[Freeipa-users] Fwd: Re: AD --> FreeIPA Password Sync --- Peer reports incompatible or unsupported protocol

Noriko Hosoi nhosoi at redhat.com
Mon Mar 16 20:05:54 UTC 2015


Hello, Gonzalo,

Any progress on your Password Synchronization?

Let me double check a couple of things.  You wrote you installed 
PassSync on Windows 2013 (which could be a typo?)  We support Windows 
Server 2008 R2 and 2012 R2.  We also confirmed it works on Windows 
Server 2003 R2.

> On 03/13/2015 12:45 PM, g.fer.ordas at unicyber.co.uk wrote:
>> I got the Password Sync Tool installed in the Windows2013 box

You can find the doc on PassSync here.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#windows-pass-sync

The doc is on PassSync 1.1.5, but 1.1.6 remains intact except the 
default SSL version to connect to the 389 Directory Server (as we 
discussed before).

We had a discussion regarding the PassSync user you had to create:

uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com

FreeIPA is supposed to generate a PassSync user by running 
ipa-replica-manage --winsync --passsync=PASSSYNC_PWD (see also man 
ipa-replica-manage).

> there must some problem as FreeIPA
> creates own Passsync user in "cn=sysaccounts,cn=etc,<SUFFIX>" also sets it's DN
> as passSyncManagersDNs in ipa_pwd_extop plugin to avoid it creating expired
> passwords. So there is no need to create
> "uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" manually.

Please see the above doc regarding the user creation.

  * The username of the system user which Active Directory uses to
    connect to the IdM machine. This account is configured automatically
    when sync is configured on the IdM server. The default account is
    uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com.
  * The password set in the --passsync option when the sync agreement
    was created.

I'm sending this response to freeipa-users to share the info and request 
for more suggestions.

Thanks,
--noriko

On 03/13/2015 02:48 PM, g.fer.ordas at unicyber.co.uk wrote:
> I forgot to attach the search command now:
> # passsync, users, accounts, corp.company.com
> dn: uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
> cn: passsync
> displayName: passsync
> krbLastFailedAuth: 20150313211546Z
> krbLoginFailedCount: 1
> krbExtraData:: AALUUQNVcm9vdC9hZG1pbkBDT1JQLkhPT1RTVUlURU1FRElBLkNPTQA=
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=corp,dc=company,dc=com
> krbLastPwdChange: 20150313210836Z
> krbPasswordExpiration: 20150611210836Z
> mepManagedEntry: cn=passsync,cn=groups,cn=accounts,dc=corp,dc=company,d
>  c=com
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> loginShell: /bin/bash
> gecos: pass sync
> sn: sync
> homeDirectory: /home/passsync
> uid: passsync
> mail: passsync at corp.company.com
> krbPrincipalName: passsync at CORP.company.COM
> givenName: pass
> initials: ps
> userPassword:: zxxxxxxxx=
>  =
> ipaUniqueID: 1d76b14a-c9c5-11e4-93f4-12d2e19d1e3c
> uidNumber: 1481000829
> gidNumber: 1481000829
> krbPrincipalKey:: dfrerererer
>
> # search result
> search: 2
>
>
> On 2015-03-13 21:39, g.fer.ordas at unicyber.co.uk wrote:
>> Hi
>>
>> I had to manually create the user!! For some reason I thought the sync
>> Agreement task was also creating that entry for the DS!
>>
>> So now I got:
>>
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=4 SRCH
>> base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>> scope=0 filter="(objectClass=*)" attrs="telephoneNumber uid title
>> loginShell uidNumber gidNumber sn homeDirectory mail ou givenName
>> nsAccountLock"
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=4 RESULT err=0 tag=101
>> nentries=1 etime=0
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=5 SRCH
>> base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>> scope=0 filter="(userPassword=*)" attrs="userPassword"
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=5 RESULT err=0 tag=101
>> nentries=1 etime=0
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=6 SRCH
>> base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>> scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=6 RESULT err=0 tag=101
>> nentries=1 etime=0
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=7 SRCH
>> base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>> scope=0 filter="(objectClass=*)" attrs="ipaSshPubKey"
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=7 RESULT err=0 tag=101
>> nentries=1 etime=0
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=8 UNBIND
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=8 fd=103 closed - U1
>> [13/Mar/2015:14:27:33 -0700] conn=48 op=20 RESULT err=0 tag=101
>> nentries=828 etime=90 notes=U
>> [13/Mar/2015:14:27:33 -0700] conn=48 op=21 ABANDON targetop=NOTFOUND 
>> msgid=16
>> [13/Mar/2015:14:27:33 -0700] conn=48 op=22 SRCH
>> base="cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=0
>> filter="(objectClass=*)" attrs="* aci"
>> [13/Mar/2015:14:27:33 -0700] conn=48 op=22 RESULT err=0 tag=101
>> nentries=1 etime=0
>> [13/Mar/2015:14:27:33 -0700] conn=48 op=23 ABANDON targetop=NOTFOUND 
>> msgid=18
>> [13/Mar/2015:14:27:42 -0700] conn=67 fd=103 slot=103 connection from 
>> ::1 to ::1
>> [13/Mar/2015:14:27:42 -0700] conn=67 op=0 BIND dn="cn=directory
>> manager" method=128 version=3
>> [13/Mar/2015:14:27:42 -0700] conn=67 op=0 RESULT err=0 tag=97
>> nentries=0 etime=0 dn="cn=directory manager"
>> [13/Mar/2015:14:27:42 -0700] conn=67 op=1 SRCH
>> base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>> scope=2 filter="(objectClass=*)" attrs=ALL
>> [13/Mar/2015:14:27:42 -0700] conn=67 op=1 RESULT err=0 tag=101
>> nentries=1 etime=0 notes=U
>> [13/Mar/2015:14:27:42 -0700] conn=67 op=2 UNBIND
>> [13/Mar/2015:14:27:42 -0700] conn=67 op=2 fd=103 closed - U1
>>
>> And target not found??? what else I might be missing ?
>>
>> Thanks!
>>
>>
>> On 2015-03-13 21:01, Noriko Hosoi wrote:
>>> On 03/13/2015 01:49 PM, g.fer.ordas at unicyber.co.uk wrote:
>>>> Hi
>>>>
>>>> Restarted... And I also have re-initiated the replica just in case....
>>>>
>>>> I can see the following:
>>>> ---
>>>> 3/Mar/2015:13:41:35 -0700] conn=34 op=329 RESULT err=0 tag=101 
>>>> nentries=1 etime=0
>>>> [13/Mar/2015:13:41:36 -0700] conn=35 fd=84 slot=84 SSL connection 
>>>> from AD.SERVER to IPA.SERVER
>>>> [13/Mar/2015:13:41:36 -0700] conn=35 SSL 128-bit AES
>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=0 BIND 
>>>> dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" 
>>>> method=128 version=3
>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97 
>>>> nentries=0 etime=0
>>> Error 32 is LDAP_NO_SUCH_OBJECT.
>>> Do you have a user
>>> "uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" in your
>>> Directory Server?
>>>
>>> On the host/VM where your Directory Server is running, please run this
>>> command line search.  Does it return the entry?
>>> ldapsearch -x -h localhost -p 389 -D 'cn=directory manager' -W -b
>>> "uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=1 SRCH 
>>>> base="cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=2 
>>>> filter="(ntUserDomainId=john.test)" attrs=ALL
>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=1 RESULT err=0 tag=101 
>>>> nentries=1 etime=0
>>>> [13/Mar/2015:13:41:36 -0700] conn=34 op=330 SRCH 
>>>> base="cn=meTohqdc1.corp.company.com,cn=replica,cn=dc\3Dcorp\2Cdc\3Dcompany\2Cdc\3Dcom,cn=mapping 
>>>> tree,cn=config" scope=0 filter="(objectClass=*)" 
>>>> attrs="nsds5replicaLastInitStart nsds5replicaUpdateInProgress 
>>>> nsds5replicaLastInitStatus cn nsds5BeginReplicaRefresh 
>>>> nsds5replicaLastInitEnd"
>>>> [13/Mar/2015:13:41:36 -0700] conn=34 op=330 RESULT err=0 tag=101 
>>>> nentries=1 etime=0
>>>> [13/Mar/2015:13:41:36 -0700] conn=36 fd=101 slot=101 SSL connection 
>>>> from AD.SERVER to IPA.SERVER
>>>> [13/Mar/2015:13:41:36 -0700] conn=36 SSL 128-bit AES
>>>> [13/Mar/2015:13:41:36 -0700] conn=36 op=0 BIND 
>>>> dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com" 
>>>> method=128 version=3
>>>> [13/Mar/2015:13:41:36 -0700] conn=36 op=0 RESULT err=48 tag=97 
>>>> nentries=0 etime=0
>>>> [13/Mar/2015:13:41:36 -0700] conn=36 op=1 UNBIND
>>>> [13/Mar/2015:13:41:36 -0700] conn=36 op=1 fd=101 closed - U1
>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=2 MOD 
>>>> dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=2 RESULT err=50 tag=103 
>>>> nentries=0 etime=0
>>> Since the above bind failed, your PassSync has no right to update the
>>> password on the Directory Server and the modify attempt failed with
>>> LDAP_INSUFFICIENT_ACCESS.
>>>
>>> Thanks,
>>> --noriko
>>>> [13/Mar/2015:13:41:37 -0700] conn=35 op=3 UNBIND
>>>> [13/Mar/2015:13:41:37 -0700] conn=35 op=3 fd=84 closed - U1
>>>>
>>>> -- 
>>>>
>>>> Note there are 2 errors there:
>>>> dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" 
>>>> method=128 version=3
>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97 
>>>> nentries=0 etime=0
>>>> dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com" 
>>>> method=128 version=3
>>>>
>>>>  ipa user-show John.Test
>>>>
>>>>   User login: john.test
>>>>
>>>>   First name: John
>>>>
>>>>   Last name: Test
>>>>
>>>>   Home directory: /home/john.test
>>>>
>>>>   Login shell: /bin/bash
>>>>
>>>>   UID: 1481000790
>>>>
>>>>   GID: 1481000790
>>>>
>>>>   Account disabled: False
>>>>
>>>>   Password: False
>>>>
>>>>   Kerberos keys available: False
>>>>
>>>>
>>>>   the password is still set as False
>>>> The PassSync Tool got defined as base search:
>>>>
>>>> cn=users,cn=accounts,dc=corp,dc=company,dc=com .. Which should be 
>>>> all right
>>>>
>>>> Thanks for all your help!
>>>>
>
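A small log-triage helper added here for readers of this thread (it is not part of the thread, of FreeIPA or of PassSync): it pairs each BIND and MOD in a 389 Directory Server access log with the RESULT line carrying the same conn/op, names the LDAP result codes seen above (32, 48, 50), and flags a PassSync bind DN that is not under the cn=sysaccounts,cn=etc container the documentation describes. The sample log lines are constructed from the excerpts quoted in the thread.

```python
import re

# Constructed sample lines, modelled on the 389 DS access log excerpts in the thread.
SAMPLE_LOG = """\
[13/Mar/2015:13:41:36 -0700] conn=35 fd=84 slot=84 SSL connection from AD.SERVER to IPA.SERVER
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 BIND dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 MOD dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 RESULT err=50 tag=103 nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 BIND dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[13/Mar/2015:14:27:42 -0700] conn=67 op=0 BIND dn="cn=directory manager" method=128 version=3
[13/Mar/2015:14:27:42 -0700] conn=67 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
"""

# LDAP result codes that show up in this thread (RFC 4511 names).
LDAP_ERR = {0: "SUCCESS", 32: "NO_SUCH_OBJECT", 48: "INAPPROPRIATE_AUTH", 49: "INVALID_CREDENTIALS", 50: "INSUFFICIENT_ACCESS"}
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|MOD|SRCH|UNBIND|RESULT)(.*)')
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r'err=(\d+)')

def failed_ops(log_text):
    """Pair each BIND/MOD with the RESULT carrying the same conn/op; return the failures in log order."""
    pending = {}   # (conn, op) -> (kind, dn) still waiting for its RESULT line
    failures = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue           # connection open/close lines carry no op= field
        conn, op, kind, rest = m.groups()
        key = (conn, op)
        if kind in ("BIND", "MOD"):
            dn = DN_RE.search(rest)
            pending[key] = (kind, dn.group(1) if dn else "")
        elif kind == "RESULT" and key in pending:
            kind0, dn = pending.pop(key)
            err = int(ERR_RE.search(rest).group(1))
            if err != 0:
                failures.append({"conn": conn, "op": kind0, "dn": dn,
                                 "err": err, "name": LDAP_ERR.get(err, "UNKNOWN")})
    return failures

def bind_dn_hint(dn):
    """Flag a PassSync bind DN that is not the sysaccount the FreeIPA documentation describes."""
    d = dn.lower()
    if d.startswith("uid=passsync,") and "cn=sysaccounts,cn=etc," not in d:
        return ("PassSync binds as %s, but FreeIPA creates the sync account at "
                "uid=passsync,cn=sysaccounts,cn=etc,<suffix>" % dn)
    return None
```

Run it over a real access log by replacing SAMPLE_LOG with the file contents; a BIND that fails with err=32 followed by a MOD failing with err=50 on the same conn is exactly the pattern discussed above.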
