I believe they are. So here is the output of the log. It was showing those errors; I deleted the winsync agreement, then restarted IPA, then re-added the winsync agreement, and the errors returned. Could this be a cert issue?
[13/Mar/2014:19:48:20 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:48:44 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:49:32 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:51:08 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)

Here I removed the winsync agreement:
ipa-replica-manage del adc13-els.bwinc.local
then restarted IPA:
ipactl restart

[13/Mar/2014:19:51:50 +0000] NSMMReplicationPlugin - agmt_delete: begin
[13/Mar/2014:19:51:59 +0000] - slapd shutting down - signaling operation threads
[13/Mar/2014:19:51:59 +0000] - slapd shutting down - waiting for 29 threads to terminate
[13/Mar/2014:19:51:59 +0000] - slapd shutting down - closing down internal subsystems and plugins
[13/Mar/2014:19:51:59 +0000] - Waiting for 4 database threads to stop
[13/Mar/2014:19:51:59 +0000] - All database threads now stopped
[13/Mar/2014:19:51:59 +0000] - slapd stopped.
[13/Mar/2014:19:52:14 +0000] - 389-Directory/1.2.11.15 B2013.337.1530 starting up
[13/Mar/2014:19:52:14 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ops,dc=boingo,dc=com
[13/Mar/2014:19:52:14 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=ops,dc=boingo,dc=com
[13/Mar/2014:19:52:14 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=ops,dc=boingo,dc=com
[13/Mar/2014:19:52:14 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[13/Mar/2014:19:52:14 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/[email protected]] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[13/Mar/2014:19:52:14 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[13/Mar/2014:19:52:14 +0000] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
[13/Mar/2014:19:52:14 +0000] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[13/Mar/2014:19:52:14 +0000] NSMMReplicationPlugin - agmt="cn=meToidm-rep01-els.ops.boingo.com" (idm-rep01-els:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[13/Mar/2014:19:52:14 +0000] - slapd started.
Listening on All Interfaces port 389 for LDAP requests
[13/Mar/2014:19:52:14 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[13/Mar/2014:19:52:14 +0000] - Listening on /var/run/slapd-OPS-BOINGO-COM.socket for LDAPI requests
[13/Mar/2014:19:52:18 +0000] NSMMReplicationPlugin - agmt="cn=meToidm-rep01-els.ops.boingo.com" (idm-rep01-els:389): Replication bind with GSSAPI auth resumed

Here I added the winsync agreement again:

[13/Mar/2014:19:53:16 +0000] - slapd shutting down - signaling operation threads
[13/Mar/2014:19:53:16 +0000] - slapd shutting down - waiting for 30 threads to terminate
[13/Mar/2014:19:53:16 +0000] - slapd shutting down - closing down internal subsystems and plugins
[13/Mar/2014:19:53:16 +0000] - Waiting for 4 database threads to stop
[13/Mar/2014:19:53:16 +0000] - All database threads now stopped
[13/Mar/2014:19:53:16 +0000] - slapd stopped.
[13/Mar/2014:19:53:20 +0000] - 389-Directory/1.2.11.15 B2013.337.1530 starting up
[13/Mar/2014:19:53:20 +0000] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ops,dc=boingo,dc=com
[13/Mar/2014:19:53:20 +0000] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=ops,dc=boingo,dc=com
[13/Mar/2014:19:53:20 +0000] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=ops,dc=boingo,dc=com
[13/Mar/2014:19:53:20 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[13/Mar/2014:19:53:20 +0000] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[13/Mar/2014:19:53:20 +0000] - slapd started.
Listening on All Interfaces port 389 for LDAP requests
[13/Mar/2014:19:53:20 +0000] - Listening on All Interfaces port 636 for LDAPS requests
[13/Mar/2014:19:53:20 +0000] - Listening on /var/run/slapd-OPS-BOINGO-COM.socket for LDAPI requests
[13/Mar/2014:19:53:22 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:22 +0000] NSMMReplicationPlugin - agmt="cn=meToadc13-els.bwinc.local" (adc13-els:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)
[13/Mar/2014:19:53:22 +0000] - Entry "cn=meToadc13-els.bwinc.local,cn=replica,cn=dc\3Dops\2Cdc\3Dboingo\2Cdc\3Dcom,cn=mapping tree,cn=config" -- attribute "nsDS5ReplicatedAttributeListTotal" not allowed
[13/Mar/2014:19:53:22 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:22 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:24 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:24 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:25 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)

________________________________
From: Rich Megginson [[email protected]]
Sent: Thursday, March 13, 2014 12:05 PM
To: Todd Maugh; [email protected]
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/13/2014 12:50 PM, Todd Maugh wrote:
Ok, the error I see repeated in the log is:
[13/Mar/2014:18:41:21 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:11 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:14 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:20 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:32 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:56 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:44:30 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[13/Mar/2014:18:44:33 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:44:44 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:46:20 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:47:29 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:47:32 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:47:38 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:47:50 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:11 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:14 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:20 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:32 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:56 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[[email protected] cacerts]$

Are all of these associated with the winsync agreement?

________________________________
From: Rich Megginson [[email protected]]
Sent: Thursday, March 13, 2014 11:43 AM
To: Todd Maugh; [email protected]
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/13/2014 12:29 PM, Todd Maugh wrote:
Ok, so I ran that and get this output:

Ok. Next, take a look at /var/log/dirsrv/slapd-OPS-BOINGO-COM/errors

[[email protected] cacerts]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" -s base -b "cn=Users,dc=bwinc,dc=local"
dn: cn=Users,dc=bwinc,dc=local
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=BWINC,DC=local
instanceType: 4
whenCreated: 20060824234034.0Z
whenChanged: 20140306190741.0Z
uSNCreated: 17702
uSNChanged: 17702
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: kCZ7CbnIZk+0GpmCr3PCfw==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=BWINC,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20140306234416.0Z
dSCorePropagationData: 20140306234348.0Z
dSCorePropagationData: 20140306225101.0Z
dSCorePropagationData: 20140306225055.0Z
dSCorePropagationData: 16010101000000.0Z

________________________________
From: Rich Megginson [[email protected]]
Sent: Wednesday, March 12, 2014 3:47 PM
To: Todd Maugh; [email protected]
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 04:39 PM, Todd Maugh wrote:
Thanks Rich, when I run that I get the following:
[[email protected] ipa]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" s base -b "cn=Users,dc=bwinc,dc=local"
ldap_bind: Invalid credentials (49)

Invalid credentials almost always means your password "XXXXXX" is not correct for user "cn=idmadmin,cn=Users,dc=bwinc,dc=local"

additional info: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580

________________________________
From: Rich Megginson [[email protected]]
Sent: Wednesday, March 12, 2014 3:30 PM
To: Todd Maugh; [email protected]
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 04:18 PM, Todd Maugh wrote:
Hello. I'm using the latest IPA build on Red Hat 6.5. I retrieved my CA cert from the AD domain controller. I try to set up my winsync agreement and I am getting this:
[[email protected] ipa]$ ipa-replica-manage connect --winsync --binddn "cn=idmadmin, cn=Users, dc=bwinc, dc=local" --bindpw "XXXXXX" --passsync "XXXXXX" --cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer adc13-els.bwinc.local
Directory Manager password:
Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to certificate database for idm-master-els.ops.boingo.com
ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local
ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'}
Failed to setup winsync replication

Not sure where to look for the logs for this to see what the invalid credentials are, or whether this might still be a cert issue or a login issue or what not?

You can test with ldapsearch like this:
$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" -s base -b "cn=Users,dc=bwinc,dc=local"

Thanks in advance for the help
-Todd

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
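As an added example (not code from this thread, nor from the FreeIPA or 389 Directory Server projects), here is a small Python triage script for 389-ds errors-log entries of the kind quoted above. It parses the "[timestamp] component - message" format, separates the recurring "could not send startTLS request" lines from replication-agreement bind failures, tracks for each agreement whether its last bind event was a failure or a "resumed", and maps NSS error -8179 to its meaning (SEC_ERROR_UNKNOWN_ISSUER: the CA that signed the AD controller's certificate is not in the instance's NSS trust database, which is the check to make before chasing credentials). The sample log lines, host names and agreement names are constructed for this example and only follow the format seen in the thread; the classification keywords are assumptions based on the messages quoted here.

```python
import re
from collections import Counter

# 389-ds errors-log line: "[dd/Mon/yyyy:HH:MM:SS +zzzz] <component> - <message>".
# Core server messages carry no component and read "[ts] - message".
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?:(?P<component>\S+) )?- (?P<msg>.*)$')
AGMT_RE = re.compile(r'agmt="(?P<name>[^"]+)" \((?P<peer>[^)]+)\)')
TLS_RE = re.compile(r'TLS error (?P<code>-?\d+):(?P<text>[^)]*)')

# NSS error code -8179 is SEC_ERROR_UNKNOWN_ISSUER (assumed mapping table, extend as needed).
TLS_HINTS = {
    -8179: "peer certificate issuer is not in the local CA trust store; "
           "the AD CA chain must be present in the instance's NSS database",
}

def parse_line(line):
    """Return the timestamp, component and message of one log line, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Coarse category for one parsed entry (keyword rules, an assumption)."""
    msg = entry["msg"]
    if "could not send startTLS request" in msg:
        return "starttls_connect_error"
    if "auth resumed" in msg:
        return "replication_resumed"
    if "auth failed" in msg:
        return "replication_bind_failed"
    if "Could not get initial credentials" in msg or "Credentials cache file" in msg:
        return "kerberos_startup"      # typically transient right after slapd starts
    return "other"

def triage(lines):
    """Summarise a sequence of errors-log lines.

    Returns category counts, the last bind state per replication agreement,
    the agreements still failing at the end of the window, and TLS findings.
    """
    counts = Counter()
    agreements = {}            # agreement name -> "failed" | "resumed"
    findings = []
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue
        kind = classify(entry)
        counts[kind] += 1
        agmt = AGMT_RE.search(entry["msg"])
        if agmt and kind == "replication_bind_failed":
            agreements[agmt.group("name")] = "failed"
        elif agmt and kind == "replication_resumed":
            agreements[agmt.group("name")] = "resumed"
        tls = TLS_RE.search(entry["msg"])
        if tls:
            code = int(tls.group("code"))
            hint = TLS_HINTS.get(code, "unclassified TLS error")
            who = agmt.group("name") if agmt else "?"
            findings.append(f"{entry['ts']} {who}: TLS {code} "
                            f"({tls.group('text').strip()}): {hint}")
    # An agreement whose last event was a failure is still broken; one that later
    # "resumed" only had a transient failure (e.g. GSSAPI ccache not yet written at startup).
    still_failing = sorted(n for n, s in agreements.items() if s == "failed")
    return {"counts": dict(counts), "agreements": agreements,
            "still_failing": still_failing, "findings": findings}

# Constructed sample, modelled on the log format in the thread (names are made up).
SAMPLE_LOG = """\
[13/Mar/2014:19:52:14 +0000] - 389-Directory/1.2.11.15 B2013.337.1530 starting up
[13/Mar/2014:19:52:14 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/idm.example.test@EXAMPLE.TEST] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[13/Mar/2014:19:52:14 +0000] NSMMReplicationPlugin - agmt="cn=meToidm-rep01.example.test" (idm-rep01:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[13/Mar/2014:19:52:18 +0000] NSMMReplicationPlugin - agmt="cn=meToidm-rep01.example.test" (idm-rep01:389): Replication bind with GSSAPI auth resumed
[13/Mar/2014:19:53:22 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:22 +0000] NSMMReplicationPlugin - agmt="cn=meToadc13.ad.example.test" (adc13:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)
[13/Mar/2014:19:53:24 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    print("counts:", report["counts"])
    print("still failing:", report["still_failing"])
    for f in report["findings"]:
        print("finding:", f)
```

Run against a real file with `triage(open('/var/log/dirsrv/slapd-INSTANCE/errors'))`. The useful signal is the pair of outputs: a GSSAPI agreement that flips to "resumed" a few seconds after startup is noise, while an agreement that stays "failed" together with a -8179 finding points at trust-store contents rather than at the bind password.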
