On 03/13/2014 12:01 PM, Todd Maugh wrote:
Ok, I got the credentials error worked out; my AD admin had the
IDMadmin account in the wrong OU.
But now I get this:
Added CA certificate ADC13-ELS.CA.cer to certificate database for
idm-master-els.ops.boingo.com
ipa: INFO: AD Suffix is: DC=BWINC,DC=local
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=ops,dc=boingo,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP
error: Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[idm-master-els.ops.boingo.com] reports: Update failed! Status: [-11
- LDAP error: Connect error]
Failed to start replication
Ok. First step is to use ldapsearch to check connection, certs,
passwords, etc.
[[email protected] ipa]$
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h
adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w
"XXXXXX" -s base -b "cn=Users,dc=bwinc,dc=local"
Or whatever your actual idmadmin DN is.
not sure where to look for more errors about this
------------------------------------------------------------------------
From: Rich Megginson [[email protected]]
Sent: Wednesday, March 12, 2014 4:23 PM
To: Todd Maugh; [email protected]
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
On 03/12/2014 05:07 PM, Todd Maugh wrote:
so to verify this
I am able to log in to the AD server as idmadmin with the password
I'm using in the winsync agreement.
I guess you mean that login to Windows using the standard Windows
login dialog is working correctly? And that this is still not working
correctly:
[[email protected] ipa]$
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ
-h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local"
-w "XXXXXX" -s base -b "cn=Users,dc=bwinc,dc=local"
Do you have the Windows administrator password? If so, can you try
something like this:
[[email protected] ipa]$
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ
-h adc13-els.bwinc.local -D
"cn=administrator,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" -s base -b
"cn=Users,dc=bwinc,dc=local"
Is AD configured to allow external LDAP binds?
Is there a log I can look at to see what it is getting tripped up on?
I suppose you could try somewhere in the Windows Event Viewer . . .
I double checked all the security groups for the AD user and they
all look good
------------------------------------------------------------------------
From: Rich Megginson [[email protected]]
Sent: Wednesday, March 12, 2014 3:47 PM
To: Todd Maugh; [email protected]
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
On 03/12/2014 04:39 PM, Todd Maugh wrote:
thanks Rich,
when I run that I get the following:
[[email protected] ipa]$
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch
-xLLLZZ -h adc13-els.bwinc.local -D
"cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" -s base -b
"cn=Users,dc=bwinc,dc=local"
ldap_bind: Invalid credentials (49)
Invalid credentials almost always means your password "XXXXXX" is
not correct for user "cn=idmadmin,cn=Users,dc=bwinc,dc=local"
additional info: 80090308: LdapErr: DSID-0C0903C5, comment:
AcceptSecurityContext error, data 52e, v2580
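The thread shows two different failure signatures: a bind rejected by AD (OpenLDAP result 49, with AD's own `data 52e` reason in the diagnostic string) and, later, a connection that never gets established at all (status -11, "Connect error"). Telling them apart decides whether to look at the password or at host/port/TLS trust. As an added example (not code from the thread, FreeIPA or 389-ds), here is a small Python classifier for those log lines; the sample lines are constructed in the shape of the ones posted above, the result-code names come from OpenLDAP's ldap.h, and the `data` sub-codes are Microsoft's documented AD bind-failure reasons.

```python
import re

# Constructed sample lines, shaped like the ipa-replica-manage / ldapsearch
# output in this thread.
SAMPLE_LINES = [
    "ipa: INFO: Replication Update in progress: FALSE: status: -11 - "
    "LDAP error: Connect error: start: 0: end: 0",
    "ldap_bind: Invalid credentials (49)",
    "ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, "
    "comment: AcceptSecurityContext error, data 52e, v2580', "
    "'desc': 'Invalid credentials'}",
]

# OpenLDAP client result codes (names and values from OpenLDAP's ldap.h).
# -11 means no LDAP/TLS session was ever set up, so the password was never
# even sent; 49 means the session worked and the server refused the bind.
OPENLDAP_CODES = {
    -11: ("LDAP_CONNECT_ERROR",
          "check hostname, port 389/636, firewall and CA trust for StartTLS "
          "(ldapsearch -ZZ) before touching the password"),
    49: ("LDAP_INVALID_CREDENTIALS",
         "the connection is fine; the bind DN or password was rejected"),
}

# Active Directory 'data' sub-codes in the AcceptSecurityContext diagnostic.
# The leading 0x80090308 HRESULT is SEC_E_LOGON_DENIED for all of them; the
# data code is what says why the logon was denied.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials: user exists but the password is wrong",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_STATUS_RE = re.compile(r"status: (?P<code>-?\d+) - LDAP error: (?P<desc>[^:]+)")
_BIND_RE = re.compile(r"ldap_bind: (?P<desc>.+?) \((?P<code>\d+)\)")
_AD_DIAG_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)"
)


def classify_line(line):
    """Return a dict describing the failure a log line reports, or None."""
    result = None
    m = _STATUS_RE.search(line) or _BIND_RE.search(line)
    if m:
        code = int(m.group("code"))
        name, advice = OPENLDAP_CODES.get(code, ("UNKNOWN", "look the code up in ldap.h"))
        result = {"code": code, "name": name,
                  "desc": m.group("desc").strip(), "advice": advice}
    ad = _AD_DIAG_RE.search(line)
    if ad:
        # An AD diagnostic string only appears on a rejected bind, so if no
        # numeric code was on the line we know it is result 49.
        if result is None:
            name, advice = OPENLDAP_CODES[49]
            result = {"code": 49, "name": name,
                      "desc": "Invalid credentials", "advice": advice}
        data = ad.group("data").lower()
        result.update({
            "hresult": ad.group("hresult").upper(),
            "dsid": ad.group("dsid"),
            "comment": ad.group("comment"),
            "data": data,
            "ad_reason": AD_DATA_CODES.get(data, "undocumented data code"),
        })
    return result


def diagnose(lines):
    """Classify every line; skip lines that carry no failure information."""
    return [(line, r) for line in lines if (r := classify_line(line)) is not None]


if __name__ == "__main__":
    for line, info in diagnose(SAMPLE_LINES):
        print(line)
        print("  ->", info["name"], "(%d):" % info["code"], info["advice"])
        if "data" in info:
            print("  -> AD data", info["data"] + ":", info["ad_reason"])
```

Run against the thread's lines this separates the -11 connect error (a transport or certificate problem) from the 49/52e bind error (a wrong password for an existing account), which is exactly the distinction the ldapsearch -ZZ check above is meant to make.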
------------------------------------------------------------------------
From: Rich Megginson [[email protected]]
Sent: Wednesday, March 12, 2014 3:30 PM
To: Todd Maugh; [email protected]
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
On 03/12/2014 04:18 PM, Todd Maugh wrote:
Hello.
I'm using latest IPA build on red hat 6.5
I retrieved my CA cert from the AD Domain controller
I try to set up my winsyncagreement and I am getting this
[[email protected] ipa]$ ipa-replica-manage
connect --winsync --binddn "cn=idmadmin, cn=Users, dc=bwinc,
dc=local" --bindpw "XXXXXX" --passsync "XXXXXX"
--cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer adc13-els.bwinc.local
Directory Manager password:
Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to
certificate database for idm-master-els.ops.boingo.com
ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local
ipa: INFO: The error was: {'info': '80090308: LdapErr:
DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e,
v2580', 'desc': 'Invalid credentials'}
Failed to setup winsync replication
Not sure where to look for the logs for this to see what the
invalid credentials are, or whether this might still be a cert issue
or a login issue or what not?
You can test with ldapsearch like this:
$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLLZZ
-h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local"
-w "XXXXXX" -s base -b "cn=Users,dc=bwinc,dc=local"
Thanks in advance for the help
-Todd
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users