[Freeipa-users] Fwd: Re: AD --> FreeIPA Password Sync --- Peer reports incompatible or unsupported protocol

Dmitri Pal dpal at redhat.com
Thu Mar 19 18:39:45 UTC 2015


On 03/19/2015 05:10 AM, Gonzalo Fernandez Ordas wrote:
> Hi
>
> I have completely changed the scenario and I managed to install 
> freeipa-server 4.1 (somebody published the right repo for CentOS and it 
> worked really well)
>
> --Let me double check a couple of things.  You wrote you installed 
> PassSync on Windows 2013 (which could be a typo?)  We support Windows 
> Server 2008 R2 and 2012 R2.  We also confirmed it works on Windows 
> Server 2003 R2.
>
> Yes, sorry, that was a typo.
>
> So, starting again from scratch, new machine, the whole installation 
> process went well, no issues there, but:
>
> * FreeIPA is supposed to generate a PassSync user by running 
> ipa-replica-manage --winsync --passsync=PASSSYNC_PWD. (See also 
> man ipa-replica-manage).
>
> I tried 5 times, the user was never created on the ipa server, I had 
> to create it manually (I gave it admin permissions so it could 
> create/delete/update users).
> Doing that, the password sync worked all right. We submitted a password 
> reset in AD and that propagated all right; tested and it worked fine.
> * In one scenario I uninstalled freeipa (still kept the packages), 
> installed again and something went wrong with the kerberos keys.
> After creating the AD --> LDAP certs and successfully syncing the 
> passwords, I could read in /var/log/messages a password decryption 
> issue (Kerberos related) every time I tried to log in as any user.
> I have tried uninstalling freeipa and also removing the 
> product completely and re-installing. It did not matter whether I tried to 
> rebuild the Kerberos keys, the issue was always there, so I had to 
> start afresh with a new box.
>

Something is really messed up with the system.
Do you have some kind of backup and restore running in the background?
It seems that for some reason a kerberos (probably master) key was 
rewritten in some way.


> So.. that has been all so far
>
> Thanks
>
> Gonzalo
>
>
> On 16/03/2015 20:05, Noriko Hosoi wrote:
>> Hello, Gonzalo,
>>
>> Any progress on your Password Synchronization?
>>
>> Let me double check a couple of things.  You wrote you installed 
>> PassSync on Windows 2013 (which could be a typo?) We support Windows 
>> Server 2008 R2 and 2012 R2.  We also confirmed it works on Windows 
>> Server 2003 R2.
>> > On 03/13/2015 12:45 PM, g.fer.ordas at unicyber.co.uk wrote:
>> >> I got the Password Sync Tool installed in the Windows 2013 box
>> You can find the doc on PassSync here.
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#windows-pass-sync
>> The doc is on PassSync 1.1.5, but 1.1.6 remains intact except the 
>> default SSL version to connect to the 389 Directory Server (as we 
>> discussed before).
>>
>> We had a discussion regarding the PassSync user you had to create:
>> uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
>> FreeIPA is supposed to generate a PassSync user by running 
>> ipa-replica-manage --winsync --passsync=PASSSYNC_PWD. (See also 
>> man ipa-replica-manage).
>> > there must be some problem as FreeIPA
>> > creates its own PassSync user in "cn=sysaccounts,cn=etc,<SUFFIX>" and also sets its DN
>> > as passSyncManagersDNs in the ipa_pwd_extop plugin to avoid it creating expired
>> > passwords. So there is no need to create
>> > "uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" manually.
>> Please see the above doc regarding the user creation.
>>
>>  *
>>     The username of the system user which Active Directory uses to
>>     connect to the IdM machine. This account is configured
>>     automatically when sync is configured on the IdM server. The
>>     default account is
>>     |uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com|.
>>  *
>>     The password set in the |--passsync| option when the sync
>>     agreement was created.
>>
>> I'm sending this response to freeipa-users to share the info and 
>> request for more suggestions.
>>
>> Thanks,
>> --noriko
>>
>> On 03/13/2015 02:48 PM, g.fer.ordas at unicyber.co.uk wrote:
>>> I forgot to attach the search command now:
>>> # passsync, users, accounts, corp.company.com
>>> dn: uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
>>> cn: passsync
>>> displayName: passsync
>>> krbLastFailedAuth: 20150313211546Z
>>> krbLoginFailedCount: 1
>>> krbExtraData:: AALUUQNVcm9vdC9hZG1pbkBDT1JQLkhPT1RTVUlURU1FRElBLkNPTQA=
>>> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=corp,dc=company,dc=com
>>> krbLastPwdChange: 20150313210836Z
>>> krbPasswordExpiration: 20150611210836Z
>>> mepManagedEntry: cn=passsync,cn=groups,cn=accounts,dc=corp,dc=company,d
>>>  c=com
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalperson
>>> objectClass: inetorgperson
>>> objectClass: inetuser
>>> objectClass: posixaccount
>>> objectClass: krbprincipalaux
>>> objectClass: krbticketpolicyaux
>>> objectClass: ipaobject
>>> objectClass: ipasshuser
>>> objectClass: ipaSshGroupOfPubKeys
>>> objectClass: mepOriginEntry
>>> loginShell: /bin/bash
>>> gecos: pass sync
>>> sn: sync
>>> homeDirectory: /home/passsync
>>> uid: passsync
>>> mail: passsync at corp.company.com
>>> krbPrincipalName: passsync at CORP.company.COM
>>> givenName: pass
>>> initials: ps
>>> userPassword:: zxxxxxxxx=
>>>  =
>>> ipaUniqueID: 1d76b14a-c9c5-11e4-93f4-12d2e19d1e3c
>>> uidNumber: 1481000829
>>> gidNumber: 1481000829
>>> krbPrincipalKey:: dfrerererer
>>>
>>> # search result
>>> search: 2
>>>
>>>
>>> On 2015-03-13 21:39, g.fer.ordas at unicyber.co.uk wrote:
>>>> Hi
>>>>
>>>> I had to manually create the user!! For some reason I thought the sync
>>>> agreement task was also creating that entry in the DS!
>>>>
>>>> So now I got:
>>>>
>>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=4 SRCH
>>>> base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>>> scope=0 filter="(objectClass=*)" attrs="telephoneNumber uid title
>>>> loginShell uidNumber gidNumber sn homeDirectory mail ou givenName
>>>> nsAccountLock"
>>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=4 RESULT err=0 tag=101
>>>> nentries=1 etime=0
>>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=5 SRCH
>>>> base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>>> scope=0 filter="(userPassword=*)" attrs="userPassword"
>>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=5 RESULT err=0 tag=101
>>>> nentries=1 etime=0
>>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=6 SRCH
>>>> base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>>> scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
>>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=6 RESULT err=0 tag=101
>>>> nentries=1 etime=0
>>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=7 SRCH
>>>> base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>>> scope=0 filter="(objectClass=*)" attrs="ipaSshPubKey"
>>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=7 RESULT err=0 tag=101
>>>> nentries=1 etime=0
>>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=8 UNBIND
>>>> [13/Mar/2015:14:27:30 -0700] conn=66 op=8 fd=103 closed - U1
>>>> [13/Mar/2015:14:27:33 -0700] conn=48 op=20 RESULT err=0 tag=101
>>>> nentries=828 etime=90 notes=U
>>>> [13/Mar/2015:14:27:33 -0700] conn=48 op=21 ABANDON 
>>>> targetop=NOTFOUND msgid=16
>>>> [13/Mar/2015:14:27:33 -0700] conn=48 op=22 SRCH
>>>> base="cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=0
>>>> filter="(objectClass=*)" attrs="* aci"
>>>> [13/Mar/2015:14:27:33 -0700] conn=48 op=22 RESULT err=0 tag=101
>>>> nentries=1 etime=0
>>>> [13/Mar/2015:14:27:33 -0700] conn=48 op=23 ABANDON 
>>>> targetop=NOTFOUND msgid=18
>>>> [13/Mar/2015:14:27:42 -0700] conn=67 fd=103 slot=103 connection 
>>>> from ::1 to ::1
>>>> [13/Mar/2015:14:27:42 -0700] conn=67 op=0 BIND dn="cn=directory
>>>> manager" method=128 version=3
>>>> [13/Mar/2015:14:27:42 -0700] conn=67 op=0 RESULT err=0 tag=97
>>>> nentries=0 etime=0 dn="cn=directory manager"
>>>> [13/Mar/2015:14:27:42 -0700] conn=67 op=1 SRCH
>>>> base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>>> scope=2 filter="(objectClass=*)" attrs=ALL
>>>> [13/Mar/2015:14:27:42 -0700] conn=67 op=1 RESULT err=0 tag=101
>>>> nentries=1 etime=0 notes=U
>>>> [13/Mar/2015:14:27:42 -0700] conn=67 op=2 UNBIND
>>>> [13/Mar/2015:14:27:42 -0700] conn=67 op=2 fd=103 closed - U1
>>>>
>>>> And target not found??? What else might I be missing?
>>>>
>>>> Thanks!
>>>>
>>>>
>>>> On 2015-03-13 21:01, Noriko Hosoi wrote:
>>>>> On 03/13/2015 01:49 PM, g.fer.ordas at unicyber.co.uk wrote:
>>>>>> Hi
>>>>>>
>>>>>> Restarted... And I also have re-initiated the replica just in 
>>>>>> case....
>>>>>>
>>>>>> I can see the following:
>>>>>> ---
>>>>>> 3/Mar/2015:13:41:35 -0700] conn=34 op=329 RESULT err=0 tag=101 
>>>>>> nentries=1 etime=0
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 fd=84 slot=84 SSL connection 
>>>>>> from AD.SERVER to IPA.SERVER
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 SSL 128-bit AES
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=0 BIND 
>>>>>> dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" 
>>>>>> method=128 version=3
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97 
>>>>>> nentries=0 etime=0
>>>>> Error 32 is LDAP_NO_SUCH_OBJECT.
>>>>> Do you have a user
>>>>> "uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" in your
>>>>> Directory Server?
>>>>>
>>>>> On the host/VM where your Directory Server is running, please run 
>>>>> this
>>>>> command line search.  Does it return the entry?
>>>>> ldapsearch -x -h localhost -p 389 -D 'cn=directory manager' -W -b
>>>>> "uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=1 SRCH 
>>>>>> base="cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=2 
>>>>>> filter="(ntUserDomainId=john.test)" attrs=ALL
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=1 RESULT err=0 tag=101 
>>>>>> nentries=1 etime=0
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=34 op=330 SRCH 
>>>>>> base="cn=meTohqdc1.corp.company.com,cn=replica,cn=dc\3Dcorp\2Cdc\3Dcompany\2Cdc\3Dcom,cn=mapping 
>>>>>> tree,cn=config" scope=0 filter="(objectClass=*)" 
>>>>>> attrs="nsds5replicaLastInitStart nsds5replicaUpdateInProgress 
>>>>>> nsds5replicaLastInitStatus cn nsds5BeginReplicaRefresh 
>>>>>> nsds5replicaLastInitEnd"
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=34 op=330 RESULT err=0 tag=101 
>>>>>> nentries=1 etime=0
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=36 fd=101 slot=101 SSL 
>>>>>> connection from AD.SERVER to IPA.SERVER
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=36 SSL 128-bit AES
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=36 op=0 BIND 
>>>>>> dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com" 
>>>>>> method=128 version=3
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=36 op=0 RESULT err=48 tag=97 
>>>>>> nentries=0 etime=0
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=36 op=1 UNBIND
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=36 op=1 fd=101 closed - U1
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=2 MOD 
>>>>>> dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=2 RESULT err=50 tag=103 
>>>>>> nentries=0 etime=0
>>>>> Since the above bind failed, your PassSync has no right to update the
>>>>> password on the Directory Server and the modify attempt failed with
>>>>> LDAP_INSUFFICIENT_ACCESS.
>>>>>
>>>>> Thanks,
>>>>> --noriko
>>>>>> [13/Mar/2015:13:41:37 -0700] conn=35 op=3 UNBIND
>>>>>> [13/Mar/2015:13:41:37 -0700] conn=35 op=3 fd=84 closed - U1
>>>>>>
>>>>>> -- 
>>>>>>
>>>>>> Note there are 2 errors there:
>>>>>> dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" 
>>>>>> method=128 version=3
>>>>>> [13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97 
>>>>>> nentries=0 etime=0
>>>>>> dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com" 
>>>>>> method=128 version=3
>>>>>>
>>>>>>  ipa user-show John.Test
>>>>>>
>>>>>>   User login: john.test
>>>>>>   First name: John
>>>>>>   Last name: Test
>>>>>>   Home directory: /home/john.test
>>>>>>   Login shell: /bin/bash
>>>>>>   UID: 1481000790
>>>>>>   GID: 1481000790
>>>>>>   Account disabled: False
>>>>>>   Password: False
>>>>>>   Kerberos keys available: False
>>>>>>
>>>>>>   The password is still set as False.
>>>>>> The PassSync Tool got defined with base search:
>>>>>>
>>>>>> cn=users,cn=accounts,dc=corp,dc=company,dc=com .. Which should be 
>>>>>> all right
>>>>>>
>>>>>> Thanks for all your help!
>>>>>>
>>>
>>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
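Noriko's diagnosis above (a bind that fails with err=32, followed on the same connection by a MOD refused with err=50) is the kind of pattern worth checking for automatically. The following is an added example, not code from the thread or from FreeIPA/389-DS: it pairs each BIND and MOD request in a 389 Directory Server access log with its RESULT by conn/op, records failed binds, and ties a later err=50 modify on the same connection back to the failed bind. The log lines are constructed to mirror the ones quoted in the thread.

```python
import re

# Constructed sample, modelled on the access log excerpts quoted in this thread.
SAMPLE_LOG = """\
[13/Mar/2015:13:41:36 -0700] conn=35 fd=84 slot=84 SSL connection from AD.SERVER to IPA.SERVER
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 BIND dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 BIND dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 MOD dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 RESULT err=50 tag=103 nentries=0 etime=0
[13/Mar/2015:13:41:37 -0700] conn=35 op=3 UNBIND
[13/Mar/2015:14:27:42 -0700] conn=67 op=0 BIND dn="cn=directory manager" method=128 version=3
[13/Mar/2015:14:27:42 -0700] conn=67 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
"""

# Standard LDAP result codes seen in the thread.
LDAP_ERR = {0: "LDAP_SUCCESS", 32: "LDAP_NO_SUCH_OBJECT", 48: "LDAP_INAPPROPRIATE_AUTH",
            49: "LDAP_INVALID_CREDENTIALS", 50: "LDAP_INSUFFICIENT_ACCESS"}

OP_RE = re.compile(r'\] conn=(\d+) op=(\d+) (BIND|MOD|RESULT)\b(.*)$')
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r'\berr=(\d+)')


def analyse_access_log(text):
    """Return human-readable findings: failed binds, and MODs refused after a failed bind."""
    pending = {}      # (conn, op) -> (request kind, dn) awaiting its RESULT line
    bind_failed = {}  # conn -> (dn, err) once a bind on that connection has failed
    findings = []
    for line in text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue                      # connection open/close, SRCH, UNBIND etc. are ignored
        conn, op, kind, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
        if kind in ("BIND", "MOD"):
            dn = DN_RE.search(rest)
            pending[(conn, op)] = (kind, dn.group(1) if dn else "")
            continue
        req = pending.pop((conn, op), None)   # RESULT: match it to the request it answers
        em = ERR_RE.search(rest)
        if req is None or em is None:
            continue
        err, (req_kind, dn) = int(em.group(1)), req
        if req_kind == "BIND" and err != 0:
            bind_failed[conn] = (dn, err)
            findings.append(f"conn={conn}: bind as {dn} failed, err={err} ({LDAP_ERR.get(err, 'unknown')})")
        elif req_kind == "MOD" and err == 50 and conn in bind_failed:
            findings.append(f"conn={conn}: MOD of {dn} refused, err=50 (LDAP_INSUFFICIENT_ACCESS); "
                            f"the connection is unauthenticated because the bind as {bind_failed[conn][0]} failed")
    return findings
```

Run it over a real /var/log/dirsrv/slapd-*/access file in the same way; in the thread's case the first finding points straight at the missing passsync entry, and the err=50 finding explains why the password never reached the user.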
