Hi
I have completely changed the scenario and I managed to install
freeipa-server 4.1 (somebody published the right repo for CentOS and it
worked really well).
--Let me double check a couple of things. You wrote you installed
PassSync on Windows 2013 (which could be a typo?) We support Windows
Server 2008 R2 and 2012 R2. We also confirmed it works on Windows
Server 2003 R2.
Yes, sorry, that was a typo.
So, starting again from scratch, new machine, the whole installation
process went well, no issues there, but:
* FreeIPA is supposed to generate a PassSync user by running
ipa-replica-manage --winsync --passsync=PASSSYNC_PWD (see also man
ipa-replica-manage).
I tried 5 times, the user was never created on the IPA server, I had to
create it manually (I gave it admin permissions so it could
create/delete/update users).
Doing that, the password sync worked all right. We submitted a password
reset in AD and that propagated all right, tested and it worked fine.
* In one scenario I uninstalled freeipa (still kept the packages),
installed again and something went wrong with the Kerberos keys.
After creating the AD --> LDAP certs and successfully syncing the
passwords, I could read in /var/log/messages a password decryption
issue (Kerberos related) every time I tried to log in as any user.
I have tried uninstalling freeipa and also removing the product
completely and re-installing. It did not matter if I tried to
rebuild the Kerberos keys, the issue was always there, so I had to
start afresh with a new box.
So.. that has been all so far
Thanks
Gonzalo
On 16/03/2015 20:05, Noriko Hosoi wrote:
Hello, Gonzalo,
Any progress on your Password Synchronization?
Let me double check a couple of things. You wrote you installed
PassSync on Windows 2013 (which could be a typo?) We support Windows
Server 2008 R2 and 2012 R2. We also confirmed it works on Windows
Server 2003 R2.
> On 03/13/2015 12:45 PM, [email protected] wrote:
>> I got the Password Sync Tool installed in the Windows2013 box
You can find the doc on PassSync here.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#windows-pass-sync
The doc is on PassSync 1.1.5, but 1.1.6 remains intact except the
default SSL version to connect to the 389 Directory Server (as we
discussed before).
We had a discussion regarding the PassSync user you had to create:
uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
FreeIPA is supposed to generate a PassSync user by running
ipa-replica-manage --winsync --passsync=PASSSYNC_PWD (see also
man ipa-replica-manage).
> there must be some problem as FreeIPA
> creates its own PassSync user in "cn=sysaccounts,cn=etc,<SUFFIX>" and also sets its DN
> as passSyncManagersDNs in the ipa_pwd_extop plugin to avoid it creating expired
> passwords. So there is no need to create
> "uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" manually.
Please see the above doc regarding the user creation.
* The username of the system user which Active Directory uses to
connect to the IdM machine. This account is configured
automatically when sync is configured on the IdM server. The
default account is uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com.
* The password set in the --passsync option when the sync
agreement was created.
I'm sending this response to freeipa-users to share the info and
request more suggestions.
Thanks,
--noriko
On 03/13/2015 02:48 PM, [email protected] wrote:
I forgot to attach the search command now:
# passsync, users, accounts, corp.company.com
dn: uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
cn: passsync
displayName: passsync
krbLastFailedAuth: 20150313211546Z
krbLoginFailedCount: 1
krbExtraData:: AALUUQNVcm9vdC9hZG1pbkBDT1JQLkhPT1RTVUlURU1FRElBLkNPTQA=
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=corp,dc=company,dc=com
krbLastPwdChange: 20150313210836Z
krbPasswordExpiration: 20150611210836Z
mepManagedEntry: cn=passsync,cn=groups,cn=accounts,dc=corp,dc=company,d
c=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/bash
gecos: pass sync
sn: sync
homeDirectory: /home/passsync
uid: passsync
mail: [email protected]
krbPrincipalName: [email protected]
givenName: pass
initials: ps
userPassword:: zxxxxxxxx=
=
ipaUniqueID: 1d76b14a-c9c5-11e4-93f4-12d2e19d1e3c
uidNumber: 1481000829
gidNumber: 1481000829
krbPrincipalKey:: dfrerererer
# search result
search: 2
On 2015-03-13 21:39, [email protected] wrote:
Hi
I had to manually create the user!! For some reason I thought the sync
agreement task was also creating that entry for the DS!
So now I got:
[13/Mar/2015:14:27:30 -0700] conn=66 op=4 SRCH
base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
scope=0 filter="(objectClass=*)" attrs="telephoneNumber uid title
loginShell uidNumber gidNumber sn homeDirectory mail ou givenName
nsAccountLock"
[13/Mar/2015:14:27:30 -0700] conn=66 op=4 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=5 SRCH
base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
scope=0 filter="(userPassword=*)" attrs="userPassword"
[13/Mar/2015:14:27:30 -0700] conn=66 op=5 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=6 SRCH
base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
[13/Mar/2015:14:27:30 -0700] conn=66 op=6 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=7 SRCH
base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
scope=0 filter="(objectClass=*)" attrs="ipaSshPubKey"
[13/Mar/2015:14:27:30 -0700] conn=66 op=7 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=8 UNBIND
[13/Mar/2015:14:27:30 -0700] conn=66 op=8 fd=103 closed - U1
[13/Mar/2015:14:27:33 -0700] conn=48 op=20 RESULT err=0 tag=101
nentries=828 etime=90 notes=U
[13/Mar/2015:14:27:33 -0700] conn=48 op=21 ABANDON targetop=NOTFOUND
msgid=16
[13/Mar/2015:14:27:33 -0700] conn=48 op=22 SRCH
base="cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=0
filter="(objectClass=*)" attrs="* aci"
[13/Mar/2015:14:27:33 -0700] conn=48 op=22 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:14:27:33 -0700] conn=48 op=23 ABANDON targetop=NOTFOUND
msgid=18
[13/Mar/2015:14:27:42 -0700] conn=67 fd=103 slot=103 connection from
::1 to ::1
[13/Mar/2015:14:27:42 -0700] conn=67 op=0 BIND dn="cn=directory
manager" method=128 version=3
[13/Mar/2015:14:27:42 -0700] conn=67 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="cn=directory manager"
[13/Mar/2015:14:27:42 -0700] conn=67 op=1 SRCH
base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
scope=2 filter="(objectClass=*)" attrs=ALL
[13/Mar/2015:14:27:42 -0700] conn=67 op=1 RESULT err=0 tag=101
nentries=1 etime=0 notes=U
[13/Mar/2015:14:27:42 -0700] conn=67 op=2 UNBIND
[13/Mar/2015:14:27:42 -0700] conn=67 op=2 fd=103 closed - U1
And target not found??? What else might I be missing?
Thanks!
On 2015-03-13 21:01, Noriko Hosoi wrote:
On 03/13/2015 01:49 PM, [email protected] wrote:
Hi
Restarted... And I also have re-initiated the replica just in
case....
I can see the following:
---
3/Mar/2015:13:41:35 -0700] conn=34 op=329 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:13:41:36 -0700] conn=35 fd=84 slot=84 SSL connection
from AD.SERVER to IPA.SERVER
[13/Mar/2015:13:41:36 -0700] conn=35 SSL 128-bit AES
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 BIND
dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97
nentries=0 etime=0
Error 32 is LDAP_NO_SUCH_OBJECT.
Do you have a user
"uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" in your
Directory Server?
On the host/VM where your Directory Server is running, please run this
command line search. Does it return the entry?
ldapsearch -x -h localhost -p 389 -D 'cn=directory manager' -W -b
"uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
[13/Mar/2015:13:41:36 -0700] conn=35 op=1 SRCH
base="cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=2
filter="(ntUserDomainId=john.test)" attrs=ALL
[13/Mar/2015:13:41:36 -0700] conn=35 op=1 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:13:41:36 -0700] conn=34 op=330 SRCH
base="cn=meTohqdc1.corp.company.com,cn=replica,cn=dc\3Dcorp\2Cdc\3Dcompany\2Cdc\3Dcom,cn=mapping
tree,cn=config" scope=0 filter="(objectClass=*)"
attrs="nsds5replicaLastInitStart nsds5replicaUpdateInProgress
nsds5replicaLastInitStatus cn nsds5BeginReplicaRefresh
nsds5replicaLastInitEnd"
[13/Mar/2015:13:41:36 -0700] conn=34 op=330 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:13:41:36 -0700] conn=36 fd=101 slot=101 SSL
connection from AD.SERVER to IPA.SERVER
[13/Mar/2015:13:41:36 -0700] conn=36 SSL 128-bit AES
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 BIND
dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 RESULT err=48 tag=97
nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=36 op=1 UNBIND
[13/Mar/2015:13:41:36 -0700] conn=36 op=1 fd=101 closed - U1
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 MOD
dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 RESULT err=50 tag=103
nentries=0 etime=0
Since the above bind failed, your PassSync has no right to update the
password on the Directory Server and the modify attempt failed with
LDAP_INSUFFICIENT_ACCESS.
Thanks,
--noriko
[13/Mar/2015:13:41:37 -0700] conn=35 op=3 UNBIND
[13/Mar/2015:13:41:37 -0700] conn=35 op=3 fd=84 closed - U1
--
Note there are 2 errors there:
dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97
nentries=0 etime=0
dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
method=128 version=3
ipa user-show John.Test
User login: john.test
First name: John
Last name: Test
Home directory: /home/john.test
Login shell: /bin/bash
UID: 1481000790
GID: 1481000790
Account disabled: False
Password: False
Kerberos keys available: False
the password is still set as False
The PassSync Tool got defined with the search base
cn=users,cn=accounts,dc=corp,dc=company,dc=com, which should be
all right.
Thanks for all your help!
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
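One way to automate the diagnosis Noriko walks through in the thread (a failed PassSync BIND on a connection, followed on the same connection by a MOD that fails with err=50 LDAP_INSUFFICIENT_ACCESS). This is an added example, not code from the thread or from FreeIPA or 389 Directory Server; the log lines are constructed after the ones quoted above, and the error-name table covers only the codes the thread mentions plus invalidCredentials.

```python
import re

# LDAP result codes seen in this kind of trace (RFC 4511 names).
ERR_NAMES = {0: "SUCCESS", 32: "NO_SUCH_OBJECT", 48: "INAPPROPRIATE_AUTH",
             49: "INVALID_CREDENTIALS", 50: "INSUFFICIENT_ACCESS"}

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<body>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')

# Constructed sample modelled on the 389-ds access log excerpt in the thread.
SAMPLE_LOG = """\
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 BIND dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=35 op=1 SRCH base="cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=2 filter="(ntUserDomainId=john.test)" attrs=ALL
[13/Mar/2015:13:41:36 -0700] conn=35 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 MOD dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 RESULT err=50 tag=103 nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 BIND dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 RESULT err=48 tag=97 nentries=0 etime=0
"""

def explain_failed_mods(log_text):
    """Return one finding per MOD that got err=50 on a connection whose BIND
    had already failed; each finding names the bind DN and both error codes."""
    requests = {}       # (conn, op) -> (optype, dn) until its RESULT arrives
    bind_failure = {}   # conn -> (dn, err) of a failed BIND on that connection
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue    # connection open/close lines carry no op= field
        conn, op, body = m["conn"], m["op"], m["body"]
        optype = body.split(" ", 1)[0]
        if optype != "RESULT":
            dn_m = DN_RE.search(body)
            requests[(conn, op)] = (optype, dn_m["dn"] if dn_m else "")
            continue
        err = int(ERR_RE.search(body)["err"])
        optype, dn = requests.pop((conn, op), ("?", ""))
        if optype == "BIND" and err != 0:
            bind_failure[conn] = (dn, err)
        elif optype == "MOD" and err == 50 and conn in bind_failure:
            bind_dn, bind_err = bind_failure[conn]
            findings.append({"conn": conn, "mod_dn": dn, "bind_dn": bind_dn,
                             "bind_err": bind_err,
                             "bind_err_name": ERR_NAMES.get(bind_err, "?")})
    return findings

if __name__ == "__main__":
    for f in explain_failed_mods(SAMPLE_LOG):
        print(f"conn={f['conn']}: MOD of {f['mod_dn']} denied because BIND as "
              f"{f['bind_dn']} failed with err={f['bind_err']} ({f['bind_err_name']})")
```

Run it against /var/log/dirsrv/slapd-INSTANCE/access (path per your instance) to get one line per denied password update together with the bind failure that caused it.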