes* 
> <http://msdn.microsoft.com/en-us/library/ms684354%28v=vs.85%29.aspx> 
> extended control access right. For more information about implementing 
> a change-tracking mechanism for applications that must run under an 
> account that does not have this right, see Polling for Changes Using 
> USNChanged 
> <http://msdn.microsoft.com/en-us/library/ms677627%28v=vs.85%29.aspx>. 
> For more information about privileges, see Privileges 
> <http://msdn.microsoft.com/en-us/library/aa379306%28v=vs.85%29.aspx>.
>

> Thanks,
>
> Sara Kline
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Wednesday, May 16, 2012 4:12 PM
> *To:* Kline, Sara
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Problems replicating with Windows 2008 AD
>
> On 05/16/2012 04:33 PM, Kline, Sara wrote:
>
> Hey all,
>
> FreeIPA has been very simple to setup so far, I have been able to 
> follow along with the documentation every step of the way. I am 
> running into an issue however when trying to set up replication 
> between the Red Hat 6.2 server running FreeIPA and the Win 2008 R2 
> server running Active Directory. I created the replication user like 
> the instructions say and gave it the necessary permissions, however 
> when I try to set up the agreement, it tells me I am using invalid 
> credentials. I am unsure of what I should do at this point. SSL certs 
> are installed on both and trusted on both, the servers are connected 
> and both are synced to the same time source. Can anyone think of 
> anything else?
>
> I am using the command as follows:
>
> ipa-replica-manage connect --winsync \
>     --binddn cn=freeipa,cn=users,dc=prod,dc=example,dc=com \
>     --bindpw mypassword \
>     --passsync mypassword \
>     --cacert /etc/openldap/cacerts/winadcert.cer \
>     oly-infra-ldap2.prod.example.com
>
>
> You can use ldapsearch to test the connection with AD:
>
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL -H 
> ldap://oly-infra-ldap2.prod.example.com -ZZ -D 
> "cn=freeipa,cn=users,dc=prod,dc=example,dc=com" -w mypassword -s base 
> -b "" 'objectclass=*' namingcontexts
>
> This assumes
> 1) oly-infra-ldap2.prod.example.com is the correct FQDN of your AD machine
> 2) cn=freeipa,cn=users,dc=prod,dc=example,dc=com is a valid AD user in AD
> 3) mypassword is the correct password and doesn't need to be quoted 
> for the shell
>
>
> Sara Kline
>
> System Administrator
>
> Transaction Network Services, Inc
>
> 4501 Intelco Loop, Lacey WA 98503
>
> Wk: (360) 493-6736
>
> Cell: (360) 280-2495
>
> ------------------------------------------------------------------------
>
> This e-mail message is for the sole use of the intended 
> recipient(s)and may
> contain confidential and privileged information of Transaction Network 
> Services.
> Any unauthorised review, use, disclosure or distribution is 
> prohibited. If you
> are not the intended recipient, please contact the sender by reply 
> e-mail and destroy all copies of the original message.
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>

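The "Insufficient access" error above is the one the MSDN text Rich quotes describes: the bind account used for --winsync must hold the DS-Replication-Get-Changes control access right ("Replicating Directory Changes") on the root of the partition being monitored, or the DirSync control is refused. The following PowerShell is an added example and not code from this thread or from the FreeIPA project. It grants exactly that right to the sync account on the partition root and shows how to check what the account holds before and after. It assumes the account is PROD\freeipa (the cn=freeipa user from the thread), the partition root is DC=prod,DC=example,DC=com, and it is run as a Domain Admin on a domain controller or RSAT host with the ActiveDirectory module; the GUIDs are the schema's rightsGuid values for the two replication extended rights.

```powershell
# Added example, not code from the FreeIPA thread or project.
# Grants the winsync bind account the "Replicating Directory Changes"
# (DS-Replication-Get-Changes) control access right on the domain partition
# root, which is what the DirSync control requires, then verifies it.
#
# Assumptions (placeholders matching the thread, adjust to your environment):
#   - the bind account is PROD\freeipa (cn=freeipa,cn=users,dc=prod,dc=example,dc=com)
#   - the partition root is DC=prod,DC=example,DC=com
#   - this runs as a Domain Admin on a DC or RSAT host with the ActiveDirectory module
Import-Module ActiveDirectory

$SyncAccount   = 'PROD\freeipa'
$PartitionDN   = 'DC=prod,DC=example,DC=com'
$PartitionPath = "AD:\$PartitionDN"

# rightsGuid values of the two replication extended rights (schema constants).
# DirSync needs only Get-Changes. Get-Changes-All additionally exposes secret
# attributes such as password hashes and is deliberately NOT granted here.
$GetChanges    = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
$GetChangesAll = [Guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'

function Get-ReplicationAces {
    # Returns the ACEs on the partition root that give $Account either
    # replication extended right, so the state can be inspected before and after.
    param([string]$Path, [string]$Account)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $GetChanges -or $_.ObjectType -eq $GetChangesAll)
    }
}

function Grant-GetChanges {
    # Adds a non-inherited Allow ACE for DS-Replication-Get-Changes only,
    # on the partition root (the right must be held at the root, per MSDN).
    param([string]$Path, [string]$Account)
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
               $sid,
               [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
               [System.Security.AccessControl.AccessControlType]::Allow,
               $GetChanges,
               [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Path -AclObject $acl
}

"Before:"
Get-ReplicationAces -Path $PartitionPath -Account $SyncAccount |
    Select-Object IdentityReference, ObjectType, AccessControlType | Format-Table -AutoSize

Grant-GetChanges -Path $PartitionPath -Account $SyncAccount

"After:"
$after = Get-ReplicationAces -Path $PartitionPath -Account $SyncAccount
$after | Select-Object IdentityReference, ObjectType, AccessControlType | Format-Table -AutoSize

# Guard against over-provisioning: the sync account must not end up with
# Get-Changes-All, which would let it pull credential material (DCSync-style).
if ($after | Where-Object { $_.ObjectType -eq $GetChangesAll }) {
    Write-Warning "$SyncAccount also holds DS-Replication-Get-Changes-All; remove it."
}
```

The same grant can be done from a cmd prompt on the DC with `dsacls "DC=prod,DC=example,DC=com" /G "PROD\freeipa:CA;Replicating Directory Changes"`. Either way, grant only "Replicating Directory Changes": that is the single right the quoted MSDN text names for DirSync, and adding "Replicating Directory Changes All" to a sync account turns a compromise of its password into the ability to replicate every account's secrets out of the domain.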