[Freeipa-users] Need help with AD 2012 and FreeIPA 4.2 sync

Csaba Patyi csaba at jighi.com
Fri Mar 4 17:16:38 UTC 2016


Hi Everybody,

We are trying to create a sync between Windows 2012 R2 AD and FreeIPA 4.2.0
(CentOS 7) and we ran into an issue.

We are following this documentation:
https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/active-directory.html

I know it is a little bit old and now the preferred method is trust and not
sync. But if my understanding is correct, in trust you have to use 2
different domains like company.net <--> company.com and it cannot be used as
company.com <--> company.com.

So anyway we are struggling with the full sync. Currently username sync is
working, but their passwords are not.

Replication was specified:
ipa-replica-manage connect --winsync --binddn cn=Syncadmin,cn=users,dc=company,dc=com --bindpw ad_password --passsync syncpassword --cacert /etc/openldap/certs/company.cer companypdc.company.com


On Windows we installed and configured 389-PassSync-1.1.5-x86_64, and it
was configured as follows:

Hostname: name_of_centos_server
Password: syncpassword
Password field: userpassword
Port Number: 636
Search base: cn=users,cn=compat,dc=company,dc=com
User Name: uid/passync,cn=sysaccounts,cn=etc,dc=company,dc=com
User Name Field: ntuserdomainid


Log from password sync on Windows:
03/04/16 16:45:07: Attempting to sync password for test.user
03/04/16 16:45:07: Searching for (ntuserdomainid=test.user)
03/04/16 16:45:07: There are no entries that match: test.user
03/04/16 16:45:07: Deferring password change for test.user
03/04/16 16:45:07: Backing off for 1024000ms


Trying the user on CentOS:
kinit test.user -V
Using new cache: persistent:0:krb_ccache_wyIa8Nj
Using principal: test.user@COMPANY.COM
kinit: Generic preauthentication failure while getting initial credentials

Log from /var/log/dirsrv/slapd-COMPANY-COM/access:

[04/Mar/2016:17:10:08 +0000] conn=4 op=677 SRCH base="dc=jighi,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=test.user@JIGHI.COM))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[04/Mar/2016:17:10:08 +0000] conn=4 op=677 RESULT err=0 tag=101 nentries=1 etime=0
[04/Mar/2016:17:10:08 +0000] conn=4 op=678 SRCH base="cn=JIGHI.COM,cn=kerberos,dc=jighi,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[04/Mar/2016:17:10:08 +0000] conn=4 op=678 RESULT err=0 tag=101 nentries=1 etime=0

Can somebody help with what we are missing?

Regards,
Csaba Patyi
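As an added example (not part of the post, and not code from 389-PassSync or FreeIPA), here is a small Python parser over constructed log lines in the format the post quotes from the Windows PassSync agent. It reports, per user, how many sync attempts ended in "no entries match" and were deferred, and lists users whose AD password change never reached IPA at all, which is the condition worth monitoring since those accounts keep an IPA password that differs from the one set in AD. The sample lines, the second user and the assumption that a successful attempt logs no "Deferring" line are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the line format 389-PassSync writes on the Windows
# side (same shape as the post's log); the second user is assumed to have
# synced without a deferral, so it has no "Deferring" line.
SAMPLE_LOG = """\
03/04/16 16:45:07: Attempting to sync password for test.user
03/04/16 16:45:07: Searching for (ntuserdomainid=test.user)
03/04/16 16:45:07: There are no entries that match: test.user
03/04/16 16:45:07: Deferring password change for test.user
03/04/16 16:45:07: Backing off for 1024000ms
03/04/16 16:46:10: Attempting to sync password for jane.doe
03/04/16 16:46:10: Searching for (ntuserdomainid=jane.doe)
"""

LINE_RE = re.compile(r"^\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}: (.*)$")
ATTEMPT_RE = re.compile(r"^Attempting to sync password for (\S+)$")
NOMATCH_RE = re.compile(r"^There are no entries that match: (\S+)$")
DEFER_RE = re.compile(r"^Deferring password change for (\S+)$")
BACKOFF_RE = re.compile(r"^Backing off for (\d+)ms$")

def summarize_passsync_log(text):
    """Per user: attempts, searches that matched nothing, deferrals, last backoff (ms)."""
    stats = defaultdict(lambda: {"attempts": 0, "no_match": 0, "deferred": 0, "backoff_ms": 0})
    current = None  # user named by the most recent "Attempting ..." line
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip anything that is not a timestamped PassSync line
        msg = m.group(1)
        if (a := ATTEMPT_RE.match(msg)):
            current = a.group(1)
            stats[current]["attempts"] += 1
        elif (n := NOMATCH_RE.match(msg)):
            stats[n.group(1)]["no_match"] += 1
        elif (d := DEFER_RE.match(msg)):
            stats[d.group(1)]["deferred"] += 1
        elif (b := BACKOFF_RE.match(msg)) and current:
            stats[current]["backoff_ms"] = int(b.group(1))  # backoff line names no user
    return dict(stats)

def stuck_users(stats):
    """Users whose every attempt was deferred: the AD password never reached IPA."""
    return sorted(u for u, s in stats.items()
                  if s["attempts"] and s["deferred"] == s["attempts"])
```

Feed it the agent's real log file instead of SAMPLE_LOG to get the same summary for a live deployment.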