[Freeipa-users] FreeIPA & Windows AD Replication

Matt ops at 100percentit.com
Wed May 30 09:22:48 UTC 2012


On 29/05/2012 23:15, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Matt wrote:
>>> Hi,
>>>
>>> Any ideas on where to look for more information? I have been unable to
>>> make any progress on this.
>>>
>>> Thanks
>>>
>>> On 22/05/2012 10:18, Matt wrote:
>>>> Hi,
>>>>
>>>> I am attempting to run replication between Windows AD (2008R2) and a
>>>> FreeIPA (2.2.0) server (fc-17) in a test setup.
>>>>
>>>> I have bound FreeIPA to the AD server 'successfully'
>>>>
>>>> [root at ipa2 cacerts]# ipa-replica-manage connect --winsync --binddn
>>>> "CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net" --bindpw <Password>
>>>> --passsync <Password> --cacert /etc/openldap/cacerts/AD.cer -v
>>>> ipa.100it.net -p <Password>
>>>> Added CA certificate /etc/openldap/cacerts/AD.cer to certificate
>>>> database for ipa2.100it.net
>>>> ipa: INFO: AD Suffix is: DC=IPA,DC=100it,DC=net
>>>> The user for the Windows PassSync service is
>>>> uid=passsync,cn=sysaccounts,cn=etc,dc=100it,dc=net
>>>> Windows PassSync entry exists, not resetting password
>>>> ipa: INFO: Added new sync agreement, waiting for it to become ready .
>>>> . .
>>>> ipa: INFO: Replication Update in progress: FALSE: status: -11 - System
>>>> error: start: 0: end: 0
>>>> ipa: INFO: Agreement is ready, starting replication . . .
>>>> Starting replication, please wait until this has completed.
>>>> [ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
>>>> Failed to start replication
>>>>
>>>>
>>>>
>>>> The server now shows in the replica list:
>>>>
>>>> [root at ipa2 ~]# ipa-replica-manage list -p <password>
>>>> ipa.100it.net: winsync
>>>> ipa2.100it.net: master
>>>>
>>>>
>>>> But any attempts to re-initialise the connection result in the same
>>>> "[-11 - System error]" message:
>>>>
>>>> [root at ipa2 ~]# ipa-replica-manage re-initialize --from ipa.100it.net
>>>> -p <password>
>>>> [ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
>>>>
>>>>
>>>> There are no messages that relate to the connection in event viewer
>>>> and nothing other than "[-11 - System error]" in any of the freeIPA
>>>> log files.
>>>>
>>>> Thanks
>>>> Matt
>>
>> This is a new one to me. I think we need to try to gather more
>> information on it. Can you enable replication debugging then try to
>> re-initialize it again?
>>
>> $ ldapmodify -x -D "cn=directory manager" -W
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-errorlog-level
>> nsslapd-errorlog-level: 8192
>>
>> Then to turn it off do basically the same thing:
>>
>> $ ldapmodify -x -D "cn=directory manager" -W
>> dn: cn=config
>> changetype: modify
>> replace: nsslapd-errorlog-level
>> nsslapd-errorlog-level: 0
>>
>> The log output should go to the 389-ds error log.
>>
>> rob
>
> Turns out the code is an LDAP return code which in this case means 
> connection error. Still not a lot to go on but it's something.
>
> Can you see if there is a firewall in between? You might also want 
> to try ldapsearch to see if you can connect to the AD server.
>
> We test the connection early on. I'm not sure why it would fail in the 
> middle like this.
>
> rob

Hi Rob,

Thanks for the info. Once debugging was turned on it was obvious to me.

[30/May/2012:08:54:38 +0100] slapi_ldap_bind - Error: could not send 
startTLS request: error -11 (Connect error) errno 0 (Success)
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin - 
agmt="cn=meToipa.100it.net" (ipa:389): Replication bind with SIMPLE auth 
failed: LDAP error -11 (Connect error) (TLS: hostname does not match CN 
in peer certificate)

Connecting to the host with OpenSSL gives CN=WIN-LKC2MQ44IMG.IPA.100it.net

Reconnecting to the correct hostname completed successfully.

[root at ipa2 ~]# ipa-replica-manage connect --winsync --binddn 
"CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net" --bindpw <Password> 
--passsync <Password> --cacert /etc/openldap/cacerts/AD.cer -v 
WIN-LKC2MQ44IMG.IPA.100it.net -p <Password>
Added CA certificate /etc/openldap/cacerts/AD.cer to certificate 
database for ipa2.100it.net
ipa: INFO: AD Suffix is: DC=IPA,DC=100it,DC=net
The user for the Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=100it,dc=net
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica 
acquired successfully: Incremental update started: start: 
20120530090434Z: end: 20120530090434Z
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'ipa2.100it.net' to 'WIN-LKC2MQ44IMG.IPA.100it.net'

That's what I get for trying to be quick.

Thanks
Matt
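The root cause above is a TLS hostname mismatch: the name given to ipa-replica-manage (ipa.100it.net) was not the name in the AD server's certificate (CN=WIN-LKC2MQ44IMG.IPA.100it.net), so 389-ds refused the StartTLS connection and the agreement reported only "-11 (Connect error)". The following is an added example, not code from the thread or from the FreeIPA project: it performs the same name-versus-certificate comparison offline on a constructed certificate shaped like the one in the thread, so the mismatch can be caught before the sync agreement is created. Names and helpers (cert_names, name_matches, hostname_matches, diagnose, fetch_peer_cert, AD_CERT) are this example's own; fetch_peer_cert assumes LDAPS on port 636 rather than the StartTLS-on-389 path the agreement itself uses.

```python
"""Added example (not from the thread): check that the name handed to
ipa-replica-manage matches the TLS certificate the AD side presents,
the mismatch behind "TLS: hostname does not match CN in peer
certificate" in the 389-ds error log."""
import socket
import ssl
from typing import List, Optional, Tuple


def cert_names(cert: dict) -> List[str]:
    """Names a certificate is valid for, in the dict layout that
    ssl.SSLSocket.getpeercert() returns: every dNSName SAN, or, if there
    are none, the subject commonName (the legacy fallback the 389-ds
    message calls the 'CN')."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and '*' is accepted
    only as the whole left-most label of a name with at least three
    labels ('*.ipa.100it.net' matches 'dc1.ipa.100it.net'; '*.net' and
    'dc*.ipa.100it.net' match nothing)."""
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host) or pat[1:] != host[1:]:
        return False
    if pat[0] == "*":
        return len(pat) >= 3
    return pat[0] == host[0]


def hostname_matches(hostname: str, cert: dict) -> bool:
    """True when any name the certificate carries matches the hostname."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def diagnose(hostname: str, cert: dict) -> Tuple[bool, str]:
    """Report a mismatch the way an operator needs to see it: the name
    that was used and the names the certificate actually carries."""
    names = cert_names(cert)
    if hostname_matches(hostname, cert):
        return True, f"{hostname} matches certificate name(s) {names}"
    return False, (f"{hostname} does not match certificate name(s) {names}; "
                   f"re-run the connect with one of those names")


def fetch_peer_cert(host: str, port: int = 636, cafile: Optional[str] = None) -> dict:
    """Fetch the peer certificate over LDAPS (assumed port 636; the sync
    agreement uses StartTLS on 389, which needs an LDAP extended operation
    first and is not implemented here). Chain verification stays on; only
    the hostname check is disabled so the names can be reported."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample shaped like the AD certificate the thread describes
# (subject CN only, no SAN); not a real certificate from any server.
AD_CERT = {
    "subject": ((("commonName", "WIN-LKC2MQ44IMG.IPA.100it.net"),),),
}

if __name__ == "__main__":
    for name in ("ipa.100it.net", "WIN-LKC2MQ44IMG.IPA.100it.net"):
        print(diagnose(name, AD_CERT)[1])
```

Run against a live server, `diagnose(host, fetch_peer_cert(host, cafile="/etc/openldap/cacerts/AD.cer"))` gives the same verdict 389-ds reaches during the replication bind, but as a readable message instead of a bare -11. When the certificate carries dNSName SANs the CN is deliberately ignored, matching how current TLS stacks verify names.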



