[Freeipa-users] Problems replicating with Windows 2008 AD
Rich Megginson
rmeggins at redhat.com
Thu May 17 01:15:22 UTC 2012
On 05/16/2012 06:04 PM, Kline, Sara wrote:
>
> I found the issue: it had to do with what Windows set the cn to, as
> opposed to what I thought the CN was. Once I figured out where that
> was set I was able to fix it. CNs for us are usually the user id,
> so that was where the disconnect was. Once I fixed that issue, however,
> I got another error. I am logged in as root on the FreeIPA server.
> When I run the ipa-replica-manage command I get:
>
> Added CA certificate /etc/openldap/cacerts/winadcert.cer to
> certificate database for oly-infra-ldap1.prod.tnsi.com
>
> INFO:root:AD Suffix is: DC=prod,DC=example,DC=com
>
> Insufficient access
>
> I am not sure I understand why this is not working.
>
You have to set permissions for your AD user in order to use the DirSync
control.
See http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx
> To use the DirSync control, caller must have the "directory get
> changes" right assigned on the root of the partition being monitored.
> By default, this right is assigned to the Administrator and
> LocalSystem accounts on domain controllers. The caller must also have
> the *DS-Replication-Get-Changes*
> <http://msdn.microsoft.com/en-us/library/ms684354%28v=vs.85%29.aspx>
> extended control access right. For more information about implementing
> a change-tracking mechanism for applications that must run under an
> account that does not have this right, see Polling for Changes Using
> USNChanged
> <http://msdn.microsoft.com/en-us/library/ms677627%28v=vs.85%29.aspx>.
> For more information about privileges, see Privileges
> <http://msdn.microsoft.com/en-us/library/aa379306%28v=vs.85%29.aspx>.
>
> Thanks,
>
> Sara Kline
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Wednesday, May 16, 2012 4:12 PM
> *To:* Kline, Sara
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Problems replicating with Windows 2008 AD
>
> On 05/16/2012 04:33 PM, Kline, Sara wrote:
>
> Hey all,
>
> FreeIPA has been very simple to set up so far; I have been able to
> follow along with the documentation every step of the way. I am
> running into an issue, however, when trying to set up replication
> between the Red Hat 6.2 server running FreeIPA and the Win 2008 R2
> server running Active Directory. I created the replication user like
> the instructions say and gave it the necessary permissions; however,
> when I try to set up the agreement, it tells me I am using invalid
> credentials. I am unsure what I should do at this point. SSL certs
> are installed on both and trusted on both, the servers are connected
> and both are synced to the same time source. Can anyone think of
> anything else?
>
> I am using the command as follows:
>
> ipa-replica-manage connect --winsync \
>   --binddn cn=freeipa,cn=users,dc=prod,dc=example,dc=com \
>   --bindpw mypassword \
>   --passsync mypassword \
>   --cacert /etc/openldap/cacerts/winadcert.cer \
>   oly-infra-ldap2.prod.example.com
>
>
> You can use ldapsearch to test the connection with AD:
>
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL -H
> ldap://oly-infra-ldap2.prod.example.com -ZZ -D
> "cn=freeipa,cn=users,dc=prod,dc=example,dc=com" -w mypassword -s base
> -b "" 'objectclass=*' namingcontexts
>
> This assumes
> 1) oly-infra-ldap2.prod.example.com is the correct FQDN of your AD machine
> 2) cn=freeipa,cn=users,dc=prod,dc=example,dc=com is a valid AD user in AD
> 3) mypassword is the correct password and doesn't need to be quoted
> for the shell
>
>
> Sara Kline
>
> System Administrator
>
> Transaction Network Services, Inc
>
> 4501 Intelco Loop, Lacey WA 98503
>
> Wk: (360) 493-6736
>
> Cell: (360) 280-2495
>
> ------------------------------------------------------------------------
>
> This e-mail message is for the sole use of the intended recipient(s) and
> may contain confidential and privileged information of Transaction
> Network Services. Any unauthorised review, use, disclosure or distribution
> is prohibited. If you are not the intended recipient, please contact the
> sender by reply e-mail and destroy all copies of the original message.
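As an added example (not from the thread, and not part of FreeIPA or its documentation), here is a PowerShell check of the right Rich describes, meant to be run on a domain controller as a domain admin with the ActiveDirectory module available. It assumes the winsync bind account is named freeipa, matching Sara's --binddn, and it resolves the right's GUID from the forest schema instead of hard-coding it.

```powershell
# Added example, not from the thread: verify (and, if missing, grant) the
# DS-Replication-Get-Changes extended right that the DirSync control needs,
# for the winsync bind account, on the root of the domain partition.
# Assumptions: run on a DC (or with RSAT) as a domain admin; the account
# name "freeipa" matches the --binddn used in the thread.
Import-Module ActiveDirectory

$account  = 'freeipa'
$domainDN = (Get-ADDomain).DistinguishedName
$sid      = (Get-ADUser -Identity $account).SID

# Look the right up by name in the Extended-Rights container so the GUID
# comes from this forest's schema rather than being typed in by hand.
$configNC = (Get-ADRootDSE).configurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(cn=DS-Replication-Get-Changes))' `
    -Properties rightsGuid
$rightGuid = [guid]$right.rightsGuid

$acl  = Get-Acl -Path "AD:\$domainDN"
$have = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $rightGuid -and
    $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
}

if ($have) {
    "$account already holds DS-Replication-Get-Changes on $domainDN"
} else {
    "$account lacks DS-Replication-Get-Changes on $domainDN; a DirSync search will fail with 'Insufficient access'"
    # Grant only this one right. Do not grant DS-Replication-Get-Changes-All
    # here: winsync does not need it and it exposes far more of the directory.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $rightGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$domainDN" -AclObject $acl
}
```

After the grant, re-run Rich's ldapsearch test and then ipa-replica-manage; the "Insufficient access" error should no longer appear once the ACE is in place on the partition root.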