[Freeipa-users] can't create winsync replication

Rich Megginson rmeggins at redhat.com
Fri Jan 31 21:30:43 UTC 2014


On 01/31/2014 02:14 PM, Todd Maugh wrote:
> I used the IPA directory manager password and got no output
>
> [root at se-idm-01.boingo.com cacerts]$ ldapsearch -LLLx -b "cn=config" 
> -D  "cn=directory manager" -W 
> 'objectclass=nsdswindowsreplicationagreement' dn
> Enter LDAP Password:

Very strange.  Try this:
ldapsearch -LLLx -b "cn=config" -D  "cn=directory manager" -W 
'objectclass=nsds5replicationagreement'

>
>
>
> ------------------------------------------------------------------------
> *From:* Todd Maugh
> *Sent:* Friday, January 31, 2014 1:11 PM
> *To:* Rich Megginson; dpal at redhat.com
> *Cc:* freeipa-users at redhat.com
> *Subject:* RE: [Freeipa-users] can't create winsync replication
>
> For the second command I do not have an account called directory 
> manager, so I do not have a password
>
> ldapsearch -LLLx -b "cn=config" -D  "cn=directory manager" -W 
> 'objectclass=nsdswindowsreplicationagreement' dn
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
>
> ------------------------------------------------------------------------
> *From:* freeipa-users-bounces at redhat.com 
> [freeipa-users-bounces at redhat.com] on behalf of Todd Maugh 
> [tmaugh at boingo.com]
> *Sent:* Friday, January 31, 2014 12:55 PM
> *To:* Rich Megginson; dpal at redhat.com
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] can't create winsync replication
>
>
>
> [root at se-idm-01.boingo.com cacerts]$ 
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -LLLx -ZZ 
> -H ldap://qatestdc2.boingoqa.local -b "cn=idm 
> admin,cn=users,dc=boingoqa,dc=local" -D  "cn=idm 
> admin,cn=users,dc=boingoqa,dc=local" -W
> Enter LDAP Password:
> dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: IDM ADMIN
> givenName: IDMADMIN
> distinguishedName: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
> instanceType: 4
> whenCreated: 20140128182537.0Z
> whenChanged: 20140131014315.0Z
> displayName: IDMADMIN
> uSNCreated: 31968
> memberOf: CN=Domain Controllers,CN=Users,DC=boingoqa,DC=local
> memberOf: CN=Account Operators,CN=Builtin,DC=boingoqa,DC=local
> memberOf: CN=Enterprise Admins,CN=Users,DC=boingoqa,DC=local
> uSNChanged: 38786
> name: IDM ADMIN
> objectGUID:: jai63JfDvUuOGcURntA7hg==
> userAccountControl: 66048
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 130356008006093750
> primaryGroupID: 513
> objectSid:: AQUAAAAAAAUVAAAA0+/GU55mz3h0hQ48RwYAAA==
> adminCount: 1
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: idmadmin
> sAMAccountType: 805306368
> userPrincipalName: idmadmin at boingoqa.local
> lockoutTime: 0
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=boingoqa,DC=local
> dSCorePropagationData: 20140129224024.0Z
> dSCorePropagationData: 16010101000000.0Z
> lastLogonTimestamp: 130356060672110578
>
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson [rmeggins at redhat.com]
> *Sent:* Friday, January 31, 2014 12:39 PM
> *To:* Todd Maugh; dpal at redhat.com
> *Cc:* freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] can't create winsync replication
>
> On 01/31/2014 12:16 PM, Todd Maugh wrote:
>> RE:
>>
>> I am not sure I was clear. It seems that you provided the LDAP trace 
>> for the ldapsearch commands you executed above. I was talking about 
>> the DS level logs for the replica management agreement establishment 
>> and the follow up replication.
>>
>> here is the log tailed while I deleted the replication agreement, 
>> restarted the dirsrv and tried to setup the replication agreement
>
> Note that 389 does not use /etc/openldap/cacerts - it uses 
> /etc/dirsrv/slapd-YOUR-DOMAIN, so try this:
>
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -LLLx -ZZ 
> -H ldap://qatestdc2.boingoqa.local -b "cn=idm 
> admin,cn=users,dc=boingoqa,dc=local" -D  "cn=idm 
> admin,cn=users,dc=boingoqa,dc=local" -W
>
>>
>>
>>
>> [31/Jan/2014:19:07:37 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:08:12 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:08:13 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:08:25 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:10:01 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:11:51 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:11:54 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:12:00 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:12:12 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:12:36 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:13:12 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:13:13 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:13:24 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:13:57 +0000] NSMMReplicationPlugin - agmt_delete: begin
>> [31/Jan/2014:19:14:09 +0000] - slapd shutting down - signaling 
>> operation threads
>> [31/Jan/2014:19:14:09 +0000] - slapd shutting down - waiting for 30 
>> threads to terminate
>> [31/Jan/2014:19:14:09 +0000] - slapd shutting down - closing down 
>> internal subsystems and plugins
>> [31/Jan/2014:19:14:09 +0000] - Waiting for 4 database threads to stop
>> [31/Jan/2014:19:14:09 +0000] - All database threads now stopped
>> [31/Jan/2014:19:14:09 +0000] - slapd stopped.
>> [31/Jan/2014:19:14:12 +0000] - 389-Directory/1.2.11.15 B2013.337.1530 
>> starting up
>> [31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no 
>> entries set up under cn=computers, cn=compat,dc=boingo,dc=com
>> [31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no 
>> entries set up under cn=ng, cn=compat,dc=boingo,dc=com
>> [31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no 
>> entries set up under ou=sudoers,dc=boingo,dc=com
>> [31/Jan/2014:19:14:12 +0000] - Skipping CoS Definition cn=Password 
>> Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which 
>> should be added before the CoS Definition.
>> [31/Jan/2014:19:14:12 +0000] set_krb5_creds - Could not get initial 
>> credentials for principal [ldap/se-idm-01.boingo.com at BOINGO.COM] in 
>> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see 
>> e-text))
>> [31/Jan/2014:19:14:12 +0000] - Skipping CoS Definition cn=Password 
>> Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which 
>> should be added before the CoS Definition.
>> [31/Jan/2014:19:14:12 +0000] slapd_ldap_sasl_interactive_bind - 
>> Error: could not perform interactive bind for id [] mech [GSSAPI]: 
>> LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: 
>> Unspecified GSS failure.  Minor code may provide more information 
>> (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
>> [31/Jan/2014:19:14:12 +0000] slapi_ldap_bind - Error: could not 
>> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [31/Jan/2014:19:14:12 +0000] NSMMReplicationPlugin - 
>> agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind 
>> with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): 
>> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code 
>> may provide more information (Credentials cache file 
>> '/tmp/krb5cc_495' not found))
>> [31/Jan/2014:19:14:12 +0000] - slapd started.  Listening on All 
>> Interfaces port 389 for LDAP requests
>> [31/Jan/2014:19:14:12 +0000] - Listening on All Interfaces port 636 
>> for LDAPS requests
>> [31/Jan/2014:19:14:12 +0000] - Listening on 
>> /var/run/slapd-BOINGO-COM.socket for LDAPI requests
>> [31/Jan/2014:19:14:16 +0000] NSMMReplicationPlugin - 
>> agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind 
>> with GSSAPI auth resumed
>> [31/Jan/2014:19:15:18 +0000] - slapd shutting down - signaling 
>> operation threads
>> [31/Jan/2014:19:15:18 +0000] - slapd shutting down - waiting for 30 
>> threads to terminate
>> [31/Jan/2014:19:15:18 +0000] - slapd shutting down - closing down 
>> internal subsystems and plugins
>> [31/Jan/2014:19:15:18 +0000] - Waiting for 4 database threads to stop
>> [31/Jan/2014:19:15:18 +0000] - All database threads now stopped
>> [31/Jan/2014:19:15:18 +0000] - slapd stopped.
>> [31/Jan/2014:19:15:23 +0000] - 389-Directory/1.2.11.15 B2013.337.1530 
>> starting up
>> [31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no 
>> entries set up under cn=computers, cn=compat,dc=boingo,dc=com
>> [31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no 
>> entries set up under cn=ng, cn=compat,dc=boingo,dc=com
>> [31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no 
>> entries set up under ou=sudoers,dc=boingo,dc=com
>> [31/Jan/2014:19:15:23 +0000] - Skipping CoS Definition cn=Password 
>> Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which 
>> should be added before the CoS Definition.
>> [31/Jan/2014:19:15:23 +0000] set_krb5_creds - Could not get initial 
>> credentials for principal [ldap/se-idm-01.boingo.com at BOINGO.COM] in 
>> keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see 
>> e-text))
>> [31/Jan/2014:19:15:23 +0000] - Skipping CoS Definition cn=Password 
>> Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which 
>> should be added before the CoS Definition.
>> [31/Jan/2014:19:15:23 +0000] slapd_ldap_sasl_interactive_bind - 
>> Error: could not perform interactive bind for id [] mech [GSSAPI]: 
>> LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: 
>> Unspecified GSS failure.  Minor code may provide more information 
>> (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
>> [31/Jan/2014:19:15:23 +0000] slapi_ldap_bind - Error: could not 
>> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
>> [31/Jan/2014:19:15:23 +0000] NSMMReplicationPlugin - 
>> agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind 
>> with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): 
>> generic failure: GSSAPI Error: Unspecified GSS failure. Minor code 
>> may provide more information (Credentials cache file 
>> '/tmp/krb5cc_495' not found))
>> [31/Jan/2014:19:15:23 +0000] - slapd started.  Listening on All 
>> Interfaces port 389 for LDAP requests
>> [31/Jan/2014:19:15:23 +0000] - Listening on All Interfaces port 636 
>> for LDAPS requests
>> [31/Jan/2014:19:15:23 +0000] - Listening on 
>> /var/run/slapd-BOINGO-COM.socket for LDAPI requests
>> [31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin - 
>> agmt="cn=meToqatestdc2.boingoqa.local" (qatestdc2:389): Replication 
>> bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS 
>> error -8179:Peer's Certificate issuer is not recognized.)
>> [31/Jan/2014:19:15:25 +0000] - Entry 
>> "cn=meToqatestdc2.boingoqa.local,cn=replica,cn=dc\3Dboingo\2Cdc\3Dcom,cn=mapping 
>> tree,cn=config" -- attribute "nsDS5ReplicatedAttributeListTotal" not 
>> allowed
>> [31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin - 
>> agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind 
>> with GSSAPI auth resumed
>> [31/Jan/2014:19:15:27 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:15:27 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:15:28 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [31/Jan/2014:19:15:30 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>

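An added example, not part of the thread or of 389/FreeIPA: a small Python triage script over errors-log entries of the shape quoted above, which groups failed replication binds by agreement and root cause (the TLS "issuer is not recognized" failure on the winsync agreement versus the missing Kerberos credential cache on the IPA-to-IPA agreement). The sample lines are single-line reconstructions of the wrapped entries in the thread, and the remediation hint texts are this example's own assumptions.

```python
import re
from collections import Counter
# One 389 DS errors-log entry per line: [timestamp] NSMMReplicationPlugin - agmt="..." (host:port): message
AGMT_RE = re.compile(r'^\[[^\]]+\] NSMMReplicationPlugin - agmt="(?P<agmt>[^"]+)" '
                     r'\((?P<host>[^)]+)\): Replication bind with \S+ auth (?P<msg>.*)$')

# Root-cause markers, checked in order: the specific TLS issuer text must win over
# the generic "Connect error" that wraps it in the winsync failure.
CAUSES = (
    ("Peer's Certificate issuer is not recognized", "tls-untrusted-issuer"),
    ("Credentials cache file", "gssapi-no-ccache"),
    ("Connect error", "connect-error"),
)
# Hint wording is an assumption of this example, following the thread's advice.
HINTS = {
    "tls-untrusted-issuer": "peer CA not trusted by this instance; import it into the NSS DB under /etc/dirsrv/slapd-<INSTANCE>",
    "gssapi-no-ccache": "ldap/ principal has no Kerberos ccache; check /etc/dirsrv/ds.keytab and KDC reachability",
    "connect-error": "TCP/StartTLS connection to the peer failed; check port, firewall and TLS support",
}
# Constructed sample: single-line versions of entries quoted in the thread.
SAMPLE_LOG = [
    '[31/Jan/2014:19:15:23 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file \'/tmp/krb5cc_495\' not found))',
    '[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)',
    '[31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin - agmt="cn=meToqatestdc2.boingoqa.local" (qatestdc2:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer\'s Certificate issuer is not recognized.)',
    '[31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed',
]

def classify(msg):
    # Map a failure message to a cause label using the ordered markers above.
    for needle, label in CAUSES:
        if needle in msg:
            return label
    return "other"

def replication_failures(lines):
    """Return {(agreement, host): Counter({cause: count})} for failed replication binds."""
    failures = {}
    for line in lines:
        m = AGMT_RE.match(line)
        if not m or not m.group("msg").startswith("failed"):
            continue  # not an agreement entry, or a "resumed" notice
        key = (m.group("agmt"), m.group("host"))
        failures.setdefault(key, Counter())[classify(m.group("msg"))] += 1
    return failures

def triage(lines):
    # One readable line per failing agreement and cause, with a remediation hint.
    out = []
    for (agmt, host), causes in sorted(replication_failures(lines).items()):
        for cause, n in sorted(causes.items()):
            out.append(f"{agmt} ({host}): {n}x {cause}: {HINTS.get(cause, 'inspect the full error text')}")
    return out
```

Run it against `/var/log/dirsrv/slapd-<INSTANCE>/errors` to see which agreement is failing and why before touching the certificate database or keytab.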