On Fri, 13 Mar 2015, [email protected] wrote:
Hi, I am going forward with a Password Sync AD (window 2013) ---- FreeIPA ipa-server-3.3.3-28.0.1.el7 on a Centos7 Box. I got the Password Sync Tool installed in the Windows2013 box and I have created a user with its related password as I am trying to test the password changes... Looking at the access logs I can see the following related to the Sync Process:

--------
[13/Mar/2015:09:22:02 -0700] conn=2 op=10 RESULT err=32 tag=101 nentries=0 etime=0
[13/Mar/2015:09:23:27 -0700] conn=13 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
[13/Mar/2015:09:23:27 -0700] conn=13 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
[13/Mar/2015:09:23:29 -0700] conn=14 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
[13/Mar/2015:09:23:29 -0700] conn=14 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
[13/Mar/2015:09:23:33 -0700] conn=15 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
[13/Mar/2015:09:23:33 -0700] conn=15 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
[13/Mar/2015:09:23:41 -0700] conn=16 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
[13/Mar/2015:09:23:41 -0700] conn=16 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
[13/Mar/2015:09:23:57 -0700] conn=17 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
[13/Mar/2015:09:23:57 -0700] conn=17 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
[13/Mar/2015:09:24:29 -0700] conn=18 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
[13/Mar/2015:09:24:29 -0700] conn=18 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
[13/Mar/2015:09:25:34 -0700] conn=19 fd=91 slot=91 SSL connection from AD.Server to FreeIPA.Server
[13/Mar/2015:09:25:34 -0700] conn=19 op=-1 fd=91 closed - Peer reports incompatible or unsupported protocol version.
--------

So the passwords do not seem to be copied across. Any idea why this is happening and how to troubleshoot it?
389-ds has disabled SSL3 and only allows TLS1.x connections. You need to configure passsync on the AD side to use TLS1.1 or newer instead of SSL3. http://directory.fedoraproject.org/docs/389ds/download.html#windows-password-synchronization says that passsync 1.1.5 has no support for TLS1.1 or newer, while 1.1.6 has it.

-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
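The pattern in the access log above (an accepted SSL connection on conn=N immediately followed by a "closed - Peer reports incompatible or unsupported protocol version" line for the same conn=N) is easy to spot once, but on a busy directory it hides among normal binds. The following script, added here as an example and not part of the thread or of 389-ds/FreeIPA itself, parses lines in the access-log format shown in the message, correlates the open and close events by connection id, and reports which peers keep failing the TLS version negotiation. The host names and log lines in SAMPLE_LOG are constructed for the example; the threshold and function names are the example's own choices.

```python
"""Spot repeated TLS-version handshake failures in a 389-ds access log.

Added example (not part of the original thread). It correlates each
"SSL connection from" line with the "closed - Peer reports incompatible
or unsupported protocol version" line sharing its conn= id and counts
failures per peer, so a client still offering SSL3 to a TLS1.x-only
directory stands out. Sample lines and host names are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample, shaped like the access-log excerpt in the thread.
SAMPLE_LOG = """\
[13/Mar/2015:09:22:02 -0700] conn=2 op=10 RESULT err=32 tag=101 nentries=0 etime=0
[13/Mar/2015:09:23:27 -0700] conn=13 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
[13/Mar/2015:09:23:27 -0700] conn=13 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
[13/Mar/2015:09:23:29 -0700] conn=14 fd=82 slot=82 SSL connection from AD.Server to FreeIPA.Server
[13/Mar/2015:09:23:29 -0700] conn=14 op=-1 fd=82 closed - Peer reports incompatible or unsupported protocol version.
[13/Mar/2015:09:24:00 -0700] conn=20 fd=83 slot=83 SSL connection from Other.Client to FreeIPA.Server
[13/Mar/2015:09:24:01 -0700] conn=20 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[13/Mar/2015:09:24:01 -0700] conn=20 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""

# Accepted TLS connection: remember which peer owns this conn id.
CONN_OPEN = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ "
    r"SSL connection from (?P<src>\S+) to (?P<dst>\S+)$"
)
# Connection torn down before any operation (op=-1) on a version mismatch.
PROTO_MISMATCH = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=-1 fd=\d+ closed - "
    r"Peer reports incompatible or unsupported protocol version\.$"
)


def protocol_failures(log_text):
    """Return {peer: [timestamps]} for connections that died on a protocol
    version mismatch right after the SSL connection was accepted."""
    peer_by_conn = {}
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = CONN_OPEN.match(line)
        if m:
            peer_by_conn[m.group("conn")] = m.group("src")
            continue
        m = PROTO_MISMATCH.match(line)
        if m:
            # The conn id is reused later, so drop it once it closes.
            peer = peer_by_conn.pop(m.group("conn"), "unknown")
            failures[peer].append(m.group("ts"))
    return dict(failures)


def noisy_peers(log_text, threshold=2):
    """Peers with at least `threshold` mismatches, most frequent first."""
    counts = Counter({p: len(ts) for p, ts in protocol_failures(log_text).items()})
    return [(p, n) for p, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for peer, n in noisy_peers(SAMPLE_LOG):
        print(f"{peer}: {n} TLS protocol-version rejections; "
              f"check that client's TLS settings (SSL3 is no longer accepted)")
```

Run it against a real access log by reading the file into `noisy_peers()` instead of SAMPLE_LOG. A peer that shows up here with a steady stream of op=-1 closes and no successful BIND afterwards is negotiating a protocol the server has disabled, which for passsync means the 1.1.5 build with no TLS1.1 support described in the reply above.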
