[Freeipa-users] Fwd: Re: AD --> FreeIPA Password Sync --- Peer reports incompatible or unsupported protocol
Gonzalo Fernandez Ordas
g.fer.ordas at unicyber.co.uk
Thu Mar 19 09:10:14 UTC 2015
Hi
I have completely changed the scenario and I managed to install
freeipa-server 4.1 (somebody published the right repo for CentOS and it
worked really well)
--Let me double check a couple of things. You wrote you installed
PassSync on Windows 2013 (which could be a typo?) We support Windows
Server 2008 R2 and 2012 R2. We also confirmed it works on Windows
Server 2003 R2.
Yes, sorry, that was a typo.
So, starting again from scratch, new machine, the whole installation
process went well, no issues there, but:
* FreeIPA is supposed to generate a PassSync user by running
ipa-replica-manage --winsync --passsync=PASSSYNC_PWD. (See also man
ipa-replica-manage).
I tried 5 times; the user was never created on the IPA server, so I had to
create it manually (I gave it admin permissions so it could
create/delete/update users).
Doing that, the password sync worked all right. We submitted a password
reset in AD and it propagated all right; tested and it worked fine.
* In one scenario I uninstalled FreeIPA (still kept the packages),
installed it again and something went wrong with the Kerberos keys.
After creating the AD --> LDAP certs and successfully syncing the
passwords, I could read in /var/log/messages a password decryption
issue (Kerberos related) every time I tried to log in as any user.
I have tried uninstalling FreeIPA and also removing the
product completely and re-installing. It did not matter if I tried to
rebuild the Kerberos keys, the issue was always there, so I had to
start afresh with a new box.
So... that has been all so far.
Thanks
Gonzalo
On 16/03/2015 20:05, Noriko Hosoi wrote:
> Hello, Gonzalo,
>
> Any progress on your Password Synchronization?
>
> Let me double check a couple of things. You wrote you installed
> PassSync on Windows 2013 (which could be a typo?) We support Windows
> Server 2008 R2 and 2012 R2. We also confirmed it works on Windows
> Server 2003 R2.
> > On 03/13/2015 12:45 PM,g.fer.ordas at unicyber.co.uk wrote:
> >> I got the Password Sync Tool installed in the Windows2013 box
> You can find the doc on PassSync here.
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#windows-pass-sync
> The doc is on PassSync 1.1.5, but 1.1.6 remains intact except the
> default SSL version to connect to the 389 Directory Server (as we
> discussed before).
>
> We had a discussion regarding the PassSync user you had to create:
> uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
> FreeIPA is supposed to generate a PassSync user by running
> ipa-replica-manage --winsync --passsync=PASSSYNC_PWD. (See also
> man ipa-replica-manage).
> > there must some problem as FreeIPA
> > creates own Passsync user in "cn=sysaccounts,cn=etc,<SUFFIX>" also sets it's DN
> > as passSyncManagersDNs in ipa_pwd_extop plugin to avoid it creating expired
> > passwords. So there is no need to create
> > "uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" manually.
> Please see the above doc regarding the user creation.
>
> * The username of the system user which Active Directory uses to
>   connect to the IdM machine. This account is configured
>   automatically when sync is configured on the IdM server. The
>   default account is
>   uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com.
> * The password set in the --passsync option when the sync
>   agreement was created.
>
> I'm sending this response to freeipa-users to share the info and
> request for more suggestions.
>
> Thanks,
> --noriko
>
> On 03/13/2015 02:48 PM, g.fer.ordas at unicyber.co.uk wrote:
>> I forgot to attach the search command now:
>> # passsync, users, accounts, corp.company.com
>> dn: uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
>> cn: passsync
>> displayName: passsync
>> krbLastFailedAuth: 20150313211546Z
>> krbLoginFailedCount: 1
>> krbExtraData:: AALUUQNVcm9vdC9hZG1pbkBDT1JQLkhPT1RTVUlURU1FRElBLkNPTQA=
>> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=corp,dc=company,dc=com
>> krbLastPwdChange: 20150313210836Z
>> krbPasswordExpiration: 20150611210836Z
>> mepManagedEntry: cn=passsync,cn=groups,cn=accounts,dc=corp,dc=company,d
>> c=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalperson
>> objectClass: inetorgperson
>> objectClass: inetuser
>> objectClass: posixaccount
>> objectClass: krbprincipalaux
>> objectClass: krbticketpolicyaux
>> objectClass: ipaobject
>> objectClass: ipasshuser
>> objectClass: ipaSshGroupOfPubKeys
>> objectClass: mepOriginEntry
>> loginShell: /bin/bash
>> gecos: pass sync
>> sn: sync
>> homeDirectory: /home/passsync
>> uid: passsync
>> mail: passsync at corp.company.com
>> krbPrincipalName: passsync at CORP.company.COM
>> givenName: pass
>> initials: ps
>> userPassword:: zxxxxxxxx=
>> =
>> ipaUniqueID: 1d76b14a-c9c5-11e4-93f4-12d2e19d1e3c
>> uidNumber: 1481000829
>> gidNumber: 1481000829
>> krbPrincipalKey:: dfrerererer
>>
>> # search result
>> search: 2
>>
>>
>> On 2015-03-13 21:39, g.fer.ordas at unicyber.co.uk wrote:
>>> Hi
>>>
>>> I had to manually create the user!! For some reason I thought the sync
>>> Agreement task was also creating that entry for the DS!
>>>
>>> So now I got:
>>>
>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=4 SRCH
>>> base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>> scope=0 filter="(objectClass=*)" attrs="telephoneNumber uid title
>>> loginShell uidNumber gidNumber sn homeDirectory mail ou givenName
>>> nsAccountLock"
>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=4 RESULT err=0 tag=101
>>> nentries=1 etime=0
>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=5 SRCH
>>> base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>> scope=0 filter="(userPassword=*)" attrs="userPassword"
>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=5 RESULT err=0 tag=101
>>> nentries=1 etime=0
>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=6 SRCH
>>> base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>> scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=6 RESULT err=0 tag=101
>>> nentries=1 etime=0
>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=7 SRCH
>>> base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>> scope=0 filter="(objectClass=*)" attrs="ipaSshPubKey"
>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=7 RESULT err=0 tag=101
>>> nentries=1 etime=0
>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=8 UNBIND
>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=8 fd=103 closed - U1
>>> [13/Mar/2015:14:27:33 -0700] conn=48 op=20 RESULT err=0 tag=101
>>> nentries=828 etime=90 notes=U
>>> [13/Mar/2015:14:27:33 -0700] conn=48 op=21 ABANDON targetop=NOTFOUND
>>> msgid=16
>>> [13/Mar/2015:14:27:33 -0700] conn=48 op=22 SRCH
>>> base="cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=0
>>> filter="(objectClass=*)" attrs="* aci"
>>> [13/Mar/2015:14:27:33 -0700] conn=48 op=22 RESULT err=0 tag=101
>>> nentries=1 etime=0
>>> [13/Mar/2015:14:27:33 -0700] conn=48 op=23 ABANDON targetop=NOTFOUND
>>> msgid=18
>>> [13/Mar/2015:14:27:42 -0700] conn=67 fd=103 slot=103 connection from
>>> ::1 to ::1
>>> [13/Mar/2015:14:27:42 -0700] conn=67 op=0 BIND dn="cn=directory
>>> manager" method=128 version=3
>>> [13/Mar/2015:14:27:42 -0700] conn=67 op=0 RESULT err=0 tag=97
>>> nentries=0 etime=0 dn="cn=directory manager"
>>> [13/Mar/2015:14:27:42 -0700] conn=67 op=1 SRCH
>>> base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>> scope=2 filter="(objectClass=*)" attrs=ALL
>>> [13/Mar/2015:14:27:42 -0700] conn=67 op=1 RESULT err=0 tag=101
>>> nentries=1 etime=0 notes=U
>>> [13/Mar/2015:14:27:42 -0700] conn=67 op=2 UNBIND
>>> [13/Mar/2015:14:27:42 -0700] conn=67 op=2 fd=103 closed - U1
>>>
>>> And target not found??? What else might I be missing?
>>>
>>> Thanks!
>>>
>>>
>>> On 2015-03-13 21:01, Noriko Hosoi wrote:
>>>> On 03/13/2015 01:49 PM, g.fer.ordas at unicyber.co.uk wrote:
>>>>> Hi
>>>>>
>>>>> Restarted... And I also have re-initiated the replica just in
>>>>> case....
>>>>>
>>>>> I can see the following:
>>>>> ---
>>>>> 3/Mar/2015:13:41:35 -0700] conn=34 op=329 RESULT err=0 tag=101
>>>>> nentries=1 etime=0
>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 fd=84 slot=84 SSL connection
>>>>> from AD.SERVER to IPA.SERVER
>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 SSL 128-bit AES
>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=0 BIND
>>>>> dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>>>> method=128 version=3
>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97
>>>>> nentries=0 etime=0
>>>> Error 32 is LDAP_NO_SUCH_OBJECT.
>>>> Do you have a user
>>>> "uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" in your
>>>> Directory Server?
>>>>
>>>> On the host/VM where your Directory Server is running, please run this
>>>> command line search. Does it return the entry?
>>>> ldapsearch -x -h localhost -p 389 -D 'cn=directory manager' -W -b
>>>> "uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=1 SRCH
>>>>> base="cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=2
>>>>> filter="(ntUserDomainId=john.test)" attrs=ALL
>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=1 RESULT err=0 tag=101
>>>>> nentries=1 etime=0
>>>>> [13/Mar/2015:13:41:36 -0700] conn=34 op=330 SRCH
>>>>> base="cn=meTohqdc1.corp.company.com,cn=replica,cn=dc\3Dcorp\2Cdc\3Dcompany\2Cdc\3Dcom,cn=mapping
>>>>> tree,cn=config" scope=0 filter="(objectClass=*)"
>>>>> attrs="nsds5replicaLastInitStart nsds5replicaUpdateInProgress
>>>>> nsds5replicaLastInitStatus cn nsds5BeginReplicaRefresh
>>>>> nsds5replicaLastInitEnd"
>>>>> [13/Mar/2015:13:41:36 -0700] conn=34 op=330 RESULT err=0 tag=101
>>>>> nentries=1 etime=0
>>>>> [13/Mar/2015:13:41:36 -0700] conn=36 fd=101 slot=101 SSL
>>>>> connection from AD.SERVER to IPA.SERVER
>>>>> [13/Mar/2015:13:41:36 -0700] conn=36 SSL 128-bit AES
>>>>> [13/Mar/2015:13:41:36 -0700] conn=36 op=0 BIND
>>>>> dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>>>> method=128 version=3
>>>>> [13/Mar/2015:13:41:36 -0700] conn=36 op=0 RESULT err=48 tag=97
>>>>> nentries=0 etime=0
>>>>> [13/Mar/2015:13:41:36 -0700] conn=36 op=1 UNBIND
>>>>> [13/Mar/2015:13:41:36 -0700] conn=36 op=1 fd=101 closed - U1
>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=2 MOD
>>>>> dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=2 RESULT err=50 tag=103
>>>>> nentries=0 etime=0
>>>> Since the above bind failed, your PassSync has no right to update the
>>>> password on the Directory Server and the modify attempt failed with
>>>> LDAP_INSUFFICIENT_ACCESS.
>>>>
>>>> Thanks,
>>>> --noriko
>>>>> [13/Mar/2015:13:41:37 -0700] conn=35 op=3 UNBIND
>>>>> [13/Mar/2015:13:41:37 -0700] conn=35 op=3 fd=84 closed - U1
>>>>>
>>>>> --
>>>>>
>>>>> Note there are 2 errors there:
>>>>> dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>>>> method=128 version=3
>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97
>>>>> nentries=0 etime=0
>>>>> dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>>>> method=128 version=3
>>>>>
>>>>> ipa user-show John.Test
>>>>>
>>>>> User login: john.test
>>>>>
>>>>> First name: John
>>>>>
>>>>> Last name: Test
>>>>>
>>>>> Home directory: /home/john.test
>>>>>
>>>>> Login shell: /bin/bash
>>>>>
>>>>> UID: 1481000790
>>>>>
>>>>> GID: 1481000790
>>>>>
>>>>> Account disabled: False
>>>>>
>>>>> Password: False
>>>>>
>>>>> Kerberos keys available: False
>>>>>
>>>>>
>>>>> the password is still set as False
>>>>> The PassSync Tool got defined as base search:
>>>>>
>>>>> cn=users,cn=accounts,dc=corp,dc=company,dc=com .. Which should be
>>>>> all right
>>>>>
>>>>> Thanks for all your help!
>>>>>
>>
>
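The access-log reading Noriko walks through above (BIND err=32 on the passsync DN, then MOD err=50 on the same connection) can be automated so the failure is caught at the Directory Server rather than discovered in AD. The following is an added example, not code from the thread or from FreeIPA/389-ds: it parses 389-ds access-log lines, correlates each RESULT with its BIND or MOD request by (conn, op), and flags failed binds plus any modify attempted on a connection whose bind never succeeded. The sample lines are constructed, modelled on the excerpt quoted in the thread.

```python
import re

# LDAP resultCode names (RFC 4511) for the codes seen in the thread.
LDAP_RESULT = {0: "success", 32: "noSuchObject", 48: "inappropriateAuthentication",
               49: "invalidCredentials", 50: "insufficientAccessRights"}

# 389-ds access-log fields; each record is one line in the real log.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
REQ_RE = re.compile(r'op=(?P<op>\d+) (?P<kind>BIND|MOD) dn="(?P<dn>[^"]*)"')
RES_RE = re.compile(r'op=(?P<op>\d+) RESULT err=(?P<err>\d+)')


def audit_passsync(lines):
    """Flag failed BINDs and any MOD that failed or ran on a conn whose BIND failed."""
    pending = {}        # (conn, op) -> (kind, dn) of a request awaiting its RESULT
    authenticated = {}  # conn -> True if the most recent BIND on it succeeded
    findings = []       # (conn, kind, dn, err, name)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        req = REQ_RE.search(rest)
        if req:
            pending[(conn, req.group("op"))] = (req.group("kind"), req.group("dn"))
            continue
        res = RES_RE.search(rest)
        if not res or (conn, res.group("op")) not in pending:
            continue
        kind, dn = pending.pop((conn, res.group("op")))
        err = int(res.group("err"))
        name = LDAP_RESULT.get(err, "err%d" % err)
        if kind == "BIND":
            authenticated[conn] = err == 0
            if err != 0:
                findings.append((conn, kind, dn, err, name))
        elif err != 0 or not authenticated.get(conn, False):
            findings.append((conn, kind, dn, err, name))
    return findings


# Constructed sample modelled on the access-log excerpt quoted in the thread.
SAMPLE = """\
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 BIND dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 BIND dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 MOD dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 RESULT err=50 tag=103 nentries=0 etime=0
""".splitlines()
```

Running audit_passsync(SAMPLE) yields three findings: the passsync BIND with noSuchObject, the john.test BIND with inappropriateAuthentication, and the MOD with insufficientAccessRights on the connection whose bind failed.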