[Freeipa-users] EXTERNAL: Re: Winsync Issues
Rich Megginson
rmeggins at redhat.com
Thu Mar 21 19:59:36 UTC 2013
On 03/21/2013 01:45 PM, Joseph, Matthew (EXP) wrote:
>
> Hey Rich,
>
> I've changed the password multiple times now and it's still not
> accepting the password. I've even set it as simple as password.
>
> I forgot to mention in my initial post that my domain looks more like
> this.
>
> Domain1.domain2.ca
>
> So my command looks like
> cn=idmpasssync,cn=users,dc=domain1,dc=domain2,dc=ca
>
> That shouldn't make a difference should it?
>
As long as that is the DN you are using with ldapsearch -D, and the same
as the DN you are passing to ipa-manage-replica, that should be fine.

Let's take a step back. Do you know the windows admin password? If so,
try this:

ldapsearch -xLLL -ZZ -h adserver.domain.ca \
  -D "cn=administrator,cn=idmpasssync,cn=users,dc=domain1,dc=domain2,dc=ca" \
  -w 'admin password' -s base \
  -b "cn=idmpasssync,cn=users,dc=domain1,dc=domain2,dc=ca"

> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Thursday, March 21, 2013 4:31 PM
> *To:* Joseph, Matthew (EXP)
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: EXTERNAL: Re: [Freeipa-users] Winsync Issues
>
> On 03/21/2013 01:26 PM, Joseph, Matthew (EXP) wrote:
>
> Hey Rich,
>
> Tried the command you listed below and it says ldap_bind: Invalid
> Credentials (49)
>
>
> This means you have the wrong password.
>
>
> If I take away the -w 'WindowsIDMPassSyncPW' then it will bring back
> the results of the LDAP search.
>
>
> This means it is doing an anonymous search of "" which AD allows.
>
> Try this:
> ldapsearch -xLLL -ZZ -h adserver.domain.ca \
>   -D "cn=idmpasssync,cn=users,dc=domain,dc=ca" -w 'WindowsIDMPassSyncPW' \
>   -s base -b "cn=users,dc=domain,dc=ca"
>
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Thursday, March 21, 2013 4:12 PM
> *To:* Joseph, Matthew (EXP)
> *Cc:* freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>
> *Subject:* EXTERNAL: Re: [Freeipa-users] Winsync Issues
>
> On 03/21/2013 12:37 PM, Joseph, Matthew (EXP) wrote:
>
> Hello,
>
> I'm currently in the process of installing/configuring IPA
> 2.2.0-16 on a Red Hat 6.4 Server and I'm running into some issues
> trying to get IPA to replicate to a Windows 2003 SP2 DC.
>
> Here are the steps I took (I used the Red Hat Identity Management
> Guide)
>
> 1) Create idmpasssync user under AD and give him the permissions
> requested
>
> 2) Download IPA cert from web gui
>
> 3) Installed IPA cert under Trusted Root Certificates Authorities
>
> 4) Exported Windows cert to Red Hat Server
>
> 5) Copied both IPA and Windows certs to /etc/openldap/cacerts
>
> 6) Run the following command
>
> a. ipa-replica-manage connect --winsync --binddn
> cn=idmpasssync,cn=users,dc=domain,dc=ca --bindpw
> WindowsIDMPassSyncPW --passsync WindowsIDMPassSyncPW --cacert
> /etc/openldap/cacerts/windows.cer adserver.domain.ca -v
>
> 7) After running that command I get the following error:
>
> a. Added CA Certificate /etc/openldap/cacerts/windows.cer to
> certificate database for IPAserver.domain.ca
> ipa: INFO: Failed to connect to AD server adserver.domain.ca
> ipa: INFO: The error was: {'info': 80090308: LdapErr:
> DSID-0C090334, comment: AcceptSecurityContext error, data 525,
> vece', 'desc': 'Invalid Credentials'}
> Failed to setup winsync replication
>
> I checked the IPA logs and it says the same thing above, no new
> information
>
> I know I entered the password correctly and I even changed it on
> the Active Directory side just to make sure.
>
> Can anyone see what I am doing wrong on this configuration?
>
>
> Try this:
>
> ldapsearch -xLLL -ZZ -h adserver.domain.ca \
>   -D "cn=idmpasssync,cn=users,dc=domain,dc=ca" -w 'WindowsIDMPassSyncPW' \
>   -s base -b ""
>
>
>
> Matt
>
>
>
>
>
>
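
Added example (not part of the original thread, and not FreeIPA or Red Hat code): when Active Directory rejects an LDAP bind with error 49, the diagnostic message carries a hexadecimal sub-code after "data" that separates a wrong password from an unknown bind DN, a disabled or locked account, and so on. The sketch below parses the error text quoted in this thread; the sub-code table uses the standard Win32 logon error values, and the function and variable names are hypothetical.

```python
import re

# Sub-codes AD places after "data" in an LDAP error 49 diagnostic message.
# They are hexadecimal Win32 error values (e.g. 52e = 1326 ERROR_LOGON_FAILURE).
AD_BIND_SUBCODES = {
    0x525: "user not found (bind DN/account does not exist)",
    0x52E: "invalid credentials (account exists, wrong password)",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

_DIAG_RE = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}):\s*LdapErr:\s*(?P<dsid>DSID-[0-9A-Fa-f]+),"
    r"\s*comment:\s*(?P<comment>[^,]+),\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)


def parse_ad_bind_error(message):
    """Return a dict describing an AD bind failure, or None if not matched."""
    # Mail clients and log viewers wrap the message, so collapse whitespace.
    flat = " ".join(message.split())
    m = _DIAG_RE.search(flat)
    if m is None:
        return None
    code = int(m.group("data"), 16)  # the sub-code is hex, not decimal
    return {
        "dsid": m.group("dsid"),
        "comment": m.group("comment").strip(),
        "data": code,
        "meaning": AD_BIND_SUBCODES.get(code, "unknown sub-code"),
    }


# Error text as quoted in the thread above (line-wrapped by the mail client).
SAMPLE = """ipa: INFO: The error was: {'info': 80090308: LdapErr:
DSID-0C090334, comment: AcceptSecurityContext error, data 525,
vece', 'desc': 'Invalid Credentials'}"""

if __name__ == "__main__":
    result = parse_ad_bind_error(SAMPLE)
    print(f"data {result['data']:x}: {result['meaning']}")
```
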