[Freeipa-users] AD - Freeipa trust confusion

Andrew Holway andrew.holway at gmail.com
Thu Jan 2 17:07:27 UTC 2014


I have taken out the winsync.

[root at ipa.wibble.com ~]# ipa-replica-manage connect  --binddn
cn=administrator,cn=users,dc=prattle,dc=com --bindpw pa$$ --passsync
pa$$ --cacert /etc/openldap/cacerts/prattle.crt
win-5uglhak7rin.prattle.com. -vvv
Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
database for ipa.wibble.com
You cannot connect to a previously deleted master

I can't find anything useful in the Server 2008 AD logs. I am seeing
if I can make them more sensitive.

/var/log/messages

Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904045,  0]
../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register:
interface 'lsarpc' already registered on endpoint
Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904642,  0]
../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register:
interface 'samr' already registered on endpoint
Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.905147,  0]
../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register:
interface 'netlogon' already registered on endpoint
Jan  2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
Jan  2 16:53:47 ipa named[11459]: connection to the LDAP server was lost
Jan  2 16:53:47 ipa named[11459]: bind to LDAP server failed: Can't
contact LDAP server
Jan  2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to
handle LDAP connection error. Reconnection in 60s
Jan  2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299083,  0]
ipa_sam.c:3689(bind_callback_cleanup)
Jan  2 16:53:49 ipa winbindd[12071]:   kerberos error:
code=-1765328324, message=Generic error (see e-text)
Jan  2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299320,  0]
../source3/lib/smbldap.c:998(smbldap_connect_system)
Jan  2 16:53:49 ipa winbindd[12071]:   failed to bind to server
ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn="[Anonymous
bind]" Error: Local error
Jan  2 16:53:49 ipa winbindd[12071]:   #011(unknown)
Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.909746,  0]
../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many
handles (2049) on this pipe.
Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910126,  0]
../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many
handles (2049) on this pipe.
Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910427,  0]
../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many
handles (2049) on this pipe.


On 2 January 2014 13:41, Dmitri Pal <dpal at redhat.com> wrote:
> On 01/02/2014 07:38 AM, Andrew Holway wrote:
>> I have gotten a little further along with this but am having problems
>> connecting to the AD LDAP.
>>
>> [root at ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync
>> --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw
>> X9deiX9dei --passsync X9deiX9dei --cacert
>> /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
>>
>> Directory Manager password:
>>
>> Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
>> database for ipa.wibble.com
>>
>> ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.
>>
>> ipa: INFO: The error was: {'info': '00000000: LdapErr: DSID-0C090E17,
>> comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server
>> is unavailable'}
>>
>> Failed to setup winsync replication
>
> Hello,
>
> Trusts and winsync are mutually exclusive.
> You either do one or another. We do not have a way to move from one
> configuration to another yet and the decision should be made at the
> deployment time.
>
> Which one do you prefer?
> If you prefer trusts please follow the instructions on the wiki. The
> guide is not updated yet, sorry.
> http://www.freeipa.org/page/Trusts
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>
> It seems that after the trust is established you try to login and fail.
> Can you provide more details about those attempts?
> http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
> also see other sections on the same page.
>
> HTH
> Thanks
> Dmitri
>
>
>>
>> On 1 January 2014 22:27, Andrew Holway <andrew.holway at gmail.com> wrote:
>>> Hello,
>>>
>>> I am attempting to set up trust between my test freeipa server at
>>> ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.
>>>
>>> In the GUI I can see the following in "Trusts » prattle.com".
>>>
>>> Realm name: prattle.com
>>> Domain NetBIOS name: PRATTLE
>>> Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
>>> Trust direction: Two-way trust
>>> Trust type: Active Directory domain
>>>
>>> However I can't see any of the AD users that I have created, nor can I
>>> log on to any of the systems under my freeipa realm.
>>>
>>> Jan  1 20:50:30 host002 sshd[9959]: Failed password for invalid user
>>> bob from 10.51.120.1 port 55101 ssh2
>>>
>>> I haven't actually done anything to AD to facilitate this trust. It's
>>> not particularly clear what should be done.
>>>
>>> Many thanks,
>>>
>>> Andrew
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
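An added triage script, not from this thread or the FreeIPA project, that parses the /var/log/messages excerpt posted above and flags the three distinct failure signatures it contains (named losing its LDAP connection, winbindd failing its Kerberos-authenticated ldapi bind, smbd exhausting RPC policy handles). The sample lines are the thread's own wrapped log lines re-joined one per line; the explanations attached to each signature are the editor's reading, not project documentation.

```python
import re
from collections import Counter

# Constructed sample: the wrapped /var/log/messages lines from the thread, re-joined one per line.
SAMPLE_LOG = """\
Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register: interface 'samr' already registered on endpoint
Jan  2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
Jan  2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
Jan  2 16:53:49 ipa winbindd[12071]:   kerberos error: code=-1765328324, message=Generic error (see e-text)
Jan  2 16:53:49 ipa winbindd[12071]:   failed to bind to server ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn="[Anonymous bind]" Error: Local error
Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many handles (2049) on this pipe.
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host daemon[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<daemon>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Signatures seen in the thread and what each one means when triaging a trust setup.
# -1765328324 is KRB5KRB_ERR_GENERIC, i.e. the Kerberos library had no usable credentials.
SIGNATURES = [
    ("named", re.compile(r"Can't contact LDAP server"),
     "bind-dyndb-ldap lost its connection to the local 389-ds (directory server down or restarting)"),
    ("winbindd", re.compile(r"kerberos error: code=(-?\d+)"),
     "winbindd could not obtain Kerberos credentials for its ldapi bind (code {0})"),
    ("winbindd", re.compile(r"failed to bind to server (ldapi://\S+)"),
     "winbindd fell back to an anonymous bind on {0}; trust lookups fail until the bind works"),
    ("smbd", re.compile(r"too many handles \((\d+)\) on this pipe"),
     "RPC policy-handle limit reached ({0} handles): a client is leaking or hammering the pipe"),
]

def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not a syslog line."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text):
    """Count lines per daemon and collect (timestamp, daemon, explanation) for known signatures."""
    by_daemon, findings = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_daemon[rec["daemon"]] += 1
        for daemon, pat, explanation in SIGNATURES:
            m = pat.search(rec["msg"])
            if rec["daemon"] == daemon and m:
                findings.append((rec["ts"], daemon, explanation.format(*m.groups())))
    return {"by_daemon": dict(by_daemon), "findings": findings}

if __name__ == "__main__":
    for ts, daemon, why in triage(SAMPLE_LOG)["findings"]:
        print(f"{ts} {daemon}: {why}")
```

Run it against a larger /var/log/messages capture to see whether the named LDAP disconnects and the winbindd bind failures cluster around the same timestamps, which is what a directory-server restart looks like.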