[Freeipa-users] FreeIPA & Windows AD Replication

Rob Crittenden rcritten at redhat.com
Tue May 29 22:15:03 UTC 2012


Rob Crittenden wrote:
> Matt wrote:
>> Hi,
>>
>> Any ideas on where to look for more information? I have been unable to
>> make any progress on this.
>>
>> Thanks
>>
>> On 22/05/2012 10:18, Matt wrote:
>>> Hi,
>>>
>>> I am attempting to run replication between Windows AD (2008R2) and a
>>> FreeIPA (2.2.0) server (fc-17) in a test setup.
>>>
>>> I have bound FreeIPA to the AD server 'successfully'
>>>
>>> [root at ipa2 cacerts]# ipa-replica-manage connect --winsync --binddn
>>> "CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net" --bindpw <Password>
>>> --passsync <Password> --cacert /etc/openldap/cacerts/AD.cer -v
>>> ipa.100it.net -p <Password>
>>> Added CA certificate /etc/openldap/cacerts/AD.cer to certificate
>>> database for ipa2.100it.net
>>> ipa: INFO: AD Suffix is: DC=IPA,DC=100it,DC=net
>>> The user for the Windows PassSync service is
>>> uid=passsync,cn=sysaccounts,cn=etc,dc=100it,dc=net
>>> Windows PassSync entry exists, not resetting password
>>> ipa: INFO: Added new sync agreement, waiting for it to become ready .
>>> . .
>>> ipa: INFO: Replication Update in progress: FALSE: status: -11 - System
>>> error: start: 0: end: 0
>>> ipa: INFO: Agreement is ready, starting replication . . .
>>> Starting replication, please wait until this has completed.
>>> [ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
>>> Failed to start replication
>>>
>>>
>>>
>>> The server now shows in the replica list:
>>>
>>> [root at ipa2 ~]# ipa-replica-manage list -p <password>
>>> ipa.100it.net: winsync
>>> ipa2.100it.net: master
>>>
>>>
>>> But any attempts to re-initialise the connection result in the same
>>> "[-11 - System error]" message:
>>>
>>> [root at ipa2 ~]# ipa-replica-manage re-initialize --from ipa.100it.net
>>> -p <password>
>>> [ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
>>>
>>>
>>> There are no messages that relate to the connection in event viewer
>>> and nothing other than "[-11 - System error]" in any of the freeIPA
>>> log files.
>>>
>>> Thanks
>>> Matt
>
> This is a new one to me. I think we need to try to gather more
> information on it. Can you enable replication debugging then try to
> re-initialize it again?
>
> $ ldapmodify -x -D "cn=directory manager" -W
> dn: cn=config
> changetype: modify
> replace: nsslapd-errorlog-level
> nsslapd-errorlog-level: 8192
>
> Then to turn it off do basically the same thing:
>
> $ ldapmodify -x -D "cn=directory manager" -W
> dn: cn=config
> changetype: modify
> replace: nsslapd-errorlog-level
> nsslapd-errorlog-level: 0
>
> The log output should go to the 389-ds error log.
>
> rob

Turns out the code is an LDAP return code which in this case means 
connection error. Still not a lot to go on but it's something.

Can you see if there is a firewall in between? You might also want to 
try ldapsearch to see if you can connect to the AD server.

We test the connection early on. I'm not sure why it would fail in the 
middle like this.

rob
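A pre-flight script for the checks Rob suggests (port reachability, certificate chain against the CA file given to ipa-replica-manage, and a bind with ldapsearch), written as an added example rather than anything from the thread or from FreeIPA itself. The host, CA path and bind DN are arguments; -11 is OpenLDAP's client-side LDAP_CONNECT_ERROR, which matches the "connection error" reading above.

```shell
#!/usr/bin/env bash
# Hypothetical winsync pre-flight check (added example, not FreeIPA code).
# Usage: ./winsync-check.sh <ad-host> <ca-file> <bind-dn>  (ldapsearch prompts for the password)
set -u

# Negative result codes come from the LDAP client library, not from AD;
# -11 is LDAP_CONNECT_ERROR, i.e. the TCP/TLS connection never came up.
ldap_rc_name() {
  case "$1" in
    -1)  echo LDAP_SERVER_DOWN ;;   -2)  echo LDAP_LOCAL_ERROR ;;
    -5)  echo LDAP_TIMEOUT ;;       -6)  echo LDAP_AUTH_UNKNOWN ;;
    -11) echo LDAP_CONNECT_ERROR ;; -12) echo LDAP_NOT_SUPPORTED ;;
    *)   echo UNKNOWN ;;
  esac
}

# Extract the code from a line such as
#   "[ipa2.100it.net] reports: Update failed! Status: [-11 - System error]"
status_code() {
  printf '%s\n' "$1" | sed -n 's/.*Status: \[\(-*[0-9][0-9]*\) - .*/\1/p'
}

check_ad() {
  local host=$1 cafile=$2 binddn=$3
  # 1. Is TCP 636 reachable at all? A firewall drop shows up as a 5 s timeout.
  timeout 5 bash -c "exec 3<>/dev/tcp/$host/636" 2>/dev/null \
    && echo "tcp 636: open" || { echo "tcp 636: unreachable"; return 1; }
  # 2. Does the AD server certificate chain to the CA file used with --cacert?
  openssl s_client -connect "$host:636" -CAfile "$cafile" -verify_return_error \
    </dev/null >/dev/null 2>&1 \
    && echo "tls: chain verified" || { echo "tls: verification failed"; return 2; }
  # 3. Bind and read the RootDSE, which is what the sync agreement must be able to do.
  LDAPTLS_CACERT=$cafile ldapsearch -H "ldaps://$host:636" -x -D "$binddn" -W \
    -b "" -s base "(objectclass=*)" defaultNamingContext
}

# Only run the live checks when invoked with the three arguments.
if [ $# -eq 3 ]; then check_ad "$@"; fi
```

Run it from the IPA replica that holds the agreement, since that is the host whose path to AD matters.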



