[Freeipa-users] [freeipa] Issues with Winsync agreement

Rich Megginson rmeggins at redhat.com
Thu Mar 13 20:29:15 UTC 2014


On 03/13/2014 01:58 PM, Todd Maugh wrote:
> I believe they are.
>
> So here is the output of the log. It was showing those errors; I 
> deleted the winsync agreement and then restarted IPA and then re-added 
> the winsync and the errors returned. Could this be a cert issue?
>
> [13/Mar/2014:19:48:20 +0000] slapi_ldap_bind - Error: could not send 
> startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:19:48:44 +0000] slapi_ldap_bind - Error: could not send 
> startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:19:49:32 +0000] slapi_ldap_bind - Error: could not send 
> startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:19:51:08 +0000] slapi_ldap_bind - Error: could not send 
> startTLS request: error -11 (Connect error) errno 0 (Success)
>
> Here I removed the winsync agreement: ipa-replica-manage del 
> adc13-els.bwinc.local
> then restarted IPA:
>
> ipactl restart
>
> [13/Mar/2014:19:51:50 +0000] NSMMReplicationPlugin - agmt_delete: begin
> [13/Mar/2014:19:51:59 +0000] - slapd shutting down - signaling 
> operation threads
> [13/Mar/2014:19:51:59 +0000] - slapd shutting down - waiting for 29 
> threads to terminate
> [13/Mar/2014:19:51:59 +0000] - slapd shutting down - closing down 
> internal subsystems and plugins
> [13/Mar/2014:19:51:59 +0000] - Waiting for 4 database threads to stop
> [13/Mar/2014:19:51:59 +0000] - All database threads now stopped
> [13/Mar/2014:19:51:59 +0000] - slapd stopped.
> [13/Mar/2014:19:52:14 +0000] - 389-Directory/1.2.11.15 B2013.337.1530 
> starting up
> [13/Mar/2014:19:52:14 +0000] schema-compat-plugin - warning: no 
> entries set up under cn=computers, cn=compat,dc=ops,dc=boingo,dc=com
> [13/Mar/2014:19:52:14 +0000] schema-compat-plugin - warning: no 
> entries set up under cn=ng, cn=compat,dc=ops,dc=boingo,dc=com
> [13/Mar/2014:19:52:14 +0000] schema-compat-plugin - warning: no 
> entries set up under ou=sudoers,dc=ops,dc=boingo,dc=com
> [13/Mar/2014:19:52:14 +0000] - Skipping CoS Definition cn=Password 
> Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, 
> which should be added before the CoS Definition.
> [13/Mar/2014:19:52:14 +0000] set_krb5_creds - Could not get initial 
> credentials for principal 
> [ldap/idm-master-els.ops.boingo.com at OPS.BOINGO.COM] in keytab 
> [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
> [13/Mar/2014:19:52:14 +0000] - Skipping CoS Definition cn=Password 
> Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, 
> which should be added before the CoS Definition.
> [13/Mar/2014:19:52:14 +0000] slapd_ldap_sasl_interactive_bind - Error: 
> could not perform interactive bind for id [] mech [GSSAPI]: LDAP error 
> -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified 
> GSS failure.  Minor code may provide more information (Credentials 
> cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
> [13/Mar/2014:19:52:14 +0000] slapi_ldap_bind - Error: could not 
> perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [13/Mar/2014:19:52:14 +0000] NSMMReplicationPlugin - 
> agmt="cn=meToidm-rep01-els.ops.boingo.com" (idm-rep01-els:389): 
> Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) 
> (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
> Minor code may provide more information (Credentials cache file 
> '/tmp/krb5cc_495' not found))
> [13/Mar/2014:19:52:14 +0000] - slapd started.  Listening on All 
> Interfaces port 389 for LDAP requests
> [13/Mar/2014:19:52:14 +0000] - Listening on All Interfaces port 636 
> for LDAPS requests
> [13/Mar/2014:19:52:14 +0000] - Listening on 
> /var/run/slapd-OPS-BOINGO-COM.socket for LDAPI requests
> [13/Mar/2014:19:52:18 +0000] NSMMReplicationPlugin - 
> agmt="cn=meToidm-rep01-els.ops.boingo.com" (idm-rep01-els:389): 
> Replication bind with GSSAPI auth resumed
>
> Here I added the winsync agreement again:
>
> [13/Mar/2014:19:53:16 +0000] - slapd shutting down - signaling 
> operation threads
> [13/Mar/2014:19:53:16 +0000] - slapd shutting down - waiting for 30 
> threads to terminate
> [13/Mar/2014:19:53:16 +0000] - slapd shutting down - closing down 
> internal subsystems and plugins
> [13/Mar/2014:19:53:16 +0000] - Waiting for 4 database threads to stop
> [13/Mar/2014:19:53:16 +0000] - All database threads now stopped
> [13/Mar/2014:19:53:16 +0000] - slapd stopped.
> [13/Mar/2014:19:53:20 +0000] - 389-Directory/1.2.11.15 B2013.337.1530 
> starting up
> [13/Mar/2014:19:53:20 +0000] schema-compat-plugin - warning: no 
> entries set up under cn=computers, cn=compat,dc=ops,dc=boingo,dc=com
> [13/Mar/2014:19:53:20 +0000] schema-compat-plugin - warning: no 
> entries set up under cn=ng, cn=compat,dc=ops,dc=boingo,dc=com
> [13/Mar/2014:19:53:20 +0000] schema-compat-plugin - warning: no 
> entries set up under ou=sudoers,dc=ops,dc=boingo,dc=com
> [13/Mar/2014:19:53:20 +0000] - Skipping CoS Definition cn=Password 
> Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, 
> which should be added before the CoS Definition.
> [13/Mar/2014:19:53:20 +0000] - Skipping CoS Definition cn=Password 
> Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, 
> which should be added before the CoS Definition.
> [13/Mar/2014:19:53:20 +0000] - slapd started.  Listening on All 
> Interfaces port 389 for LDAP requests
> [13/Mar/2014:19:53:20 +0000] - Listening on All Interfaces port 636 
> for LDAPS requests
> [13/Mar/2014:19:53:20 +0000] - Listening on 
> /var/run/slapd-OPS-BOINGO-COM.socket for LDAPI requests
> [13/Mar/2014:19:53:22 +0000] slapi_ldap_bind - Error: could not send 
> startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:19:53:22 +0000] NSMMReplicationPlugin - 
> agmt="cn=meToadc13-els.bwinc.local" (adc13-els:389): Replication bind 
> with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error 
> -8179:Peer's Certificate issuer is not recognized.)

This seems like a cert issue.  "Peer's" = the AD server; "Certificate 
issuer" = the CA that issued the AD server cert; "is not recognized" = IdM 
has no knowledge of the CA cert.

But you verified that ldapsearch was working?  LDAPTLS_CACERTDIR tells 
ldapsearch to use /etc/dirsrv/slapd-OPS-BOINGO-COM, which is the same as 
winsync is using.

Try doing the ldapsearch again, like this:

[root at idm-master-els.ops.boingo.com cacerts]$ 
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -d 1 
-xLLLZZ -h adc13-els.bwinc.local -D 
"cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX"  -s base -b 
"cn=Users,dc=bwinc,dc=local" "objectclass=*" dn

The -d 1 will make it spew debugging information.  Perhaps ldapsearch is 
picking up some option from /etc/openldap/ldap.conf or ~/.ldaprc which 
tells it to ignore certificate verification.

> [13/Mar/2014:19:53:22 +0000] - Entry 
> "cn=meToadc13-els.bwinc.local,cn=replica,cn=dc\3Dops\2Cdc\3Dboingo\2Cdc\3Dcom,cn=mapping 
> tree,cn=config" -- attribute "nsDS5ReplicatedAttributeListTotal" not 
> allowed
> [13/Mar/2014:19:53:22 +0000] slapi_ldap_bind - Error: could not send 
> startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:19:53:22 +0000] slapi_ldap_bind - Error: could not send 
> startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:19:53:24 +0000] slapi_ldap_bind - Error: could not send 
> startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:19:53:24 +0000] slapi_ldap_bind - Error: could not send 
> startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:19:53:25 +0000] slapi_ldap_bind - Error: could not send 
> startTLS request: error -11 (Connect error) errno 0 (Success)
>
>
> ------------------------------------------------------------------------
> *From:* Rich Megginson [rmeggins at redhat.com]
> *Sent:* Thursday, March 13, 2014 12:05 PM
> *To:* Todd Maugh; freeipa-users at redhat.com
> *Subject:* Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
>
> On 03/13/2014 12:50 PM, Todd Maugh wrote:
>> Ok the error I see repeated in the log is
>>
>> [13/Mar/2014:18:41:21 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:43:11 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:43:14 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:43:20 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:43:32 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:43:56 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:44:30 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
>> [13/Mar/2014:18:44:33 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:44:44 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:46:20 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:47:29 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:47:32 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:47:38 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:47:50 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:48:11 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:48:14 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:48:20 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:48:32 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [13/Mar/2014:18:48:56 +0000] slapi_ldap_bind - Error: could not send 
>> startTLS request: error -11 (Connect error) errno 0 (Success)
>> [root at idm-master-els.ops.boingo.com cacerts]$
>
> Are all of these associated with the winsync agreement?
>
>>
>> ------------------------------------------------------------------------
>> *From:* Rich Megginson [rmeggins at redhat.com]
>> *Sent:* Thursday, March 13, 2014 11:43 AM
>> *To:* Todd Maugh; freeipa-users at redhat.com
>> *Subject:* Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
>>
>> On 03/13/2014 12:29 PM, Todd Maugh wrote:
>>> Ok, so I ran that and get this output:
>>
>> Ok.  Next, take a look at /var/log/dirsrv/slapd-OPS-BOINGO-COM/errors
>>
>>>
>>>
>>> [root at idm-master-els.ops.boingo.com cacerts]$ 
>>> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch 
>>> -xLLLZZ -h adc13-els.bwinc.local -D 
>>> "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX"  -s base -b 
>>> "cn=Users,dc=bwinc,dc=local"
>>> dn: cn=Users,dc=bwinc,dc=local
>>> objectClass: top
>>> objectClass: container
>>> cn: Users
>>> description: Default container for upgraded user accounts
>>> distinguishedName: CN=Users,DC=BWINC,DC=local
>>> instanceType: 4
>>> whenCreated: 20060824234034.0Z
>>> whenChanged: 20140306190741.0Z
>>> uSNCreated: 17702
>>> uSNChanged: 17702
>>> showInAdvancedViewOnly: FALSE
>>> name: Users
>>> objectGUID:: kCZ7CbnIZk+0GpmCr3PCfw==
>>> systemFlags: -1946157056
>>> objectCategory: 
>>> CN=Container,CN=Schema,CN=Configuration,DC=BWINC,DC=local
>>> isCriticalSystemObject: TRUE
>>> dSCorePropagationData: 20140306234416.0Z
>>> dSCorePropagationData: 20140306234348.0Z
>>> dSCorePropagationData: 20140306225101.0Z
>>> dSCorePropagationData: 20140306225055.0Z
>>> dSCorePropagationData: 16010101000000.0Z
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>> *Sent:* Wednesday, March 12, 2014 3:47 PM
>>> *To:* Todd Maugh; freeipa-users at redhat.com
>>> *Subject:* Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
>>>
>>> On 03/12/2014 04:39 PM, Todd Maugh wrote:
>>>> thanks Rich,
>>>>
>>>> when I run that  I get the following:
>>>>
>>>>
>>>> [root at idm-master-els.ops.boingo.com ipa]$ 
>>>> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch 
>>>> -xLLLZZ -h adc13-els.bwinc.local -D 
>>>> "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" s base -b 
>>>> "cn=Users,dc=bwinc,dc=local"
>>>> ldap_bind: Invalid credentials (49)
>>>
>>> Invalid credentials almost always means your password "XXXXXX" is 
>>> not correct for user "cn=idmadmin,cn=Users,dc=bwinc,dc=local"
>>>
>>>> additional info: 80090308: LdapErr: DSID-0C0903C5, comment: 
>>>> AcceptSecurityContext error, data 52e, v2580
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>> *From:* Rich Megginson [rmeggins at redhat.com]
>>>> *Sent:* Wednesday, March 12, 2014 3:30 PM
>>>> *To:* Todd Maugh; freeipa-users at redhat.com
>>>> *Subject:* Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
>>>>
>>>> On 03/12/2014 04:18 PM, Todd Maugh wrote:
>>>>> Hello.
>>>>>
>>>>> I'm using the latest IPA build on Red Hat 6.5.
>>>>>
>>>>> I retrieved my CA cert from the AD Domain controller
>>>>>
>>>>> I try to set up my winsync agreement and I am getting this:
>>>>>
>>>>>
>>>>>
>>>>> [root at idm-master-els.ops.boingo.com ipa]$ ipa-replica-manage 
>>>>> connect --winsync --binddn "cn=idmadmin, cn=Users, dc=bwinc, 
>>>>> dc=local" --bindpw "XXXXXX" --passsync "XXXXXX" 
>>>>> --cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer adc13-els.bwinc.local
>>>>> Directory Manager password:
>>>>>
>>>>> Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to 
>>>>> certificate database for idm-master-els.ops.boingo.com
>>>>> ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local
>>>>> ipa: INFO: The error was: {'info': '80090308: LdapErr: 
>>>>> DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, 
>>>>> v2580', 'desc': 'Invalid credentials'}
>>>>> Failed to setup winsync replication
>>>>>
>>>>>
>>>>> Not sure where to look for the logs for this to see what the 
>>>>> invalid credentials are, or whether this might still be a cert 
>>>>> issue or a login issue or whatnot?
>>>>
>>>> You can test with ldapsearch like this:
>>>>
>>>> $ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLLZZ 
>>>> -h adc13-els.bwinc.local -D 
>>>> "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" -s base -b 
>>>> "cn=Users,dc=bwinc,dc=local"
>>>>
>>>>>
>>>>>
>>>>> Thanks in advance for the help
>>>>>
>>>>> -Todd
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>
>>
>
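Rich's caveat above is that a passing ldapsearch -ZZ proves nothing if the OpenLDAP client config has switched certificate verification off. The following is an added check, not code from the thread or from FreeIPA: it scans the config files ldapsearch reads for a TLS_REQCERT directive and reports whether verification has been weakened (file paths are the OpenLDAP defaults; the script's function names are my own).

```shell
#!/bin/sh
# Added example (not from the thread): find TLS_REQCERT settings in the
# OpenLDAP client config files that ldapsearch reads, so a successful
# "ldapsearch -ZZ" can be trusted as evidence that the AD CA really is in
# the NSS database that winsync uses. OpenLDAP semantics: "never" and
# "allow" accept a bad or missing server cert; "try", "demand" and "hard"
# reject a bad one.

# Print "file:value" for every TLS_REQCERT directive in the given files.
# Directive names are matched case-insensitively; "# ..." comments are
# stripped first so a commented-out line is not reported.
find_tls_reqcert() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        sed 's/#.*//' "$f" |
            awk -v file="$f" 'toupper($1) == "TLS_REQCERT" { print file ":" tolower($2) }'
    done
}

# Return 0 if any file disables peer verification (never/allow), 1 otherwise.
verification_weakened() {
    find_tls_reqcert "$@" | grep -Eq ':(never|allow)$'
}

# Stand-alone run against the real client config on the IdM host.
if [ "${1:-}" = "--check" ]; then
    files="/etc/openldap/ldap.conf $HOME/.ldaprc ./ldaprc"
    if verification_weakened $files; then
        echo "WARNING: ldapsearch is NOT verifying the AD server certificate:"
        find_tls_reqcert $files
        echo "A successful ldapsearch -ZZ therefore says nothing about CA trust."
    else
        echo "TLS_REQCERT is try/demand/hard or unset: ldapsearch verifies the peer cert."
    fi
fi
```

Run it as `sh check-reqcert.sh --check`; if nothing is weakened and ldapsearch still succeeds while winsync fails with -8179, compare what each side trusts with `certutil -L -d /etc/dirsrv/slapd-OPS-BOINGO-COM`, which lists the certificates and trust flags in the NSS database winsync actually uses.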
