[Freeipa-users] Problems replicating with Windows 2008 AD

Rob Crittenden rcritten at redhat.com
Thu May 17 13:17:26 UTC 2012


Kline, Sara wrote:
> I found the issue: it had to do with what Windows set the cn to, as
> opposed to what I thought the CN was. Once I figured out where that was
> set I was able to fix it. CNs for us are usually the user id, so that
> was where the disconnect was. Once I fixed that issue, however, I got
> another error. I am logged in as root on the FreeIPA server. When I run
> the ipa-manage-replica command I get:
>
> Added CA certificate /etc/openldap/cacerts/winadcert.cer to certificate
> database for oly-infra-ldap1.prod.tnsi.com
>
> INFO:root:AD Suffix is: DC=prod,DC=example,DC=com
>
> Insufficient access
>
> I am not sure I understand why this is not working.

Hmm, can you try this:

# kdestroy
# ipa-replica-manage ...

It should prompt you for the Directory Manager password. My guess is 
that this isn't working with a delegated user over GSSAPI. What version 
of freeIPA are you running?

rob

>
> Thanks,
>
> Sara Kline
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Wednesday, May 16, 2012 4:12 PM
> *To:* Kline, Sara
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] Problems replicating with Windows 2008 AD
>
> On 05/16/2012 04:33 PM, Kline, Sara wrote:
>
> Hey all,
>
> FreeIPA has been very simple to set up so far; I have been able to follow
> along with the documentation every step of the way. I am running into an
> issue, however, when trying to set up replication between the Red Hat 6.2
> server running FreeIPA and the Win 2008 R2 server running Active
> Directory. I created the replication user like the instructions say and
> gave it the necessary permissions; however, when I try to set up the
> agreement, it tells me I am using invalid credentials. I am unsure of
> what I should do at this point. SSL certs are installed on both and
> trusted on both, the servers are connected and both are synced to the
> same time source. Can anyone think of anything else?
>
> I am using the command as follows:
>
> ipa-replica-manage connect --winsync
> --binddn cn=freeipa,cn=users,dc=prod,dc=example,dc=com
> --bindpw mypassword
> --passsync mypassword
> --cacert /etc/openldap/cacerts/winadcert.cer
> oly-infra-ldap2.prod.example.com
>
>
> You can use ldapsearch to test the connection with AD:
>
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL -H
> ldap://oly-infra-ldap2.prod.example.com -ZZ -D
> "cn=freeipa,cn=users,dc=prod,dc=example,dc=com" -w mypassword -s base -b
> "" 'objectclass=*' namingcontexts
>
> This assumes
> 1) oly-infra-ldap2.prod.example.com is the correct FQDN of your AD machine
> 2) cn=freeipa,cn=users,dc=prod,dc=example,dc=com is a valid AD user in AD
> 3) mypassword is the correct password and doesn't need to be quoted for
> the shell
>
>
> Sara Kline
>
> ------------------------------------------------------------------------
>
> This e-mail message is for the sole use of the intended recipient(s)and may
> contain confidential and privileged information of Transaction Network
> Services.
> Any unauthorised review, use, disclosure or distribution is prohibited.
> If you
> are not the intended recipient, please contact the sender by reply
> e-mail and destroy all copies of the original message.
>
>
>
>
> _______________________________________________
>
> Freeipa-users mailing list
>
> Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>
>
> https://www.redhat.com/mailman/listinfo/freeipa-users
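The ldapsearch probe Rich suggests, written up as an added Python pre-flight script that is neither from the thread nor part of FreeIPA: it runs the same base search for namingContexts over StartTLS without a shell (so the password needs no quoting and is handed to ldapsearch via a file rather than the command line), and maps the exit status to the two errors Sara saw. The function names and hint texts are mine; it assumes OpenLDAP's ldapsearch is installed on the IPA host.

```python
import os
import subprocess
import tempfile

# OpenLDAP client tools exit with the LDAP result code when an operation fails.
LDAP_RESULT_HINTS = {
    0: "bind OK: DN, password and CA trust all work from this host",
    49: "invalidCredentials: check that --binddn uses the cn AD actually set "
        "(often the display name, not the user id) and that the password is right",
    50: "insufficientAccess: the bind works but the account lacks rights for the "
        "operation; if ipa-replica-manage says the same, try kdestroy and let it "
        "prompt for Directory Manager as suggested in the thread",
}

def build_ldapsearch_argv(ad_fqdn, bind_dn, passwd_file):
    """Argv for the probe from the thread; no shell, so no quoting of the password."""
    return [
        "ldapsearch", "-xLLL",            # simple bind, terse LDIF output
        "-H", f"ldap://{ad_fqdn}",
        "-ZZ",                            # StartTLS must succeed or the probe fails
        "-D", bind_dn,
        "-y", passwd_file,                # password from a file: not in ps or history
        "-s", "base", "-b", "",
        "(objectclass=*)", "namingcontexts",
    ]

def classify(returncode, stderr):
    """Map ldapsearch's exit status and stderr to (status, remediation hint)."""
    if "ldap_start_tls" in stderr:
        return ("tls", "StartTLS failed: AD cert not trusted via LDAPTLS_CACERTDIR, "
                       "or the FQDN does not match the certificate")
    if returncode in LDAP_RESULT_HINTS:
        return ("ok" if returncode == 0 else "ldap", LDAP_RESULT_HINTS[returncode])
    return ("unknown", f"ldapsearch exited {returncode}: {stderr.strip()}")

def check_ad_bind(ad_fqdn, bind_dn, password, cacertdir):
    """Run the probe against AD; needs ldapsearch installed and network access."""
    fd, path = tempfile.mkstemp()         # mkstemp creates the file with mode 0600
    try:
        with os.fdopen(fd, "w") as f:
            f.write(password)             # no newline: -y uses the file contents verbatim
        env = dict(os.environ, LDAPTLS_CACERTDIR=cacertdir)
        proc = subprocess.run(build_ldapsearch_argv(ad_fqdn, bind_dn, path),
                              capture_output=True, text=True, env=env)
        return classify(proc.returncode, proc.stderr)
    finally:
        os.unlink(path)
```

Call it as `check_ad_bind("oly-infra-ldap2.prod.example.com", "cn=freeipa,cn=users,dc=prod,dc=example,dc=com", "mypassword", "/etc/dirsrv/slapd-YOUR-DOMAIN")` with your own values; a `("tls", ...)` result means the cert, not the account, is the problem to chase first.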