[Freeipa-users] AD --> FreeIPA Password Sync --- Peer reports incompatible or unsupported protocol

Gonzalo Fernandez Ordas g.fer.ordas at unicyber.co.uk
Fri Mar 13 18:23:43 UTC 2015


I am having a look at the documentation again..

And having version 1.1.6 of the PassSync tool means:

[**] 389-PassSync-1.1.6 disables SSLv3 by default.


And I can see in the LDAP Info from IPA that SSLv3 and SSLv2 are OFF..
So, "theoretically", it should work as SSLv3 is disabled on both?

thanks!

On 13/03/2015 19:04, g.fer.ordas at unicyber.co.uk wrote:
>
> Thanks to everyone for the replies.
>
> The installed version for the passsync is 1.1.6 and using the latest
> I got in RPMs from centos7 so the following:
> 89-ds-base-1.3.1.6-26.el7_0.x86_64
> 389-ds-base-libs-1.3.1.6-26.el7_0.x86_64
> sssd-ipa-1.11.2-68.el7_0.6.x86_64
> ipa-python-3.3.3-28.0.1.el7.centos.3.x86_64
> ipa-admintools-3.3.3-28.0.1.el7.centos.3.x86_64
> libipa_hbac-1.11.2-68.el7_0.6.x86_64
> ipa-server-3.3.3-28.0.1.el7.centos.3.x86_64
> ipa-client-3.3.3-28.0.1.el7.centos.3.x86_64
> libipa_hbac-python-1.11.2-68.el7_0.6.x86_64
>
> I haven't installed anything manually but using the Centos' Repos...
>
> thanks!!!
>
>
>
>
> On 2015-03-13 17:02, Dmitri Pal wrote:
>> On 03/13/2015 12:45 PM, g.fer.ordas at unicyber.co.uk wrote:
>>
>>> Hi
>>>
>>> I am going forward with a Password Sync AD (Windows 2013) ----
>>> FreeIPA
>>>
>>> ipa-server-3.3.3-28.0.1.el7 on a Centos7 Box.
>>>
>>> I got the Password Sync Tool installed in the Windows2013 box and I
>>> have created a user with its related password as I am trying to
>>> test the password changes...
>>>
>>> Looking at the access logs I can see the following related to the
>>> Sync Process:
>>>
>>> --------
>>>
>>> [13/Mar/2015:09:22:02 -0700] conn=2 op=10 RESULT err=32 tag=101
>>> nentries=0 etime=0
>>> [13/Mar/2015:09:23:27 -0700] conn=13 fd=82 slot=82 SSL connection
>>> from AD.Server to FreeIPA.Server
>>> [13/Mar/2015:09:23:27 -0700] conn=13 op=-1 fd=82 closed - Peer
>>> reports incompatible or unsupported protocol version.
>>> [13/Mar/2015:09:23:29 -0700] conn=14 fd=82 slot=82 SSL connection
>>> from AD.Server to FreeIPA.Server
>>> [13/Mar/2015:09:23:29 -0700] conn=14 op=-1 fd=82 closed - Peer
>>> reports incompatible or unsupported protocol version.
>>> [13/Mar/2015:09:23:33 -0700] conn=15 fd=82 slot=82 SSL connection
>>> from AD.Server to FreeIPA.Server
>>> [13/Mar/2015:09:23:33 -0700] conn=15 op=-1 fd=82 closed - Peer
>>> reports incompatible or unsupported protocol version.
>>> [13/Mar/2015:09:23:41 -0700] conn=16 fd=82 slot=82 SSL connection
>>> from AD.Server to FreeIPA.Server
>>> [13/Mar/2015:09:23:41 -0700] conn=16 op=-1 fd=82 closed - Peer
>>> reports incompatible or unsupported protocol version.
>>> [13/Mar/2015:09:23:57 -0700] conn=17 fd=82 slot=82 SSL connection
>>> from AD.Server to FreeIPA.Server
>>> [13/Mar/2015:09:23:57 -0700] conn=17 op=-1 fd=82 closed - Peer
>>> reports incompatible or unsupported protocol version.
>>> [13/Mar/2015:09:24:29 -0700] conn=18 fd=82 slot=82 SSL connection
>>> from AD.Server to FreeIPA.Server
>>> [13/Mar/2015:09:24:29 -0700] conn=18 op=-1 fd=82 closed - Peer
>>> reports incompatible or unsupported protocol version.
>>> [13/Mar/2015:09:25:34 -0700] conn=19 fd=91 slot=91 SSL connection
>>> from AD.Server to FreeIPA.Server
>>> [13/Mar/2015:09:25:34 -0700] conn=19 op=-1 fd=91 closed - Peer
>>> reports incompatible or unsupported protocol version.
>>> --------
>>>
>>> So the passwords do not seem to be copied across.
>>> Any idea why this is happening and how to troubleshoot it?
>>>
>>> Many Thanks
>> This might be related to one of the vulnerabilities that were
>> found last year. Make sure that you have the latest available versions
>> on both sides. If you have a mismatch then the client might not talk
>> the TLS version that the server expects or vice versa.
>>
>> -- 
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>
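
Added example, not part of the original messages: a small Python helper that reads a directory server access log in the format quoted above (mail-wrapped or ">"-quoted) and counts, per connecting peer, the TLS connections that were closed before any LDAP operation because of a protocol version mismatch. The function names, the conn=20 lines, the 192.0.2.10 address and the "U1" close are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the access-log format quoted in the thread, kept
# mail-wrapped on purpose; conn=20 is a constructed, cleanly closed session.
SAMPLE_LOG = """\
[13/Mar/2015:09:23:27 -0700] conn=13 fd=82 slot=82 SSL connection
from AD.Server to FreeIPA.Server
[13/Mar/2015:09:23:27 -0700] conn=13 op=-1 fd=82 closed - Peer
reports incompatible or unsupported protocol version.
[13/Mar/2015:09:23:29 -0700] conn=14 fd=82 slot=82 SSL connection
from AD.Server to FreeIPA.Server
[13/Mar/2015:09:23:29 -0700] conn=14 op=-1 fd=82 closed - Peer
reports incompatible or unsupported protocol version.
[13/Mar/2015:09:30:00 -0700] conn=20 fd=83 slot=83 SSL connection
from 192.0.2.10 to FreeIPA.Server
[13/Mar/2015:09:30:05 -0700] conn=20 op=1 fd=83 closed - U1
"""

RECORD = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?P<rest>.*)$")
OPENED = re.compile(r"SSL connection from (?P<peer>\S+) to \S+")
MISMATCH = "Peer reports incompatible or unsupported protocol version"

def unwrap(text):
    """Rejoin wrapped (and '>'-quoted) lines; a record starts with '['."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or '--------' separator
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def tls_version_failures(text):
    """Per peer, count TLS connections dropped at handshake (op=-1) over protocol version."""
    peer_of, failures = {}, Counter()
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        opened = OPENED.search(m["rest"])
        if opened:
            peer_of[m["conn"]] = opened["peer"]
        elif "op=-1" in m["rest"] and MISMATCH in m["rest"]:
            failures[peer_of.pop(m["conn"], "unknown")] += 1
    return dict(failures)
```

A peer that shows up only in this count and never reaches an operation is failing at the TLS handshake, so the protocol versions enabled on each side are the place to compare.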
