On 05/14/2015 04:58 AM, nat...@nathanpeters.com wrote:
> I have tried to set up synchronization between a FreeIPA domain and an AD domain. The certificates are in the right place.
>
> [root@ipadc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=sync user,cn=Users,dc=datacenter,dc=addomain,dc=net" --bindpw secretpassword --passsync secretpassword --cacert /etc/openldap/cacerts/addc1-datacenter.cer addc1.datacenter.addomain.net -v
> Directory Manager password:
>
> Added CA certificate /etc/openldap/cacerts/addc1-datacenter.cer to certificate database for ipadc1.ipadomain.net
> ipa: INFO: AD Suffix is: DC=datacenter,DC=addomain,DC=net
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
> Windows PassSync system account exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
>
> [ipadc1.ipadomain.net] reports: Update failed! Status: [-11 - LDAP error: Connect error]
>
> Failed to start replication
>
>
> This is the system journal while the failure is happening
>
> May 14 02:50:39 ipadc1.ipadomain.net systemd[1]: Stopping 389 Directory Server IPADOMAIN-NET....
> May 14 02:50:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
> May 14 02:50:41 ipadc1.ipadomain.net named-pkcs11[5594]: ldap_syncrepl will reconnect in 60 seconds
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: ipa : ERROR syncrepl_poll: LDAP error ({'desc': "Can't contact LDAP server"})
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: Traceback (most recent call last):
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 106, in <module>
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 349, in syncrepl_poll
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: add_intermediates=1, add_ctrls=1, all = 0
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 483, in result4
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: result = func(*args,**kwargs)
> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: SERVER_DOWN: {'desc': "Can't contact LDAP server"}
> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Stopped 389 Directory Server IPADOMAIN-NET..
> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Starting 389 Directory Server IPADOMAIN-NET....
> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Started 389 Directory Server IPADOMAIN-NET..
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: Configured NSS Ciphers
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: connection to the LDAP server was lost
> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
> May 14 02:51:41 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 1
> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
> May 14 02:51:41 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 2
> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 2
> May 14 02:51:41 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 3
> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: successfully reconnected to LDAP server
> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP instance 'ipa' is being synchronized, please ignore message 'all zones loaded'
> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP error: Can't contact LDAP server: while modifying(replace) entry 'idnsname=ipadomain.net.,cn=dns,dc=ipadomain,dc=net'
> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: retrying LDAP operation (modifying(replace)) on entry 'idnsname=ipadomain.net.,cn=dns,dc=ipadomain,dc=net'
> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP error: Can't contact LDAP server: connection error
> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
> May 14 02:51:41 ipadc1.ipadomain.net systemd[1]: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
> May 14 02:51:41 ipadc1.ipadomain.net systemd[1]: Stopping IPA key daemon...
> May 14 02:51:41 ipadc1.ipadomain.net systemd[1]: Starting IPA key daemon...
> May 14 02:51:41 ipadc1.ipadomain.net systemd[1]: Started IPA key daemon.
> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 1
> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 2
> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 2
> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 3
> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: successfully reconnected to LDAP server
> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: zone 19.21.10.in-addr.arpa/IN: loaded serial 1431571902
> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: zone ipadomain.net/IN: loaded serial 1431571901
> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: 2 master zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 0 failed to load)
> May 14 02:51:42 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 1
> May 14 02:51:42 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 1
> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 1
> May 14 02:51:42 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 1
> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 2
> May 14 02:51:42 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 2
> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 3
> May 14 02:51:43 ipadc1.ipadomain.net ipa-dnskeysyncd[3318]: ipa : INFO LDAP bind...
CCing Alexander.

I wonder if it is related to https://bugzilla.redhat.com/show_bug.cgi?id=1215010

If your AD has the MS update mentioned in the bug and has a CA cert with SHA-512 signing, then you may be hitting this bug.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
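Added here as a worked example; it is not part of this thread and not FreeIPA or 389-ds code. The reply above hinges on one fact the poster has not yet checked: which signature algorithm the AD CA certificate was signed with. The script below answers that offline by decoding the certificate's DER directly (PEM input is accepted too), so it works on a host without openssl, and it also reports if the outer signatureAlgorithm disagrees with tbsCertificate.signature, which RFC 5280 forbids. The only thing taken from the post is the certificate path used in the usage comment; the "certificate" the script builds for its own test is a constructed DER skeleton, not a real or valid certificate.

```python
"""Report the signature algorithm of an X.509 certificate (DER or PEM) without openssl."""
import base64
import re
import sys

# OID -> name for the signature algorithms a CA certificate is likely to carry.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def to_der(data):
    """Accept PEM or DER bytes and return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)  # drop BEGIN/END armour lines
        return base64.b64decode(b"".join(body.split()))
    return data


def cert_signature_algorithm(data):
    """Return (oid, name) of the certificate's signatureAlgorithm.

    RFC 5280 4.1.1.2 requires the outer signatureAlgorithm to equal
    tbsCertificate.signature; a mismatch raises instead of trusting either copy.
    """
    der = to_der(data)
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; is the file really a certificate?")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, tbs, pos = _read_tlv(cert, 0)
    _, outer_alg, _ = _read_tlv(cert, pos)
    _, outer_oid, _ = _read_tlv(outer_alg, 0)  # AlgorithmIdentifier.algorithm
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, ... }
    tag, _, after = _read_tlv(tbs, 0)
    pos = after if tag == 0xA0 else 0  # skip the EXPLICIT version if present
    _, _, pos = _read_tlv(tbs, pos)    # serialNumber
    _, inner_alg, _ = _read_tlv(tbs, pos)
    _, inner_oid, _ = _read_tlv(inner_alg, 0)
    oid, inner = _decode_oid(outer_oid), _decode_oid(inner_oid)
    if oid != inner:
        raise ValueError("signatureAlgorithm %s != tbsCertificate.signature %s" % (oid, inner))
    return oid, SIG_ALG_OIDS.get(oid, "unknown")


# --- constructed test input below: a Certificate skeleton, NOT a real certificate ---

def _der(tag, content):
    """Encode one DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Inverse of _decode_oid: dotted OID -> content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_cert(sig_oid, tbs_sig_oid=None):
    """Constructed skeleton with the fields the parser needs; signature bytes are zeros."""
    def alg(oid):
        return _der(0x30, _der(0x06, _encode_oid(oid)) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg(tbs_sig_oid or sig_oid))
    return _der(0x30, tbs + alg(sig_oid) + _der(0x03, b"\x00" * 9))


def to_pem(der):
    """Wrap DER in PEM armour (used to exercise the PEM path)."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der) + b"\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage: python cert_sigalg.py /etc/openldap/cacerts/addc1-datacenter.cer
    with open(sys.argv[1], "rb") as f:
        print("%s (%s)" % cert_signature_algorithm(f.read()))
```

Where OpenSSL is available, `openssl x509 -in /etc/openldap/cacerts/addc1-datacenter.cer -noout -text | grep 'Signature Algorithm'` gives the same answer (add `-inform DER` if the file is binary, which certificates exported from Windows may be). The value of doing it by hand is that the check runs anywhere and that an unknown OID or an inner/outer mismatch is surfaced explicitly rather than passed over.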