[Freeipa-users] cant create winsync reolication

Rich Megginson rmeggins at redhat.com
Fri Jan 31 21:07:17 UTC 2014


On 01/31/2014 01:55 PM, Todd Maugh wrote:
>
>
> [root at se-idm-01.boingo.com cacerts]$ 
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -LLLx -ZZ 
> -H ldap://qatestdc2.boingoqa.local -b "cn=idm 
> admin,cn=users,dc=boingoqa,dc=local" -D  "cn=idm 
> admin,cn=users,dc=boingoqa,dc=local" -W
> Enter LDAP Password:
> dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: IDM ADMIN
> givenName: IDMADMIN
> distinguishedName: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
> instanceType: 4
> whenCreated: 20140128182537.0Z
> whenChanged: 20140131014315.0Z
> displayName: IDMADMIN
> uSNCreated: 31968
> memberOf: CN=Domain Controllers,CN=Users,DC=boingoqa,DC=local
> memberOf: CN=Account Operators,CN=Builtin,DC=boingoqa,DC=local
> memberOf: CN=Enterprise Admins,CN=Users,DC=boingoqa,DC=local
> uSNChanged: 38786
> name: IDM ADMIN
> objectGUID:: jai63JfDvUuOGcURntA7hg==
> userAccountControl: 66048
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 130356008006093750
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAA0+/GU55mz3h0hQ48RwYAAA==
> adminCount: 1
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: idmadmin
> sAMAccountType: 805306368
> userPrincipalName: idmadmin at boingoqa.local
> lockoutTime: 0
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=boingoqa,DC=local
> dSCorePropagationData: 20140129224024.0Z
> dSCorePropagationData: 16010101000000.0Z
> lastLogonTimestamp: 130356060672110578

I'd like to look at the debug output, so try this:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx 
-ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm 
admin,cn=users,dc=boingoqa,dc=local" -D  "cn=idm 
admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn

The 389 errors log indicates "cannot connect" which usually means some 
sort of SSL error.  Unfortunately the logging leaves something to be 
desired in the way of information necessary to diagnose and fix the problem.

If that doesn't help, let's take a look at your winsync agreement 
configuration:

ldapsearch -LLLx -b "cn=config" -D  "cn=directory manager" -W 
'objectclass=nsdswindowsreplicationagreement' dn

>
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson [rmeggins at redhat.com]
> *Sent:* Friday, January 31, 2014 12:39 PM
> *To:* Todd Maugh; dpal at redhat.com
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] cant create winsync reolication
>
> On 01/31/2014 12:16 PM, Todd Maugh wrote:
>> RE:
>>
>> I am not sure I was clear. It seems that you provided the LDAP trace 
>> for the ldapsearch commands you executed above. I was talking about 
>> the DS level logs for the replica management agreement establishment 
>> and the follow up replication.
>>
>> here is the log tailed while I deleted the replication agreement, 
>> restarted the dirsrv and tried to setup the replication agreement
>
> Note that 389 does not use /etc/openldap/cacerts - it uses 
> /etc/dirsrv/slapd-YOUR-DOMAIN, so try this:
>
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -LLLx -ZZ 
> -H ldap://qatestdc2.boingoqa.local -b "cn=idm 
> admin,cn=users,dc=boingoqa,dc=local" -D  "cn=idm 
> admin,cn=users,dc=boingoqa,dc=local" -W
>
>>
>>
>>
>> [31/Jan/2014:19:07:37 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:08:12 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:08:13 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:08:25 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:10:01 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:11:51 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:11:54 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:12:00 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:12:12 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:12:36 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:13:12 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:13:13 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:13:24 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:13:57 +0000] NSMMReplicationPlugin - agmt_delete: begin
>> [31/Jan/2014:19:14:09 +0000] - slapd shutting down - signaling 
>> operation threads
>> [31/Jan/2014:19:14:09 +0000] - slapd shutting down - waiting for 30 
>> threads to terminate
>> [31/Jan/2014:19:14:09 +0000] - slapd shutting down - closing down 
>> internal subsystems and plugins
>> [31/Jan/2014:19:14:09 +0000] - Waiting for 4 database threads to stop
>> [31/Jan/2014:19:14:09 +0000] - All database threads now stopped
>> [31/Jan/2014:19:14:09 +0000] - slapd stopped.
>> [31/Jan/2014:19:14:12 +0000] - 389-Directory/1.2.11.15 B2013.337.1530 
>> starting up
>> [31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no 
>> entries set up under cn=computers, cn=compat,dc=boingo,dc=com
>> [31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no 
>> entries set up under cn=ng, cn=compat,dc=boingo,dc=com
>> [31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no 
>> entries set up under ou=sudoers,dc=boingo,dc=com
>> [31/Jan/2014:19:14:12 +0000] - Skipping CoS Definition cn=Password 
>> Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which 
>> should be added before the CoS Definition.
>> [31/Jan/2014:19:14:12 +0000] set_krb5_creds - Could not get initial 
>> credentials for principal [ldap/se-idm-01.boingo.com at BOINGO.COM] in 
>> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see 
>> e-text))
>> [31/Jan/2014:19:14:12 +0000] - Skipping CoS Definition cn=Password 
>> Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which 
>> should be added before the CoS Definition.
>> [31/Jan/2014:19:14:12 +0000] slapd_ldap_sasl_interactive_bind - 
>> Error: could not perform interactive bind for id [] mech [GSSAPI]: 
>> LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: 
>> Unspecified GSS failure. Minor code may provide more information 
>> (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
>> [31/Jan/2014:19:14:12 +0000] slapi_ldap_bind - Error: could not 
>> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [31/Jan/2014:19:14:12 +0000] NSMMReplicationPlugin - 
>> agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind 
>> with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): 
>> generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code 
>> may provide more information (Credentials cache file 
>> '/tmp/krb5cc_495' not found))
>> [31/Jan/2014:19:14:12 +0000] - slapd started. Listening on All 
>> Interfaces port 389 for LDAP requests
>> [31/Jan/2014:19:14:12 +0000] - Listening on All Interfaces port 636 
>> for LDAPS requests
>> [31/Jan/2014:19:14:12 +0000] - Listening on 
>> /var/run/slapd-BOINGO-COM.socket for LDAPI requests
>> [31/Jan/2014:19:14:16 +0000] NSMMReplicationPlugin - 
>> agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind 
>> with GSSAPI auth resumed
>> [31/Jan/2014:19:15:18 +0000] - slapd shutting down - signaling 
>> operation threads
>> [31/Jan/2014:19:15:18 +0000] - slapd shutting down - waiting for 30 
>> threads to terminate
>> [31/Jan/2014:19:15:18 +0000] - slapd shutting down - closing down 
>> internal subsystems and plugins
>> [31/Jan/2014:19:15:18 +0000] - Waiting for 4 database threads to stop
>> [31/Jan/2014:19:15:18 +0000] - All database threads now stopped
>> [31/Jan/2014:19:15:18 +0000] - slapd stopped.
>> [31/Jan/2014:19:15:23 +0000] - 389-Directory/1.2.11.15 B2013.337.1530 
>> starting up
>> [31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no 
>> entries set up under cn=computers, cn=compat,dc=boingo,dc=com
>> [31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no 
>> entries set up under cn=ng, cn=compat,dc=boingo,dc=com
>> [31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no 
>> entries set up under ou=sudoers,dc=boingo,dc=com
>> [31/Jan/2014:19:15:23 +0000] - Skipping CoS Definition cn=Password 
>> Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which 
>> should be added before the CoS Definition.
>> [31/Jan/2014:19:15:23 +0000] set_krb5_creds - Could not get initial 
>> credentials for principal [ldap/se-idm-01.boingo.com at BOINGO.COM] in 
>> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see 
>> e-text))
>> [31/Jan/2014:19:15:23 +0000] - Skipping CoS Definition cn=Password 
>> Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which 
>> should be added before the CoS Definition.
>> [31/Jan/2014:19:15:23 +0000] slapd_ldap_sasl_interactive_bind - 
>> Error: could not perform interactive bind for id [] mech [GSSAPI]: 
>> LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: 
>> Unspecified GSS failure. Minor code may provide more information 
>> (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
>> [31/Jan/2014:19:15:23 +0000] slapi_ldap_bind - Error: could not 
>> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [31/Jan/2014:19:15:23 +0000] NSMMReplicationPlugin - 
>> agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind 
>> with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): 
>> generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code 
>> may provide more information (Credentials cache file 
>> '/tmp/krb5cc_495' not found))
>> [31/Jan/2014:19:15:23 +0000] - slapd started. Listening on All 
>> Interfaces port 389 for LDAP requests
>> [31/Jan/2014:19:15:23 +0000] - Listening on All Interfaces port 636 
>> for LDAPS requests
>> [31/Jan/2014:19:15:23 +0000] - Listening on 
>> /var/run/slapd-BOINGO-COM.socket for LDAPI requests
>> [31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin - 
>> agmt="cn=meToqatestdc2.boingoqa.local" (qatestdc2:389): Replication 
>> bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS 
>> error -8179:Peer's Certificate issuer is not recognized.)
>> [31/Jan/2014:19:15:25 +0000] - Entry 
>> "cn=meToqatestdc2.boingoqa.local,cn=replica,cn=dc\3Dboingo\2Cdc\3Dcom,cn=mapping 
>> tree,cn=config" -- attribute "nsDS5ReplicatedAttributeListTotal" not 
>> allowed
>> [31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin - 
>> agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind 
>> with GSSAPI auth resumed
>> [31/Jan/2014:19:15:27 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:15:27 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:15:28 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:15:30 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
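The errors log quoted above mixes three failure classes: outbound startTLS attempts that never complete, a SIMPLE bind to the AD side rejected with NSS error -8179 (the peer's certificate issuer is not in the trust store that 389 actually uses, the point Rich makes about /etc/dirsrv/slapd-YOUR-DOMAIN versus /etc/openldap/cacerts), and a GSSAPI bind to the other IPA replica with no credential cache yet. As an added example, not code from the thread or from 389/FreeIPA, the shell script below triages such a log by agreement name and failure class; the sample lines are constructed from the ones Todd posted, and the /etc/dirsrv/slapd-INSTANCE path in the hint text is an assumption for the reader to substitute.

```shell
#!/usr/bin/env bash
# Triage helper for a 389-ds errors log (added example, not from the thread).
# Reads log lines from a file given as $1, or from the constructed sample below,
# and reports each failed replication bind with the agreement it belongs to and
# a hint about the failure class. Paths named in hints are assumptions.

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG=$(cat <<'EOF'
[31/Jan/2014:19:15:23 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin - agmt="cn=meToqatestdc2.boingoqa.local" (qatestdc2:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)
[31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed
[31/Jan/2014:19:15:27 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
EOF
)

# Number of outbound startTLS attempts that never completed (stdin -> count).
count_starttls_failures() {
  grep -c 'could not send startTLS request' || true
}

# One record per failed replication bind: agreement|mechanism|reason (stdin).
# The "resumed" lines are deliberately not matched.
failed_binds() {
  sed -n 's/.*agmt="\([^"]*\)" ([^)]*): Replication bind with \([A-Z]*\) auth failed: \(.*\)$/\1|\2|\3/p'
}

# Map the reason text to a failure class a defender can act on.
# Order matters: the specific TLS code is tested before the generic connect error.
classify_reason() {
  case "$1" in
    *'-8179'*)
      # NSS SEC_ERROR_UNKNOWN_ISSUER: the remote server's CA is not trusted by
      # this instance's NSS database (assumed path /etc/dirsrv/slapd-INSTANCE).
      echo "peer CA not trusted: check 'certutil -L -d /etc/dirsrv/slapd-INSTANCE' for the remote CA" ;;
    *'Credentials cache'*|*'GSSAPI Error'*)
      echo "no Kerberos credentials for GSSAPI bind: check the keytab and service principal" ;;
    *'Connect error'*)
      echo "connection-level failure before bind: check host, port and TLS settings" ;;
    *)
      echo "unclassified" ;;
  esac
}

# Combine: agreement, mechanism and classification, tab separated (stdin).
triage() {
  failed_binds | while IFS='|' read -r agmt mech reason; do
    printf '%s\t%s\t%s\n' "$agmt" "$mech" "$(classify_reason "$reason")"
  done
}

if [ -n "${1:-}" ]; then
  triage < "$1"
else
  printf '%s\n' "$SAMPLE_LOG" | triage
fi
```

Run it against the live log (for example `./triage.sh /var/log/dirsrv/slapd-INSTANCE/errors`, path assumed) to see at a glance which agreement is failing and why; the winsync agreement here classifies as "peer CA not trusted", which is what the `-d 1` ldapsearch Rich asks for would confirm from the client side, while the GSSAPI failure against the other IPA replica is a transient startup condition that the "resumed" line shows clearing a few seconds later.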
