On 29/05/2012 23:15, Rob Crittenden wrote:
Rob Crittenden wrote:
Matt wrote:
Hi,
Any ideas on where to look for more information? I have been unable to
make any progress on this.
Thanks
On 22/05/2012 10:18, Matt wrote:
Hi,
I am attempting to run replication between Windows AD (2008R2) and a
FreeIPA (2.2.0) server (fc-17) in a test setup.
I have bound FreeIPA to the AD server 'sucessfully'
[root@ipa2 cacerts]# ipa-replica-manage connect --winsync --binddn
"CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net" --bindpw <Password>
--passsync <Password> --cacert /etc/openldap/cacerts/AD.cer -v
ipa.100it.net -p <Password>
Added CA certificate /etc/openldap/cacerts/AD.cer to certificate
database for ipa2.100it.net
ipa: INFO: AD Suffix is: DC=IPA,DC=100it,DC=net
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=100it,dc=net
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready .
. .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - System
error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
Failed to start replication
The server now shows in the replica list:
[root@ipa2 ~]# ipa-replica-manage list -p <password>
ipa.100it.net: winsync
ipa2.100it.net: master
But any attemps to re-initialise the connection result in the same
"[-11 - System error]" message:
[root@ipa2 ~]# ipa-replica-manage re-initialize --from ipa.100it.net
-p <password>
[ipa2.100it.net] reports: Update failed! Status: [-11 - System error]
There are no messages that relate to the connection in event viewer
and nothing other then "[-11 - System error]" in any of the freeIPA
log files.
Thanks
Matt
This is a new one to me. I think we need to try to gather more
information on it. Can you enable replication debugging then try to
re-initialize it again?
$ ldapmodify -x -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 8192
Then to turn it off do basically the same thing:
$ ldapmodify -x -D "cn=directory manager" -W
dn: cn=config
changetype: modify
replace: nsslapd-errorlog-level
nsslapd-errorlog-level: 0
The log output should go to the 389-ds error log.
rob
Turns out the code is an LDAP return code which in this case means
connection error. Still not a lot to go on but it's something.
Can you see if there is a firewall in between? You might also want to
to try ldapsearch to see if you can connect to the AD server.
We test the connection early on. I'm not sure why it would fail in the
middle like this.
rob
Hi Rob,
Thanks for the info. Once debugging was turned on it was obvious to me.
[30/May/2012:08:54:38 +0100] slapi_ldap_bind - Error: could not send
startTLS request: error -11 (Connect error) errno 0 (Success)
[30/May/2012:08:54:38 +0100] NSMMReplicationPlugin -
agmt="cn=meToipa.100it.net" (ipa:389): Replication bind with SIMPLE auth
failed: LDAP error -11 (Connect error) (TLS: hostname does not match CN
in peer certificate)
Connecting to the host with OpenSSL gives CN=WIN-LKC2MQ44IMG.IPA.100it.net
Reconnecting to the correct hostname completed sucessfully.
[root@ipa2 ~]# ipa-replica-manage connect --winsync --binddn
"CN=Administrator,CN=Users,DC=IPA,DC=100it,DC=net" --bindpw <Password>
--passsync <Password> --cacert /etc/openldap/cacerts/AD.cer -v
WIN-LKC2MQ44IMG.IPA.100it.net -p <Password>
Added CA certificate /etc/openldap/cacerts/AD.cer to certificate
database for ipa2.100it.net
ipa: INFO: AD Suffix is: DC=IPA,DC=100it,DC=net
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=100it,dc=net
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 Replica
acquired successfully: Incremental update started: start:
20120530090434Z: end: 20120530090434Z
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'ipa2.100it.net' to 'WIN-LKC2MQ44IMG.IPA.100it.net'
Thats what I get for trying to be quick.
Thanks
Matt
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
