[Freeipa-users] FreeIPA & Windows AD Replication

Rob Crittenden rcritten at redhat.com
Wed May 30 13:11:14 UTC 2012


Matt wrote:
> On 29/05/2012 23:15, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Matt wrote:
>>>> Hi,
>>>>
>>>> Any ideas on where to look for more information? I have been unable to
>>>> make any progress on this.
>>>>
>>>> Thanks
>>>>
>>>> On 22/05/2012 10:18, Matt wrote:
>>>>> Hi,
>>>>>
>>>>> I am attempting to run replication between Windows AD (2008R2) and a
>>>>> FreeIPA (2.2.0) server (fc-17) in a test setup.
>>>>>
>>>>> I have bound FreeIPA to the AD server 'successfully'
>>>>>
>>>>> [root at ipa2 cacerts]# ipa-replica-manage connect --winsync --binddn
>>>>> "CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net" --bindpw <Password>
>>>>> --passsync <Password> --cacert /etc/openldap/cacerts/AD.cer -v
>>>>> ipa.100it.net -p <Password>
>>>>> Added CA certificate /etc/openldap/cacerts/AD.cer to certificate
>>>>> database for ipa2.100it.net
>>>>> ipa: INFO: AD Suffix is: DC=IPA,DC=100it,DC=net
>>>>> The user for the Windows PassSync service is
>>>>> uid=passsync,cn=sysaccounts,cn=etc,dc=100it,dc=net
>>>>> Windows PassSync entry exists, not resetting password
>>>>> ipa: INFO: Added new sync agreement, waiting for it to become ready .
>>>>> . .
>>>>> ipa: INFO: Replication Update in progress: FALSE: status: -11 - System
>>>>> error: start: 0: end: 0
>>>>> ipa: INFO: Agreement is ready, starting replication . . .
>>>>> Starting replication, please wait until this has completed.
>>>>> [ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
>>>>> Failed to start replication
>>>>>
>>>>>
>>>>>
>>>>> The server now shows in the replica list:
>>>>>
>>>>> [root at ipa2 ~]# ipa-replica-manage list -p <password>
>>>>> ipa.100it.net: winsync
>>>>> ipa2.100it.net: master
>>>>>
>>>>>
>>>>> But any attempts to re-initialise the connection result in the same
>>>>> "[-11 - System error]" message:
>>>>>
>>>>> [root at ipa2 ~]# ipa-replica-manage re-initialize --from ipa.100it.net
>>>>> -p <password>
>>>>> [ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
>>>>>
>>>>>
>>>>> There are no messages that relate to the connection in event viewer
>>>>> and nothing other than "[-11 - System error]" in any of the freeIPA
>>>>> log files.
>>>>>
>>>>> Thanks
>>>>> Matt
>>>
>>> This is a new one to me. I think we need to try to gather more
>>> information on it. Can you enable replication debugging then try to
>>> re-initialize it again?
>>>
>>> $ ldapmodify -x -D "cn=directory manager" -W
>>> dn: cn=config
>>> changetype: modify
>>> replace: nsslapd-errorlog-level
>>> nsslapd-errorlog-level: 8192
>>>
>>> Then to turn it off do basically the same thing:
>>>
>>> $ ldapmodify -x -D "cn=directory manager" -W
>>> dn: cn=config
>>> changetype: modify
>>> replace: nsslapd-errorlog-level
>>> nsslapd-errorlog-level: 0
>>>
>>> The log output should go to the 389-ds error log.
>>>
>>> rob
>>
>> Turns out the code is an LDAP return code which in this case means
>> connection error. Still not a lot to go on but it's something.
>>
>> Can you see if there is a firewall in between? You might also want
>> to try ldapsearch to see if you can connect to the AD server.
>>
>> We test the connection early on. I'm not sure why it would fail in the
>> middle like this.
>>
>> rob
>
> Hi Rob,
>
> Thanks for the info. Once debugging was turned on it was obvious to me.
>
> [30/May/2012:08:54:38 +0100] slapi_ldap_bind - Error: could not send
> startTLS request: error -11 (Connect error) errno 0 (Success)
> [30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -
> agmt="cn=meToipa.100it.net" (ipa:389): Replication bind with SIMPLE auth
> failed: LDAP error -11 (Connect error) (TLS: hostname does not match CN
> in peer certificate)
>
> Connecting to the host with OpenSSL gives CN=WIN-LKC2MQ44IMG.IPA.100it.net
>
> Reconnecting to the correct hostname completed successfully.
>
> [root at ipa2 ~]# ipa-replica-manage connect --winsync --binddn
> "CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net" --bindpw <Password>
> --passsync <Password> --cacert /etc/openldap/cacerts/AD.cer -v
> WIN-LKC2MQ44IMG.IPA.100it.net -p <Password>
> Added CA certificate /etc/openldap/cacerts/AD.cer to certificate
> database for ipa2.100it.net
> ipa: INFO: AD Suffix is: DC=IPA,DC=100it,DC=net
> The user for the Windows PassSync service is
> uid=passsync,cn=sysaccounts,cn=etc,dc=100it,dc=net
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
> acquired successfully: Incremental update started: start:
> 20120530090434Z: end: 20120530090434Z
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> Update succeeded
> Connected 'ipa2.100it.net' to 'WIN-LKC2MQ44IMG.IPA.100it.net'
>
> That's what I get for trying to be quick.
>
> Thanks
> Matt

Glad you got it working.

I asked the 389-ds team about these System errors and they determined 
that they could actually translate these into proper error messages. 
They filed ticket https://fedorahosted.org/389/ticket/388 to track this.

regards

rob
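The root cause in this thread was 389-ds refusing the StartTLS connection because the AD certificate's CN (WIN-LKC2MQ44IMG.IPA.100it.net) did not match the hostname passed to ipa-replica-manage. The pre-flight check below is an added example, not code from the thread or from FreeIPA: it sends a minimal LDAP StartTLS request on port 389, fetches the peer certificate, and reports the names it carries, so a mismatch shows up before the agreement is created. AD_CERT is a constructed sample mirroring the thread; check_ad_tls needs network access and a path to the AD CA file.

```python
import socket
import ssl

# LDAP StartTLS extended operation OID (RFC 4511 / RFC 4513)
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

# Constructed sample in the shape ssl.getpeercert() returns: CN only, no SAN,
# mirroring what OpenSSL showed for the AD host in the thread.
AD_CERT = {"subject": ((("commonName", "WIN-LKC2MQ44IMG.IPA.100it.net"),),)}


def starttls_request(msg_id=1):
    """BER-encode an LDAP ExtendedRequest for StartTLS (every length is < 128)."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # requestName [0]
    ext = b"\x77" + bytes([len(name)]) + name                   # ExtendedRequest [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext                  # messageID + protocolOp
    return b"\x30" + bytes([len(body)]) + body                  # LDAPMessage SEQUENCE


def cert_names(cert):
    """Names a client may match against: SAN dNSName entries, else the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def cert_matches_hostname(cert, hostname):
    """The rule 389-ds applied in the thread: the name we connected to must be in the cert."""
    host = hostname.lower().rstrip(".")
    for name in cert_names(cert):
        name = name.lower().rstrip(".")
        if name.startswith("*.") and name.count(".") == host.count("."):
            if host.split(".", 1)[1] == name[2:]:  # wildcard covers exactly one left-most label
                return True
        elif name == host:
            return True
    return False


def check_ad_tls(hostname, port=389, cafile=None, timeout=5):
    """Live check: StartTLS on the LDAP port, then (match?, names found in the cert)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; we match names ourselves to report them
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        raw.sendall(starttls_request())
        resp = raw.recv(4096)
        if b"\x0a\x01\x00" not in resp:  # resultCode ENUMERATED 0 = success
            raise RuntimeError("server refused StartTLS: %r" % resp)
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return cert_matches_hostname(cert, hostname), cert_names(cert)
```

Run against the thread's first attempt, `check_ad_tls("ipa.100it.net", cafile="/etc/openldap/cacerts/AD.cer")` would return `(False, ["WIN-LKC2MQ44IMG.IPA.100it.net"])`, which is the same information the debug log eventually revealed.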
