On 01/31/2014 01:55 PM, Todd Maugh wrote:
[[email protected] cacerts]$
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -LLLx -ZZ
-H ldap://qatestdc2.boingoqa.local -b "cn=idm
admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm
admin,cn=users,dc=boingoqa,dc=local" -W
Enter LDAP Password:
dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: IDM ADMIN
givenName: IDMADMIN
distinguishedName: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
instanceType: 4
whenCreated: 20140128182537.0Z
whenChanged: 20140131014315.0Z
displayName: IDMADMIN
uSNCreated: 31968
memberOf: CN=Domain Controllers,CN=Users,DC=boingoqa,DC=local
memberOf: CN=Account Operators,CN=Builtin,DC=boingoqa,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=boingoqa,DC=local
uSNChanged: 38786
name: IDM ADMIN
objectGUID:: jai63JfDvUuOGcURntA7hg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130356008006093750
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA0+/GU55mz3h0hQ48RwYAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: idmadmin
sAMAccountType: 805306368
userPrincipalName: [email protected]
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=boingoqa,DC=local
dSCorePropagationData: 20140129224024.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130356060672110578
I'd like to look at the debug output, so try this:
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx
-ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm
admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm
admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn
The 389 errors log indicates "cannot connect" which usually means some
sort of SSL error. Unfortunately the logging leaves something to be
desired in the way of information necessary to diagnose and fix the problem.
If that doesn't help, let's take a look at your winsync agreement
configuration:
ldapsearch -LLLx -b "cn=config" -D "cn=directory manager" -W
'objectclass=nsdswindowsreplicationagreement' dn
------------------------------------------------------------------------
*From:* Rich Megginson [[email protected]]
*Sent:* Friday, January 31, 2014 12:39 PM
*To:* Todd Maugh; [email protected]
*Cc:* [email protected]
*Subject:* Re: [Freeipa-users] cant create winsync reolication
On 01/31/2014 12:16 PM, Todd Maugh wrote:
RE:
I am not sure I was clear. It seems that you provided the LDAP trace
for the ldapsearch commands you executed above. I was talking about
the DS level logs for the replica management agreement establishment
and the follow up replication.
here is the log tailed while I deleted the replication agreement,
restarted the dirsrv and tried to set up the replication agreement
Note that 389 does not use /etc/openldap/cacerts - it uses
/etc/dirsrv/slapd-YOUR-DOMAIN, so try this:
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -LLLx -ZZ
-H ldap://qatestdc2.boingoqa.local -b "cn=idm
admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm
admin,cn=users,dc=boingoqa,dc=local" -W
[31/Jan/2014:19:07:37 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:12 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:13 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:25 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:10:01 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:51 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:54 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:00 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:12 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:36 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:12 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:13 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:24 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:57 +0000] NSMMReplicationPlugin - agmt_delete: begin
[31/Jan/2014:19:14:09 +0000] - slapd shutting down - signaling
operation threads
[31/Jan/2014:19:14:09 +0000] - slapd shutting down - waiting for 30
threads to terminate
[31/Jan/2014:19:14:09 +0000] - slapd shutting down - closing down
internal subsystems and plugins
[31/Jan/2014:19:14:09 +0000] - Waiting for 4 database threads to stop
[31/Jan/2014:19:14:09 +0000] - All database threads now stopped
[31/Jan/2014:19:14:09 +0000] - slapd stopped.
[31/Jan/2014:19:14:12 +0000] - 389-Directory/1.2.11.15 B2013.337.1530
starting up
[31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no
entries set up under cn=computers, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no
entries set up under cn=ng, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +0000] schema-compat-plugin - warning: no
entries set up under ou=sudoers,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +0000] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which
should be added before the CoS Definition.
[31/Jan/2014:19:14:12 +0000] set_krb5_creds - Could not get initial
credentials for principal [ldap/[email protected]] in
keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see
e-text))
[31/Jan/2014:19:14:12 +0000] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which
should be added before the CoS Definition.
[31/Jan/2014:19:14:12 +0000] slapd_ldap_sasl_interactive_bind -
Error: could not perform interactive bind for id [] mech [GSSAPI]:
LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
[31/Jan/2014:19:14:12 +0000] slapi_ldap_bind - Error: could not
perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[31/Jan/2014:19:14:12 +0000] NSMMReplicationPlugin -
agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind
with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1):
generic failure: GSSAPI Error: Unspecified GSS failure. Minor code
may provide more information (Credentials cache file
'/tmp/krb5cc_495' not found))
[31/Jan/2014:19:14:12 +0000] - slapd started. Listening on All
Interfaces port 389 for LDAP requests
[31/Jan/2014:19:14:12 +0000] - Listening on All Interfaces port 636
for LDAPS requests
[31/Jan/2014:19:14:12 +0000] - Listening on
/var/run/slapd-BOINGO-COM.socket for LDAPI requests
[31/Jan/2014:19:14:16 +0000] NSMMReplicationPlugin -
agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind
with GSSAPI auth resumed
[31/Jan/2014:19:15:18 +0000] - slapd shutting down - signaling
operation threads
[31/Jan/2014:19:15:18 +0000] - slapd shutting down - waiting for 30
threads to terminate
[31/Jan/2014:19:15:18 +0000] - slapd shutting down - closing down
internal subsystems and plugins
[31/Jan/2014:19:15:18 +0000] - Waiting for 4 database threads to stop
[31/Jan/2014:19:15:18 +0000] - All database threads now stopped
[31/Jan/2014:19:15:18 +0000] - slapd stopped.
[31/Jan/2014:19:15:23 +0000] - 389-Directory/1.2.11.15 B2013.337.1530
starting up
[31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no
entries set up under cn=computers, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no
entries set up under cn=ng, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:15:23 +0000] schema-compat-plugin - warning: no
entries set up under ou=sudoers,dc=boingo,dc=com
[31/Jan/2014:19:15:23 +0000] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which
should be added before the CoS Definition.
[31/Jan/2014:19:15:23 +0000] set_krb5_creds - Could not get initial
credentials for principal [ldap/[email protected]] in
keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see
e-text))
[31/Jan/2014:19:15:23 +0000] - Skipping CoS Definition cn=Password
Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which
should be added before the CoS Definition.
[31/Jan/2014:19:15:23 +0000] slapd_ldap_sasl_interactive_bind -
Error: could not perform interactive bind for id [] mech [GSSAPI]:
LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
[31/Jan/2014:19:15:23 +0000] slapi_ldap_bind - Error: could not
perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[31/Jan/2014:19:15:23 +0000] NSMMReplicationPlugin -
agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind
with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1):
generic failure: GSSAPI Error: Unspecified GSS failure. Minor code
may provide more information (Credentials cache file
'/tmp/krb5cc_495' not found))
[31/Jan/2014:19:15:23 +0000] - slapd started. Listening on All
Interfaces port 389 for LDAP requests
[31/Jan/2014:19:15:23 +0000] - Listening on All Interfaces port 636
for LDAPS requests
[31/Jan/2014:19:15:23 +0000] - Listening on
/var/run/slapd-BOINGO-COM.socket for LDAPI requests
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin -
agmt="cn=meToqatestdc2.boingoqa.local" (qatestdc2:389): Replication
bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS
error -8179:Peer's Certificate issuer is not recognized.)
[31/Jan/2014:19:15:25 +0000] - Entry
"cn=meToqatestdc2.boingoqa.local,cn=replica,cn=dc\3Dboingo\2Cdc\3Dcom,cn=mapping
tree,cn=config" -- attribute "nsDS5ReplicatedAttributeListTotal" not
allowed
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin -
agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind
with GSSAPI auth resumed
[31/Jan/2014:19:15:27 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:27 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:28 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:30 +0000] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
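A small triage script, added here and not part of the thread, that reads a 389-ds errors log like the one quoted above and reports, per replication agreement, the latest bind state and the underlying TLS or GSSAPI cause, separating the many generic "could not send startTLS request" lines (which carry no root cause) from the NSMMReplicationPlugin line that does. The sample log is constructed from the lines quoted in the thread, re-joined onto single lines; the function names are my own.

```python
import re

# Constructed sample: four lines from the errors log quoted in the thread,
# each re-joined onto a single line as slapd writes them.
SAMPLE_LOG = """\
[31/Jan/2014:19:15:23 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[31/Jan/2014:19:15:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:15:25 +0000] NSMMReplicationPlugin - agmt="cn=meToqatestdc2.boingoqa.local" (qatestdc2:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)
[31/Jan/2014:19:15:26 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<rest>.*)$')
# Agreement bind events: name, peer host:port, auth mech, failed/resumed, optional detail.
AGMT_RE = re.compile(r'agmt="(?P<agmt>[^"]+)" \((?P<host>[^:]+):(?P<port>\d+)\): '
                     r'Replication bind with (?P<auth>\w+) auth (?P<state>failed|resumed)'
                     r'(?:: (?P<detail>.*))?')
# NSS error code and text embedded in the detail, e.g. "TLS error -8179:Peer's ..."
TLS_RE = re.compile(r'TLS error (?P<code>-?\d+):(?P<text>[^)]*)')


def parse_line(line):
    """Parse one errors-log line into an event dict, or None if it has no timestamp."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group('rest')
    a = AGMT_RE.search(rest)
    if not a:
        return {'ts': m.group('ts'), 'kind': 'other', 'text': rest}
    ev = {'ts': m.group('ts'), 'kind': 'agmt', **a.groupdict()}
    detail = ev.get('detail') or ''
    t = TLS_RE.search(detail)
    if t:  # the NSS code is the actual root cause behind "Connect error"
        ev.update(cause='tls', tls_code=int(t.group('code')), tls_text=t.group('text').strip())
    elif 'GSSAPI' in detail:
        ev['cause'] = 'gssapi'
    else:
        ev['cause'] = 'unknown' if ev['state'] == 'failed' else None
    return ev


def triage(log_text):
    """Return the latest bind event per agreement plus a count of the generic
    startTLS 'Connect error' lines, which name no peer and carry no root cause."""
    agreements, generic_starttls = {}, 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev['kind'] == 'other':
            generic_starttls += 'could not send startTLS request' in ev['text']
            continue
        agreements[ev['agmt']] = ev  # later lines overwrite earlier state
    return {'agreements': agreements, 'generic_starttls_errors': generic_starttls}
```

Running `triage(SAMPLE_LOG)` on the constructed sample reports the qatestdc2 agreement as failed with NSS error -8179 (unrecognised issuer, i.e. the AD server certificate's CA is not in the directory server's NSS database) while the se-idm-02 agreement has resumed.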