[Freeipa-users] EXTERNAL: Re: Winsync Issues

Rich Megginson rmeggins at redhat.com
Thu Mar 21 19:59:36 UTC 2013


On 03/21/2013 01:45 PM, Joseph, Matthew (EXP) wrote:
>
> Hey Rich,
>
> I've changed the password multiple times now and it's still not 
> accepting the password. I've even set it as simple as password.
>
> I forgot to mention in my initial post that my domain looks more like 
> this.
>
> Domain1.domain2.ca
>
> So my command looks like 
> cn=idmpasssync,cn=users,dc=domain1,dc=domain2,dc=ca
>
> That shouldn't make a difference should it?
>

As long as that is the DN you are using with ldapsearch -D, and the same 
as the DN you are passing to ipa-replica-manage, that should be fine.

Let's take a step back.  Do you know the windows admin password?  If so, 
try this:

ldapsearch -xLLL -ZZ -h adserver.domain.ca \
  -D "cn=administrator,cn=users,dc=domain1,dc=domain2,dc=ca" \
  -w 'admin password' \
  -s base -b "cn=idmpasssync,cn=users,dc=domain1,dc=domain2,dc=ca"

> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Thursday, March 21, 2013 4:31 PM
> *To:* Joseph, Matthew (EXP)
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: EXTERNAL: Re: [Freeipa-users] Winsync Issues
>
> On 03/21/2013 01:26 PM, Joseph, Matthew (EXP) wrote:
>
>     Hey Rich,
>
>     Tried the command you listed below and it says ldap_bind: Invalid
>     Credentials (49)
>
>
> This means you have the wrong password.
>
>
> If I take away the -w 'WindowsIDMPassSyncPW' then it will bring back 
> the results of the LDAP search.
>
>
> This means it is doing an anonymous search of "" which AD allows.
>
> Try this:
> ldapsearch -xLLL -ZZ -h adserver.domain.ca \
>   -D "cn=idmpasssync,cn=users,dc=domain,dc=ca" -w 'WindowsIDMPassSyncPW' \
>   -s base -b "cn=users,dc=domain,dc=ca"
>
>
> *From:*Rich Megginson [mailto:rmeggins at redhat.com]
> *Sent:* Thursday, March 21, 2013 4:12 PM
> *To:* Joseph, Matthew (EXP)
> *Cc:* freeipa-users at redhat.com <mailto:freeipa-users at redhat.com>
> *Subject:* EXTERNAL: Re: [Freeipa-users] Winsync Issues
>
> On 03/21/2013 12:37 PM, Joseph, Matthew (EXP) wrote:
>
>     Hello,
>
>     I'm currently in the processing of installing/configuring IPA
>     2.2.0-16  on a Red Hat 6.4 Server and I'm running into some issues
>     trying to get IPA to replicate to a Windows 2003 SP2 DC.
>
>     Here is the steps I took (I used the Red Hat Identity Management
>     Guide)
>
>     1) Create idmpasssync user under AD and give him the permissions
>     requested
>
>     2) Download IPA cert from web gui
>
>     3) Installed IPA cert under Trusted Root Certificate Authorities
>
>     4) Exported Windows cert to Red Hat Server
>
>     5) Copied both IPA and Windows certs to /etc/openldap/cacerts
>
>     6) Run the following command
>
>     a. ipa-replica-manage connect --winsync \
>          --binddn cn=idmpasssync,cn=users,dc=domain,dc=ca \
>          --bindpw WindowsIDMPassSyncPW \
>          --passsync WindowsIDMPassSyncPW \
>          --cacert /etc/openldap/cacerts/windows.cer \
>          adserver.domain.ca -v
>
>     7) After running that command I get the following error:
>
>     a. Added CA Certificate /etc/openldap/cacerts/windows.cer to
>     certificate database for IPAserver.domain.ca
>     ipa: INFO: Failed to connect to AD server adserver.domain.ca
>     ipa: INFO: The error was: {'info': 80090308: LdapErr:
>     DSID-0C090334, comment: AcceptSecurityContext error, data 525,
>     vece', 'desc': 'Invalid Credentials'}
>     Failed to setup winsync replication
>
>     I checked the IPA logs and it says the same thing above, no new
>     information
>
>     I know I entered the password correctly and I even changed it on
>     the Active Directory side just to make sure.
>
>     Can anyone see what I am doing wrong on this configuration?
>
>
> Try this:
>
> ldapsearch -xLLL -ZZ -h adserver.domain.ca \
>   -D "cn=idmpasssync,cn=users,dc=domain,dc=ca" -w 'WindowsIDMPassSyncPW' \
>   -s base -b ""
>
>
>
> Matt
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com  <mailto:Freeipa-users at redhat.com>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

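Added example, not part of the thread: a small Python helper that pulls the AcceptSecurityContext "data" sub-code out of the AD diagnostic string quoted in the error above and maps it to its documented meaning. The sub-code table is Microsoft's published list for LDAP result 49, and the sample string is the one from the thread; in it, data 525 means the bind DN was not found, whereas 52e would be a wrong password for an existing account.

```python
import re

# Meaning of the AcceptSecurityContext "data" sub-code that Active Directory
# appends to an LDAP result 49 (invalidCredentials). The values are from
# Microsoft's documentation; this table is added here, not from the thread.
AD_BIND_SUBCODES = {
    "525": "user not found (the bind DN/username does not resolve to an account)",
    "52e": "invalid credentials (account exists, password is wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def ad_bind_subcode(diag):
    """Return the hex sub-code from an AD bind diagnostic string, or None."""
    m = _DATA_RE.search(diag)
    return m.group(1).lower() if m else None


def explain_ad_bind_error(diag):
    """Map an AD invalidCredentials diagnostic to a short explanation."""
    code = ad_bind_subcode(diag)
    if code is None:
        return "no AcceptSecurityContext sub-code found in diagnostic"
    return "data %s: %s" % (code, AD_BIND_SUBCODES.get(code, "unknown sub-code"))


# Constructed sample: the diagnostic printed by ipa-replica-manage in the thread.
SAMPLE = ("{'info': '80090308: LdapErr: DSID-0C090334, comment: "
          "AcceptSecurityContext error, data 525, vece', "
          "'desc': 'Invalid Credentials'}")

if __name__ == "__main__":
    print(explain_ad_bind_error(SAMPLE))
```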