<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 05/16/2012 06:04 PM, Kline, Sara wrote:
<blockquote
cite="mid:C0C9408742654B429ECD3D1FF11A118D16EB7AB826@TNS-MAIL-NA1.win2k.corp.tnsi.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">I found the
issue, it had to do with what Windows set the cn to, as
opposed to what I thought the CN was. Once I figured out
where that was set I was able to fix it. CNs for us are
usually the user id so that was where the disconnect was.
Once I fixed that issue, however, I got another error. I am
logged in as root on the FreeIPA server. When I run the
ipa-replica-manage command I get:</span></p>
<pre>Added CA certificate /etc/openldap/cacerts/winadcert.cer to certificate database for oly-infra-ldap1.prod.tnsi.com
INFO:root:AD Suffix is: DC=prod,DC=example,DC=com
Insufficient access</pre>
<p class="MsoNormal"><span style="color:#1F497D">I am
not sure I understand why this is not working.</span></p>
</div>
</blockquote>
<br>
You have to set permissions for your AD user in order to use the
DirSync control.<br>
See <a class="moz-txt-link-freetext" href="http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx">http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx</a><br>
<br>
<blockquote type="cite">
<p>To use the DirSync control, caller must have the "directory get
changes" right assigned on the root of the partition being
monitored. By default, this right is assigned to the
Administrator and LocalSystem accounts on domain controllers.
The caller must also have the <a
href="http://msdn.microsoft.com/en-us/library/ms684354%28v=vs.85%29.aspx"><strong
xmlns="http://www.w3.org/1999/xhtml">DS-Replication-Get-Changes</strong></a>
extended control access right. For more information about
implementing a change-tracking mechanism for applications that
must run under an account that does not have this right, see <a
href="http://msdn.microsoft.com/en-us/library/ms677627%28v=vs.85%29.aspx">Polling
for Changes Using USNChanged</a>. For more information about
privileges, see <a
href="http://msdn.microsoft.com/en-us/library/aa379306%28v=vs.85%29.aspx">Privileges</a>.</p>
</blockquote>
<br>
<blockquote
cite="mid:C0C9408742654B429ECD3D1FF11A118D16EB7AB826@TNS-MAIL-NA1.win2k.corp.tnsi.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Colonna
MT";color:#1F497D">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Colonna
MT";color:#1F497D">Sara Kline<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
Rich Megginson [<a class="moz-txt-link-freetext" href="mailto:rmeggins@redhat.com">mailto:rmeggins@redhat.com</a>]
<br>
<b>Sent:</b> Wednesday, May 16, 2012 4:12 PM<br>
<b>To:</b> Kline, Sara<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a><br>
<b>Subject:</b> Re: [Freeipa-users] Problems replicating
with Windows 2008 AD<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">On 05/16/2012 04:33 PM, Kline, Sara wrote:
<o:p></o:p></p>
<p class="MsoNormal">Hey all,<o:p></o:p></p>
<p class="MsoNormal">FreeIPA has been very simple to set up so
far, I have been able to follow along with the documentation
every step of the way. I am running into an issue however when
trying to set up replication between the Red Hat 6.2 server
running FreeIPA and the Win 2008 R2 server running Active
Directory. I created the replication user like the
instructions say and gave it the necessary permissions,
however when I try to set up the agreement, it tells me I am
using invalid credentials. I am unsure of what I should do at
this point. SSL Certs are installed on both and trusted on
both, the servers are connected and both are synced to the
same time source. Can anyone think of anything else?</p>
<p class="MsoNormal">I am using the command as follows:<o:p></o:p></p>
<pre>ipa-replica-manage connect --winsync \
    --binddn cn=freeipa,cn=users,dc=prod,dc=example,dc=com \
    --bindpw mypassword \
    --passsync mypassword \
    --cacert /etc/openldap/cacerts/winadcert.cer \
    oly-infra-ldap2.prod.example.com</pre>
<p class="MsoNormal">You can use ldapsearch to test the connection with AD:</p>
<pre>LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL \
    -H ldap://oly-infra-ldap2.prod.example.com -ZZ \
    -D "cn=freeipa,cn=users,dc=prod,dc=example,dc=com" -w mypassword \
    -s base -b "" 'objectclass=*' namingcontexts</pre>
<p class="MsoNormal">This assumes<br>
1) oly-infra-ldap2.prod.example.com is the correct FQDN of your AD machine<br>
2) cn=freeipa,cn=users,dc=prod,dc=example,dc=com is a valid AD user in AD<br>
3) mypassword is the correct password and doesn't need to be quoted for the shell</p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:"Colonna MT"">Sara
Kline</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:"Colonna MT"">System
Administrator</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:"Colonna MT"">Transaction
Network Services, Inc</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:"Colonna MT"">4501
Intelco Loop, Lacey WA 98503</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:"Colonna MT"">Wk:
(360) 493-6736</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:14.0pt;font-family:"Colonna MT"">Cell:
(360) 280-2495</span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><o:p> </o:p></span></p>
<div class="MsoNormal" style="text-align:center" align="center"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif"">
<hr align="center" size="2" width="100%">
</span></div>
<p class="MsoNormal"><span
style="font-size:7.5pt;font-family:"Arial","sans-serif";color:gray">This
e-mail message is for the sole use of the intended
recipient(s) and may<br>
contain confidential and privileged information of
Transaction Network Services.<br>
Any unauthorised review, use, disclosure or distribution is
prohibited. If you<br>
are not the intended recipient, please contact the sender by
reply e-mail and destroy all copies of the original message.<br>
<br>
</span><span style="font-size:12.0pt;font-family:"Times
New Roman","serif""><br>
<br>
<br>
<o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Freeipa-users mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><o:p></o:p></pre>
<p class="MsoNormal"><span
style="font-size:12.0pt;font-family:"Times New
Roman","serif""><o:p> </o:p></span></p>
</div>
<br>
</blockquote>
<br>
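<p>Checking, and if missing granting, the "directory get changes" right on the AD side, as an added example that is not from this thread or from FreeIPA: it assumes the RSAT ActiveDirectory module on a domain-joined Windows host, a Domain Admin session, and that PROD\freeipa is the sync account and DC=prod,DC=example,DC=com the partition named above (both placeholders taken from the thread).</p>

```powershell
# Added example, not from the thread: verify that the winsync bind account
# holds the DS-Replication-Get-Changes extended right on the domain root
# and grant exactly that right if it is missing (RSAT module, Domain Admin).
Import-Module ActiveDirectory

$BindAccount   = 'PROD\freeipa'                  # assumption: cn=freeipa from the thread
$PartitionRoot = 'DC=prod,DC=example,DC=com'     # "AD Suffix" printed by ipa-replica-manage
# Well-known rightsGuid of DS-Replication-Get-Changes. Only this right is needed for
# the DirSync control; do NOT also grant Get-Changes-All, which exposes secret attributes.
$GetChangesGuid = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Get-AccountSid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function Test-GetChangesRight([string]$Account, [string]$Root) {
    $sid = (Get-AccountSid $Account).Value
    $acl = Get-Acl -Path "AD:\$Root"
    # Look for an Allow ACE granted directly to this SID for exactly this
    # extended right (grants inherited through group membership are not resolved).
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $GetChangesGuid
    }
    return [bool]$match
}

function Grant-GetChangesRight([string]$Account, [string]$Root) {
    $acl = Get-Acl -Path "AD:\$Root"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (Get-AccountSid $Account),
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $GetChangesGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Root" -AclObject $acl
}

if (Test-GetChangesRight $BindAccount $PartitionRoot) {
    "$BindAccount already holds DS-Replication-Get-Changes on $PartitionRoot"
} else {
    Grant-GetChangesRight $BindAccount $PartitionRoot
    "Granted DS-Replication-Get-Changes to $BindAccount on $PartitionRoot"
}
```

After the grant, rerunning the ldapsearch and ipa-replica-manage commands from the thread should no longer return "Insufficient access" for the DirSync request.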
</body>
</html>