[Freeipa-users] [freeipa] Issues with Winsync agreement

Rich Megginson rmeggins at redhat.com
Thu Mar 13 18:22:49 UTC 2014


On 03/13/2014 12:01 PM, Todd Maugh wrote:
> Ok I got the credentials error worked out, my ad admin had the 
> IDMadmin account in the wrong OU
>
> but now I get this
>
>
> Added CA certificate ADC13-ELS.CA.cer to certificate database for 
> idm-master-els.ops.boingo.com
> ipa: INFO: AD Suffix is: DC=BWINC,DC=local
> The user for the Windows PassSync service is 
> uid=passsync,cn=sysaccounts,cn=etc,dc=ops,dc=boingo,dc=com
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP 
> error: Connect error: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [idm-master-els.ops.boingo.com] reports: Update failed! Status: [-11  
> - LDAP error: Connect error]
> Failed to start replication

Ok.  First step is to use ldapsearch to check connection, certs, 
passwords, etc.

[root at idm-master-els.ops.boingo.com ipa]$ 
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h 
adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w 
"XXXXXX" -s base -b "cn=Users,dc=bwinc,dc=local"

Or whatever your actual idmadmin DN is.

>
>
>
> not sure where to look for more errors about this
>
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson [rmeggins at redhat.com]
> *Sent:* Wednesday, March 12, 2014 4:23 PM
> *To:* Todd Maugh; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
>
> On 03/12/2014 05:07 PM, Todd Maugh wrote:
>> so to verify this
>>
>> I am able to log in to the AD server as idmadmin with the password 
>> I'm using in the winsync agreement.
>
> I guess you mean that login to Windows using the standard Windows 
> login dialog is working correctly?  And that this is still not working 
> correctly:
>
> [root at idm-master-els.ops.boingo.com ipa]$ 
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ 
> -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" 
> -w "XXXXXX" -s base -b "cn=Users,dc=bwinc,dc=local"
>
> Do you have the Windows administrator password?  If so, can you try 
> something like this:
>
> [root at idm-master-els.ops.boingo.com ipa]$ 
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ 
> -h adc13-els.bwinc.local -D 
> "cn=administrator,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" -s base -b 
> "cn=Users,dc=bwinc,dc=local"
>
> Is AD configured to allow external LDAP binds?
>
>> is there a log I can look at to see what it is getting tripped up on.
>
> I suppose you could try somewhere in the Windows Event Viewer . . .
>
>>
>> I double checked all the security groups  for the AD user and they 
>> all look good
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Rich Megginson [rmeggins at redhat.com]
>> *Sent:* Wednesday, March 12, 2014 3:47 PM
>> *To:* Todd Maugh; freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
>>
>> On 03/12/2014 04:39 PM, Todd Maugh wrote:
>>> thanks Rich,
>>>
>>> when I run that  I get the following:
>>>
>>>
>>> [root at idm-master-els.ops.boingo.com ipa]$ 
>>> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch 
>>> -xLLLZZ -h adc13-els.bwinc.local -D 
>>> "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" -s base -b 
>>> "cn=Users,dc=bwinc,dc=local"
>>> ldap_bind: Invalid credentials (49)
>>
>> Invalid credentials almost always means your password "XXXXXX" is 
>> not correct for user "cn=idmadmin,cn=Users,dc=bwinc,dc=local"
>>
>>>     additional info: 80090308: LdapErr: DSID-0C0903C5, comment: 
>>> AcceptSecurityContext error, data 52e, v2580
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>> *Sent:* Wednesday, March 12, 2014 3:30 PM
>>> *To:* Todd Maugh; freeipa-users at redhat.com
>>> *Subject:* Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
>>>
>>> On 03/12/2014 04:18 PM, Todd Maugh wrote:
>>>> Hello.
>>>>
>>>> I'm using latest IPA build on red hat 6.5
>>>>
>>>> I retrieved my CA cert from the AD Domain controller
>>>>
>>>> I try to set up my winsyncagreement and I am getting this
>>>>
>>>>
>>>>
>>>> [root at idm-master-els.ops.boingo.com ipa]$ ipa-replica-manage 
>>>> connect --winsync --binddn "cn=idmadmin, cn=Users, dc=bwinc, 
>>>> dc=local" --bindpw "XXXXXX" --passsync "XXXXXX" 
>>>> --cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer adc13-els.bwinc.local
>>>> Directory Manager password:
>>>>
>>>> Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to 
>>>> certificate database for idm-master-els.ops.boingo.com
>>>> ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local
>>>> ipa: INFO: The error was: {'info': '80090308: LdapErr: 
>>>> DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, 
>>>> v2580', 'desc': 'Invalid credentials'}
>>>> Failed to setup winsync replication
>>>>
>>>>
>>>> not sure where to look for the logs for this to see what the 
>>>> invalid credentials are or whether this might still be a cert issue 
>>>> or a log in issue or what not?
>>>
>>> You can test with ldapsearch like this:
>>>
>>> $ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLLZZ 
>>> -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" 
>>> -w "XXXXXX" -s base -b "cn=Users,dc=bwinc,dc=local"
>>>
>>>>
>>>>
>>>> Thanks in advance for the help
>>>>
>>>> -Todd
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
>
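The thread hits the two distinct failure layers that ldapsearch is used to separate: an AD bind rejection (`AcceptSecurityContext error, data 52e`, reported as LDAP result 49) and an OpenLDAP client-side connect failure (`status: -11 - LDAP error: Connect error`) that happens before any bind is attempted. The helper below is an added example, not code from the thread or from FreeIPA; it parses both message shapes out of `ipa-replica-manage`/`ldapsearch` output and says which layer failed and what to check next. The AD sub-code table and the negative OpenLDAP client codes are the standard documented values; the last sample line is constructed (the page's own DSID with the sub-code swapped to 533) to show the table in use.

```python
import re
from typing import Dict, Iterable, List, Optional

# Active Directory puts the LSA sub-status of a failed simple bind in the
# "data NNN" field of its diagnostic string.  These are the documented hex
# sub-codes; 52e is the one seen in the thread.
AD_BIND_SUBCODES: Dict[str, str] = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the bind DN does not name the intended object)",
    "530": "logon not permitted at this time (logon hours restriction)",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password at next logon",
    "775": "account locked out",
}

# Negative codes are OpenLDAP client-library errors, not server result codes.
# 389-ds / ipa-replica-manage surface them in the agreement status string.
OPENLDAP_CLIENT_CODES: Dict[int, str] = {
    -1: "LDAP_SERVER_DOWN: the server could not be contacted",
    -5: "LDAP_TIMEOUT: the operation timed out",
    -11: "LDAP_CONNECT_ERROR: TCP connected but the session could not be set up; "
         "with -ZZ/STARTTLS this is almost always a failed TLS handshake "
         "(CA not trusted, certificate hostname mismatch)",
}

# e.g. '80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580'
AD_ERR_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)

# e.g. 'status: -11  - LDAP error: Connect error: start: 0: end: 0'
#      'Status: [-11  - LDAP error: Connect error]'
STATUS_RE = re.compile(
    r"status: \[?(?P<code>-?\d+)\s+-\s+LDAP error: (?P<text>[^:\]]+)", re.IGNORECASE
)


def triage(line: str) -> Optional[dict]:
    """Classify one ipa-replica-manage / ldapsearch diagnostic line.

    Returns None when the line carries neither error shape, otherwise a dict
    with the layer that failed ('ad_bind' or 'client'), the raw code, its
    meaning and the next thing to check.
    """
    m = AD_ERR_RE.search(line)
    if m:
        data = m.group("data").lower()
        return {
            "kind": "ad_bind",
            "code": data,
            "meaning": AD_BIND_SUBCODES.get(data, "unknown AD sub-code"),
            "check": ("connection and TLS succeeded; the server rejected the bind. "
                      "Re-run ldapsearch -ZZ with the same -D/-w against the same host "
                      "and confirm the account's DN (container/OU) and password."),
        }
    m = STATUS_RE.search(line)
    if m:
        code = int(m.group("code"))
        if code == -11:
            check = ("no bind was attempted. Check that LDAPTLS_CACERTDIR holds the AD "
                     "CA certificate and that the host name given matches the AD server "
                     "certificate; ldapsearch -ZZ prints the TLS reason.")
        else:
            check = "resolve the library/transport error before looking at credentials."
        return {
            "kind": "client" if code < 0 else "server",
            "code": code,
            "meaning": OPENLDAP_CLIENT_CODES.get(code, m.group("text").strip()),
            "check": check,
        }
    return None


def triage_log(lines: Iterable[str]) -> List[dict]:
    """Run triage() over a log, keeping only lines that carried an error."""
    return [r for r in (triage(l) for l in lines) if r is not None]


# Constructed sample: the two failure lines from the thread plus one made-up
# 'account disabled' variant (same DSID as the page, sub-code changed to 533).
SAMPLE_LOG = [
    "ipa: INFO: Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer",
    "ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, "
    "comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'}",
    "ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP error: Connect error: start: 0: end: 0",
    "ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C0903C5, "
    "comment: AcceptSecurityContext error, data 533, v2580",  # constructed
]

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(f"[{r['kind']}] code={r['code']}: {r['meaning']}\n    next: {r['check']}")
```

Feed it `ipa-replica-manage` output or the `ldapsearch` error lines from the thread; a `client`/-11 result means the TLS trust or host name needs attention before the bind DN and password are worth revisiting, while an `ad_bind` result means the transport is fine and the sub-code tells you which account condition AD objected to.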
