[Freeipa-users] AD - Freeipa trust confusion

Andrew Holway andrew.holway at gmail.com
Thu Jan 2 17:25:22 UTC 2014


I turned off all the AD processes on my Windows domain controller.

The error did not change.

On 2 January 2014 17:07, Andrew Holway <andrew.holway at gmail.com> wrote:
> I have taken out the winsync.
>
> [root at ipa.wibble.com ~]# ipa-replica-manage connect  --binddn
> cn=administrator,cn=users,dc=prattle,dc=com --bindpw pa$$ --passsync
> pa$$ --cacert /etc/openldap/cacerts/prattle.crt
> win-5uglhak7rin.prattle.com. -vvv
> Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
> database for ipa.wibble.com
> You cannot connect to a previously deleted master
>
> I can't find anything useful in the Server 2008 AD logs.... I am seeing
> if I can make them more sensitive.
>
> /var/log/messages
>
> Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904045,  0]
> ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register:
> interface 'lsarpc' already registered on endpoint
> Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904642,  0]
> ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register:
> interface 'samr' already registered on endpoint
> Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.905147,  0]
> ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register:
> interface 'netlogon' already registered on endpoint
> Jan  2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
> Jan  2 16:53:47 ipa named[11459]: connection to the LDAP server was lost
> Jan  2 16:53:47 ipa named[11459]: bind to LDAP server failed: Can't
> contact LDAP server
> Jan  2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to
> handle LDAP connection error. Reconnection in 60s
> Jan  2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299083,  0]
> ipa_sam.c:3689(bind_callback_cleanup)
> Jan  2 16:53:49 ipa winbindd[12071]:   kerberos error:
> code=-1765328324, message=Generic error (see e-text)
> Jan  2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299320,  0]
> ../source3/lib/smbldap.c:998(smbldap_connect_system)
> Jan  2 16:53:49 ipa winbindd[12071]:   failed to bind to server
> ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn="[Anonymous
> bind]" Error: Local error
> Jan  2 16:53:49 ipa winbindd[12071]:   #011(unknown)
> Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.909746,  0]
> ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
> Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many
> handles (2049) on this pipe.
> Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910126,  0]
> ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
> Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many
> handles (2049) on this pipe.
> Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910427,  0]
> ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
> Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many
> handles (2049) on this pipe.
>
>
> On 2 January 2014 13:41, Dmitri Pal <dpal at redhat.com> wrote:
>> On 01/02/2014 07:38 AM, Andrew Holway wrote:
>>> I have gotten a little further along with this but am having problems
>>> connecting to the AD LDAP.
>>>
>>> [root at ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync
>>> --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw
>>> X9deiX9dei --passsync X9deiX9dei --cacert
>>> /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
>>>
>>> Directory Manager password:
>>>
>>> Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
>>> database for ipa.wibble.com
>>>
>>> ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.
>>>
>>> ipa: INFO: The error was: {'info': '00000000: LdapErr: DSID-0C090E17,
>>> comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server
>>> is unavailable'}
>>>
>>> Failed to setup winsync replication
>>
>> Hello,
>>
>> Trusts and winsync are mutually exclusive.
>> You either do one or another. We do not have a way to move from one
>> configuration to another yet and the decision should be made at the
>> deployment time.
>>
>> Which one do you prefer?
>> If you prefer trusts please follow the instructions on the wiki. The
>> guide is not updated yet, sorry.
>> http://www.freeipa.org/page/Trusts
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>
>> It seems that after the trust is established you try to log in and fail.
>> Can you provide more details about those attempts?
>> http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
>> also see other sections on the same page.
>>
>> HTH
>> Thanks
>> Dmitri
>>
>>
>>>
>>> On 1 January 2014 22:27, Andrew Holway <andrew.holway at gmail.com> wrote:
>>>> Hello,
>>>>
>>>> I am attempting to set up trust between my test freeipa server at
>>>> ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.
>>>>
>>>> In the GUI I can see the following in "Trusts » prattle.com".
>>>>
>>>> Realm name: prattle.com
>>>> Domain NetBIOS name: PRATTLE
>>>> Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
>>>> Trust direction: Two-way trust
>>>> Trust type: Active Directory domain
>>>>
>>>> However, I can't see any of the AD users that I have created, nor can I
>>>> log on to any of the systems under my FreeIPA realm.
>>>>
>>>> Jan  1 20:50:30 host002 sshd[9959]: Failed password for invalid user
>>>> bob from 10.51.120.1 port 55101 ssh2
>>>>
>>>> I haven't actually done anything to AD to facilitate this trust. It's
>>>> not particularly clear what should be done.
>>>>
>>>> Many thanks,
>>>>
>>>> Andrew
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
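The /var/log/messages excerpt above mixes three daemons (smbd, winbindd, named) and Samba's two-line debug format, which makes the repeated "too many handles" entries hard to count by eye. The following triage script is an added example, not code from the FreeIPA project or from anyone in this thread. It assumes only two well-known layouts: the syslog line "Mon DD HH:MM:SS host daemon[pid]: message", and the Samba debug header "[YYYY/MM/DD HH:MM:SS.micro, level] source.c:line(function)" whose actual message follows on the next syslog line. It also parses the diagnostic string AD returned to ipa-replica-manage ("LdapErr: DSID-..., comment: ..., data N, vNNNN"). The sample log is constructed from the lines quoted above, with the e-mail quote markers removed and wrapped lines re-joined.

```python
"""Triage helper for the /var/log/messages excerpt quoted in the thread.

Added example, not FreeIPA or Samba project code. Assumes the standard
syslog line layout and Samba's two-line debug header format described in
the lead-in; nothing here talks to a live IPA or AD server.
"""
import re
from collections import Counter

# Constructed sample: the thread's quoted lines, quote markers stripped,
# wrapped lines re-joined. A subset is enough to show the grouping.
SAMPLE_LOG = """\
Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904045,  0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Jan  2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904642,  0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan  2 16:53:43 ipa smbd[12033]:   dcesrv_interface_register: interface 'samr' already registered on endpoint
Jan  2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
Jan  2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
Jan  2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299083,  0] ipa_sam.c:3689(bind_callback_cleanup)
Jan  2 16:53:49 ipa winbindd[12071]:   kerberos error: code=-1765328324, message=Generic error (see e-text)
Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.909746,  0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many handles (2049) on this pipe.
Jan  2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910126,  0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan  2 16:54:13 ipa smbd[12033]:   create_policy_hnd: ERROR: too many handles (2049) on this pipe.
"""

# "Jan  2 16:53:43 ipa smbd[12033]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# "[2014/01/02 16:53:43.904045,  0] ../source3/.../srv_epmapper.c:378(_epm_Insert)"
SAMBA_HDR_RE = re.compile(
    r"^\[(?P<when>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+), +(?P<level>\d+)\] "
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$"
)
# Microsoft LDAP diagnostic string as returned in the thread:
# "00000000: LdapErr: DSID-0C090E17, comment: Error initializing SSL/TLS, data 0, v1db1"
LDAPERR_RE = re.compile(
    r"^(?P<win32>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9a-fA-F]+)$"
)

EMPTY_HDR = {"when": None, "level": None, "src": None, "line": None, "func": None}


def parse_samba_events(text):
    """Return one event dict per log message.

    A Samba debug header and the message line that follows it (same daemon
    and pid) are merged into a single event; lines from daemons that do not
    use that format (named here) become one event each.
    """
    events = []
    pending = None  # Samba header still waiting for its message line
    for raw in text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue  # not a syslog line we understand; skip
        rec = m.groupdict()
        hdr = SAMBA_HDR_RE.match(rec["msg"])
        if hdr:
            if pending:  # previous header never got its message: keep it anyway
                events.append({**pending, "msg": ""})
            pending = {**rec, **hdr.groupdict()}
            continue
        if pending and (pending["daemon"], pending["pid"]) == (rec["daemon"], rec["pid"]):
            events.append({**pending, "msg": rec["msg"].strip()})
            pending = None
        else:
            events.append({**rec, **EMPTY_HDR})
    if pending:
        events.append({**pending, "msg": ""})
    return events


def summarize(events):
    """Collapse repeats: key = (daemon, Samba function or None, message with digits masked)."""
    counts = Counter()
    for e in events:
        sig = re.sub(r"\d+", "N", e["msg"])
        counts[(e["daemon"], e["func"], sig)] += 1
    return counts


def parse_ad_ldaperr(info):
    """Parse AD's LdapErr diagnostic string; 'data' is the hex sub-error, returned as int."""
    m = LDAPERR_RE.match(info)
    if not m:
        return None
    d = m.groupdict()
    d["data"] = int(d["data"], 16)
    return d


if __name__ == "__main__":
    for (daemon, func, sig), n in summarize(parse_samba_events(SAMPLE_LOG)).most_common():
        print(f"{n:3d}x {daemon:9s} {func or '-':28s} {sig}")
    print(parse_ad_ldaperr(
        "00000000: LdapErr: DSID-0C090E17, comment: Error initializing SSL/TLS, data 0, v1db1"))
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file's contents; the summary makes it obvious whether the smbd handle exhaustion is a burst or a steady leak, and the parsed AD string separates the comment ("Error initializing SSL/TLS", i.e. the LDAPS handshake never completed) from the numeric sub-error.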