[Freeipa-users] FreeIPA & Windows AD Replication

Rob Crittenden rcritten at redhat.com
Tue May 29 17:37:02 UTC 2012


Matt wrote:
> Hi,
>
> Any ideas on where to look for more information? I have been unable to
> make any progress on this.
>
> Thanks
>
> On 22/05/2012 10:18, Matt wrote:
>> Hi,
>>
>> I am attempting to run replication between Windows AD (2008R2) and a
>> FreeIPA (2.2.0) server (fc-17) in a test setup.
>>
>> I have bound FreeIPA to the AD server 'successfully'
>>
>> [root at ipa2 cacerts]# ipa-replica-manage connect --winsync --binddn
>> "CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net" --bindpw <Password>
>> --passsync <Password> --cacert /etc/openldap/cacerts/AD.cer -v
>> ipa.100it.net -p <Password>
>> Added CA certificate /etc/openldap/cacerts/AD.cer to certificate
>> database for ipa2.100it.net
>> ipa: INFO: AD Suffix is: DC=IPA,DC=100it,DC=net
>> The user for the Windows PassSync service is
>> uid=passsync,cn=sysaccounts,cn=etc,dc=100it,dc=net
>> Windows PassSync entry exists, not resetting password
>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>> ipa: INFO: Replication Update in progress: FALSE: status: -11 - System
>> error: start: 0: end: 0
>> ipa: INFO: Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>> [ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
>> Failed to start replication
>>
>>
>>
>> The server now shows in the replica list:
>>
>> [root at ipa2 ~]# ipa-replica-manage list -p <password>
>> ipa.100it.net: winsync
>> ipa2.100it.net: master
>>
>>
>> But any attempts to re-initialise the connection result in the same
>> "[-11 - System error]" message:
>>
>> [root at ipa2 ~]# ipa-replica-manage re-initialize --from ipa.100it.net
>> -p <password>
>> [ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
>>
>>
>> There are no messages that relate to the connection in event viewer
>> and nothing other than "[-11 - System error]" in any of the freeIPA
>> log files.
>>
>> Thanks
>> Matt

This is a new one to me. I think we need to try to gather more 
information on it. Can you enable replication debugging then try to 
re-initialize it again?

$ ldapmodify -x -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192

Then to turn it off do basically the same thing:

$ ldapmodify -x -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 0

The log output should go to the 389-ds error log.

rob
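An added example, not from the thread, that scripts Rob's enable / re-initialize / disable sequence so the verbose 389-ds replication debug level (8192) is switched back to 0 even when the re-initialize fails or the shell exits; LDAPMODIFY and REPLICA_MANAGE are assumed override hooks for dry runs, not IPA options.

```shell
#!/bin/sh
# Added example: wrap the two ldapmodify steps from the reply around an
# ipa-replica-manage re-initialize attempt. Assumes it runs on the IPA
# server as root; LDAPMODIFY / REPLICA_MANAGE are hypothetical overrides.
LDAPMODIFY="${LDAPMODIFY:-ldapmodify}"
REPLICA_MANAGE="${REPLICA_MANAGE:-ipa-replica-manage}"

# Emit the LDIF that changes the 389-ds error log level (as in the reply).
# Refuses anything that is not a plain non-negative integer.
errorlog_ldif() {
    case "$1" in
        ''|*[!0-9]*) echo "errorlog_ldif: level must be numeric" >&2; return 1 ;;
    esac
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: nsslapd-errorlog-level\nnsslapd-errorlog-level: %s\n' "$1"
}

# Apply a log level as Directory Manager; -W prompts for the password.
set_errorlog_level() {
    errorlog_ldif "$1" | "$LDAPMODIFY" -x -D "cn=directory manager" -W
}

# Turn on replication debugging (8192), retry the re-initialize from the
# given master, then restore level 0. The EXIT trap covers the case where
# the script is terminated in between, so the noisy level is never left on.
debug_reinit() {
    master="$1"
    set_errorlog_level 8192 || return 1
    trap 'set_errorlog_level 0' EXIT
    "$REPLICA_MANAGE" re-initialize --from "$master"
    rc=$?
    set_errorlog_level 0
    trap - EXIT
    return $rc
}
```

Read the 389-ds error log after the run and then keep the level at 0; 8192 is very verbose and will fill the log quickly if left enabled.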