[Freeipa-users] SSSD Caching issues
Hello guys,

I'm having a problem with one of my clients. It seems the SSSD cache keeps having a problem and is blocking users from authenticating. I am able to solve it by stopping sssd, clearing out the cache in /var/lib/sss/db with an rm -rf *, and then restarting sssd.

I'm not sure what logs to look at. I checked out /var/log/sssd and they are all 0 file size and gave me nothing to look at. Has anyone seen this before? Does anyone have any clues on troubleshooting?

Thanks
-Todd Maugh
tma...@boingo.com

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
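Two things a practitioner would want to do differently with the procedure in the post above: keep the bad cache instead of rm -rf'ing it, so the state that broke logins can still be inspected, and find out why /var/log/sssd is empty (SSSD writes almost nothing unless debug_level is set in the relevant sections). The script below is an added example, not code from the original post or from the SSSD project. It assumes the usual paths (/var/lib/sss/db, /etc/sssd/sssd.conf), the SysV `service` command used on the RHEL 5/6 era clients in this thread, and a backup location /var/lib/sss/db-backup chosen here; where the sss_cache tool is installed it tries `sss_cache -E` first, which expires every cached entry without a restart.

```python
#!/usr/bin/env python3
"""Added example, not from the original post: reset the SSSD cache without
destroying evidence, and report which sssd.conf sections lack debug_level.

Assumptions (not stated on the page): cache in /var/lib/sss/db, config in
/etc/sssd/sssd.conf, SysV 'service' for stop/start, and a backup root of
/var/lib/sss/db-backup chosen for this example."""
import configparser
import shutil
import subprocess
import time
from pathlib import Path

CACHE_DIR = Path("/var/lib/sss/db")
BACKUP_ROOT = Path("/var/lib/sss/db-backup")   # assumption: any root-only directory works
SSSD_CONF = Path("/etc/sssd/sssd.conf")


def sections_missing_debug_level(conf_text, wanted=("sssd", "nss", "pam")):
    """Return the sections ([sssd], [nss], [pam] and every configured
    [domain/...]) that carry no debug_level. A section without it logs
    next to nothing, which is why the files in /var/log/sssd stay at 0 bytes."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    domains = [f"domain/{d.strip()}"
               for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    missing = []
    for section in list(wanted) + domains:
        if not cp.has_section(section) or not cp.has_option(section, "debug_level"):
            missing.append(section)
    return missing


def move_cache_aside(cache_dir, backup_root, now=None):
    """Move every .ldb cache file into a timestamped directory under
    backup_root and return (that directory, names moved). Moving rather than
    deleting keeps the broken cache around for later inspection."""
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))
    dest = Path(backup_root) / f"sssd-cache-{stamp}"
    dest.mkdir(parents=True, exist_ok=False)
    moved = []
    for entry in Path(cache_dir).iterdir():
        if entry.is_file() and entry.suffix == ".ldb":
            shutil.move(str(entry), str(dest / entry.name))
            moved.append(entry.name)
    return dest, sorted(moved)


def reset_sssd_cache():
    """The whole procedure: soft invalidation first, then stop, move aside, start."""
    if shutil.which("sss_cache"):
        # Expire everything; on a healthy client this alone forces fresh lookups.
        subprocess.run(["sss_cache", "-E"], check=False)
    subprocess.run(["service", "sssd", "stop"], check=True)
    dest, moved = move_cache_aside(CACHE_DIR, BACKUP_ROOT)
    subprocess.run(["service", "sssd", "start"], check=True)
    return dest, moved


if __name__ == "__main__":
    missing = sections_missing_debug_level(SSSD_CONF.read_text())
    if missing:
        print("debug_level not set in:", ", ".join(missing))
    dest, moved = reset_sssd_cache()
    print(f"moved {len(moved)} cache file(s) to {dest}")
```

Run it as root on the affected client; the debug_level report tells you which sections to edit before reproducing the failure, and the moved-aside .ldb files can be read later with ldbsearch.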
Re: [Freeipa-users] force uninstall from Ubuntu 12.04
Thank you, that was it!!!

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Tuesday, April 01, 2014 6:11 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] force uninstall from Ubuntu 12.04

Todd Maugh wrote:
> Has anyone been able to successfully uninstall a client from Ubuntu 12.04?
>
> I have the install down for these boxes. But I need to transfer an Ubuntu client from our old IPA server to the new one.
>
> The error I get during uninstall is
>
> Failed to remove krb5/LDAP Configuration
>
> even if I remove /etc/ipa/default.conf.
>
> When I go to re-enroll the client it says
>
> IPA client is already configured on this system.
> Run the uninstall blah blah blah
>
> Any suggestions? Does anyone know the magic file to remove?

The files in /var/lib/ipa/sysrestore

rob
[Freeipa-users] force uninstall from Ubuntu 12.04
Has anyone been able to successfully uninstall a client from Ubuntu 12.04?

I have the install down for these boxes. But I need to transfer an Ubuntu client from our old IPA server to the new one.

The error I get during uninstall is

Failed to remove krb5/LDAP Configuration

even if I remove /etc/ipa/default.conf.

When I go to re-enroll the client it says

IPA client is already configured on this system.
Run the uninstall blah blah blah

Any suggestions? Does anyone know the magic file to remove?

Thanks again,
Your favorite questioner, Todd

Todd Maugh
Sr System Engineer
Boingo Wireless
tma...@boingo.com
Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate
OK, so on 2 of the servers I found that UsePAM was not even in the sshd_config. When I put that in I was fine, but 3 other servers that have it in the sshd_config are exhibiting the password-not-accepted error. Then I went and cleared the sssd cache and I'm back in business.

Thank you for the help

From: freeipa-users-boun...@redhat.com on behalf of Todd Maugh
Sent: Tuesday, April 01, 2014 1:58 PM
To: Jakub Hrozek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

/var/log/sssd/krb5_child.log is empty. Here is the sssd domain log, sssd_ops.boingo.com.log:

97][1][name=tmp.UiK3X6]
(Tue Apr 1 19:28:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:29:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr 1 19:29:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:30:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr 1 19:30:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:31:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr 1 19:31:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:32:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr 1 19:32:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:33:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr 1 19:33:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:34:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr 1 19:34:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:35:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr 1 19:35:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:36:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr 1 19:36:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:37:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr 1 19:37:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:38:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr 1 19:38:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:39:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr 1 19:39:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:40:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr 1 19:40:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:40:10 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4099][1][name=tmaugh]
(Tue Apr 1 19:40:10 2014) [sssd[be[ops.boingo.com]]] [sdap_initgr_nested_send] (4): User entry lacks original memberof ?
(Tue Apr 1 19:40:10 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:41:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr 1 19:41:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:42:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr 1 19:42:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:43:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr 1 19:43:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 19:44:01 2014) [sssd[be[ops.boingo.com
Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate
172.22.170.46] TTL 7200
(Tue Apr 1 20:49:57 2014) [sssd[be[ops.boingo.com]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/black-62.qa.boingo.com
(Tue Apr 1 20:49:57 2014) [sssd[be[ops.boingo.com]]] [child_sig_handler] (4): child [7939] finished successfully.
(Tue Apr 1 20:49:57 2014) [sssd[be[ops.boingo.com]]] [fo_set_port_status] (4): Marking port 0 of server 'idm-master-els.ops.boingo.com' as 'working'
(Tue Apr 1 20:49:57 2014) [sssd[be[ops.boingo.com]]] [set_server_common_status] (4): Marking server 'idm-master-els.ops.boingo.com' as 'working'
(Tue Apr 1 20:49:57 2014) [sssd[be[ops.boingo.com]]] [be_run_online_cb] (3): Going online. Running callbacks.
(Tue Apr 1 20:49:57 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 20:49:57 2014) [sssd[be[ops.boingo.com]]] [delayed_online_authentication_callback] (5): Backend is online, starting delayed online authentication.
(Tue Apr 1 20:49:57 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4099][1][name=csteinke]
(Tue Apr 1 20:49:57 2014) [sssd[be[ops.boingo.com]]] [sdap_initgr_nested_send] (4): User entry lacks original memberof ?
(Tue Apr 1 20:49:57 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 20:50:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr 1 20:50:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Tue Apr 1 20:50:38 2014) [sssd[be[ops.boingo.com]]] [sbus_dispatch] (3): Connection is not open for dispatching.
(Tue Apr 1 20:50:38 2014) [sssd[be[ops.boingo.com]]] [be_client_destructor] (4): Removed PAM client
(Tue Apr 1 20:50:38 2014) [sssd[be[ops.boingo.com]]] [sbus_dispatch] (3): Connection is not open for dispatching.
(Tue Apr 1 20:50:38 2014) [sssd[be[ops.boingo.com]]] [be_client_destructor] (4): Removed NSS client
(Tue Apr 1 20:50:38 2014) [sssd[be[ops.boingo.com]]] [remove_krb5_info_files] (5): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.OPS.BOINGO.COM], [2][No such file or directory]

From: freeipa-users-boun...@redhat.com on behalf of Jakub Hrozek
Sent: Tuesday, April 01, 2014 1:19 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

On Tue, Apr 01, 2014 at 05:58:00PM +, Todd Maugh wrote:
> I am seeing this error in /var/log/secure
>
> [r...@black-64.qa ~]# tail /var/log/secure
> Apr 1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
> Apr 1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)
> Apr 1 17:54:07 black-64 sshd[3649]: Failed password for tmaugh from 10.194.1.250 port 44697 ssh2
> Apr 1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
> Apr 1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)

"System Error" means something like "Unhandled exception" from pam_sss. In general, this shouldn't happen, although System Error is not always indicative of a bug in SSSD. We use System Error as the default return code if no other condition matches, so sometimes we just fail to translate the error code properly -- at one point, we used to return System Error on clock skew, for instance.

Could you attach or paste (to me directly if needed) the domain log file and also the krb5_child.log?

> Apr 1 17:54:14 black-64 sshd[3649]: Failed password for tmaugh from 10.194.1.250 port 44697 ssh2
> Apr 1 17:54:15 black-64 sshd[3650]: Connection closed by 10.194.1.250
> Apr 1 17:54:15 black-64 sshd[3649]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
> Apr 1 17:56:49 black-64 sshd[3713]: Accepted publickey for root from 10.194.1.250 port 38249 ssh2
> Apr 1 17:56:49 black-64 sshd[3713]: pam_unix(sshd:session): session opened for user root by (uid=0)
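The point Jakub makes above is the one that matters when reading /var/log/secure: pam_sss's `4 (System error)` is the catch-all return code, so it says the client could not complete the request at all (PAM stack, sssd.conf, cache, clock), not that the password was wrong, which would show up as code 7. The script below is an added example, not code from the thread or from SSSD, that pulls the PAM return code out of pam_sss lines and gives each user a verdict. The two tmaugh lines are from the thread; the jdoe and bob lines are constructed here to show the other outcomes. The code numbers follow Linux-PAM (4 = PAM_SYSTEM_ERR, 6 = PAM_PERM_DENIED, 7 = PAM_AUTH_ERR, 9 = PAM_AUTHINFO_UNAVAIL).

```python
#!/usr/bin/env python3
"""Added example, not from the original thread: classify pam_sss results in
/var/log/secure so a 'System error' is not mistaken for a bad password.
Sample lines below are partly from the thread and partly constructed."""
import re
from collections import Counter, defaultdict

# pam_sss reports the PAM return code for the auth phase ("received for user")
# and for the account phase ("Access denied for user") in the same shape.
RESULT_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<phase>\w+)\): "
    r"(?:received for user|Access denied for user) (?P<user>[^:]+): (?P<code>\d+)"
)
# The "authentication failure;" line just before it carries the source address.
FAILURE_RE = re.compile(
    r"pam_sss\([^)]*\): authentication failure;.*?rhost=(?P<rhost>\S*).*?user=(?P<user>\S+)"
)

VERDICT_BY_CODE = {
    4: "system_error",         # client could not run the request: PAM stack, sssd.conf, cache, clock
    9: "backend_unavailable",  # no server reachable and nothing usable in the cache
    6: "access_denied",        # account phase refused the login, e.g. an HBAC rule
    7: "bad_credentials",      # the password really was wrong
}
# Precedence: a system error anywhere means the client is broken, whatever
# the other attempts say; a wrong password is the least interesting outcome.
PRECEDENCE = (4, 9, 6, 7)


def triage(lines):
    """Return (codes, hosts, verdicts): per-user PAM code counts, per-user
    source addresses, and one verdict per user picked by PRECEDENCE."""
    codes = defaultdict(Counter)
    hosts = defaultdict(set)
    for line in lines:
        m = RESULT_RE.search(line)
        if m:
            codes[m["user"]][int(m["code"])] += 1
            continue
        m = FAILURE_RE.search(line)
        if m and m["rhost"]:
            hosts[m["user"]].add(m["rhost"])
    verdicts = {}
    for user, counter in codes.items():
        for code in PRECEDENCE:
            if counter[code]:
                verdicts[user] = VERDICT_BY_CODE[code]
                break
        else:
            verdicts[user] = "unclassified"
    return codes, hosts, verdicts


SAMPLE_SECURE_LOG = [
    # from the thread
    "Apr 1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh",
    "Apr 1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)",
    "Apr 1 17:54:07 black-64 sshd[3649]: Failed password for tmaugh from 10.194.1.250 port 44697 ssh2",
    "Apr 1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh",
    "Apr 1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)",
    # constructed for this example
    "Apr 1 18:02:10 black-64 sshd[3702]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.77 user=jdoe",
    "Apr 1 18:02:10 black-64 sshd[3702]: pam_sss(sshd:auth): received for user jdoe: 7 (Authentication failure)",
    "Apr 1 18:03:30 black-64 sshd[3710]: pam_sss(sshd:account): Access denied for user bob: 6 (Permission denied)",
]

if __name__ == "__main__":
    codes, hosts, verdicts = triage(SAMPLE_SECURE_LOG)
    for user in sorted(verdicts):
        print(f"{user:8} {verdicts[user]:20} codes={dict(codes[user])} from={sorted(hosts[user])}")
```

Feed it `tail -n 500 /var/log/secure` on the failing host: a user tagged system_error needs the SSSD side investigated (debug_level, PAM stack, cache), while bad_credentials and access_denied are the server-side or user-side outcomes the thread's earlier HBAC question was about.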
Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate
Here is my sssd.conf:

[r...@black-64.qa ~]# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LDAP
domains = ops.boingo.com
[nss]
[pam]
# Example LDAP domain
# [domain/LDAP]
# id_provider = ldap
# auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
# ldap_schema = rfc2307
# ldap_uri = ldap://ldap.mydomain.org
# ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
# enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
# cache_credentials = true
# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For Unix and map LDAP attributes onto
# msSFU30* attribute names.
# [domain/AD]
# id_provider = ldap
# auth_provider = krb5
# chpass_provider = krb5
#
# ldap_uri = ldap://your.ad.example.com
# ldap_search_base = dc=example,dc=com
# ldap_schema = rfc2307bis
# ldap_sasl_mech = GSSAPI
# ldap_user_object_class = user
# ldap_group_object_class = group
# ldap_user_home_directory = unixHomeDirectory
# ldap_user_principal = userPrincipalName
# ldap_account_expire_policy = ad
# ldap_force_upper_case_realm = true
#
# krb5_server = your.ad.example.com
# krb5_realm = EXAMPLE.COM
[domain/ops.boingo.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ops.boingo.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, idm-master-els.ops.boingo.com
ldap_tls_cacert = /etc/ipa/ca.crt

____
From: Todd Maugh
Sent: Tuesday, April 01, 2014 10:58 AM
To: Sumit Bose
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

I am seeing this error in /var/log/secure

[r...@black-64.qa ~]# tail /var/log/secure
Apr 1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr 1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)
Apr 1 17:54:07 black-64 sshd[3649]: Failed password for tmaugh from 10.194.1.250 port 44697 ssh2
Apr 1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr 1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)
Apr 1 17:54:14 black-64 sshd[3649]: Failed password for tmaugh from 10.194.1.250 port 44697 ssh2
Apr 1 17:54:15 black-64 sshd[3650]: Connection closed by 10.194.1.250
Apr 1 17:54:15 black-64 sshd[3649]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr 1 17:56:49 black-64 sshd[3713]: Accepted publickey for root from 10.194.1.250 port 38249 ssh2
Apr 1 17:56:49 black-64 sshd[3713]: pam_unix(sshd:session): session opened for user root by (uid=0)

From: freeipa-users-boun...@redhat.com on behalf of Todd Maugh
Sent: Tuesday, April 01, 2014 7:17 AM
To: Sumit Bose
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

I set my debug level to 5 and these were the messages I got. I checked the sshd_config and it seems to be using GSSAPI. What lines should be uncommented or entered or set to true or yes for PAM? I tried setting the one PAM line I saw to true, but it made no difference.

-----Original Message-----
From: Sumit Bose [mailto:sb...@redhat.com]
Sent: Tuesday, April 01, 2014 12:19 AM
To: Todd Maugh
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

On Mon, Mar 31, 2014 at 11:05:18PM +, Todd Maugh wrote:
>
> [root@black-62 sssd]# tail -f sssd_ops.boingo.com.log
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [be_resolve_server_done] (4): Found address for server idm-master-els.ops.boingo.com: [172.22.170.46] TTL 7200
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boi
Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate
I am seeing this error in /var/log/secure

[r...@black-64.qa ~]# tail /var/log/secure
Apr 1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr 1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)
Apr 1 17:54:07 black-64 sshd[3649]: Failed password for tmaugh from 10.194.1.250 port 44697 ssh2
Apr 1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr 1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)
Apr 1 17:54:14 black-64 sshd[3649]: Failed password for tmaugh from 10.194.1.250 port 44697 ssh2
Apr 1 17:54:15 black-64 sshd[3650]: Connection closed by 10.194.1.250
Apr 1 17:54:15 black-64 sshd[3649]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr 1 17:56:49 black-64 sshd[3713]: Accepted publickey for root from 10.194.1.250 port 38249 ssh2
Apr 1 17:56:49 black-64 sshd[3713]: pam_unix(sshd:session): session opened for user root by (uid=0)

From: freeipa-users-boun...@redhat.com on behalf of Todd Maugh
Sent: Tuesday, April 01, 2014 7:17 AM
To: Sumit Bose
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

I set my debug level to 5 and these were the messages I got. I checked the sshd_config and it seems to be using GSSAPI. What lines should be uncommented or entered or set to true or yes for PAM? I tried setting the one PAM line I saw to true, but it made no difference.

-----Original Message-----
From: Sumit Bose [mailto:sb...@redhat.com]
Sent: Tuesday, April 01, 2014 12:19 AM
To: Todd Maugh
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

On Mon, Mar 31, 2014 at 11:05:18PM +, Todd Maugh wrote:
>
> [root@black-62 sssd]# tail -f sssd_ops.boingo.com.log
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [be_resolve_server_done] (4): Found address for server idm-master-els.ops.boingo.com: [172.22.170.46] TTL 7200
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/black-62.qa.boingo.com
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [child_sig_handler] (4): child [13134] finished successfully.
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [fo_set_port_status] (4): Marking port 0 of server 'idm-master-els.ops.boingo.com' as 'working'
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [set_server_common_status] (4): Marking server 'idm-master-els.ops.boingo.com' as 'working'
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [be_run_online_cb] (3): Going online. Running callbacks.
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [delayed_online_authentication_callback] (5): Backend is online, starting delayed online authentication.
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success

The log does not show any authentication or PAM related activities. Please increase the debug_level and check for PAM related messages like e.g. "[pam_print_data] (0x0100): command: PAM_AUTHENTICATE". If ther
Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate
I set my debug level to 5 and these were the messages I got. I checked the sshd_config and it seems to be using GSSAPI. What lines should be uncommented or entered or set to true or yes for PAM? I tried setting the one PAM line I saw to true, but it made no difference.

-----Original Message-----
From: Sumit Bose [mailto:sb...@redhat.com]
Sent: Tuesday, April 01, 2014 12:19 AM
To: Todd Maugh
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

On Mon, Mar 31, 2014 at 11:05:18PM +, Todd Maugh wrote:
>
> [root@black-62 sssd]# tail -f sssd_ops.boingo.com.log
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [be_resolve_server_done] (4): Found address for server idm-master-els.ops.boingo.com: [172.22.170.46] TTL 7200
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/black-62.qa.boingo.com
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [child_sig_handler] (4): child [13134] finished successfully.
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [fo_set_port_status] (4): Marking port 0 of server 'idm-master-els.ops.boingo.com' as 'working'
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [set_server_common_status] (4): Marking server 'idm-master-els.ops.boingo.com' as 'working'
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [be_run_online_cb] (3): Going online. Running callbacks.
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [delayed_online_authentication_callback] (5): Backend is online, starting delayed online authentication.
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success

The log does not show any authentication or PAM related activities. Please increase the debug_level and check for PAM related messages like e.g. "[pam_print_data] (0x0100): command: PAM_AUTHENTICATE". If there are no such messages, please check your PAM configuration as Dmitri suggested.

HTH

bye,
Sumit

>
> I see this in the sssd logs but still not authenticating.
>
> Will check out AVC and SELinux. Very frustrating.
>
>
> From: Rob Crittenden
> Sent: Monday, March 31, 2014 3:52 PM
> To: Todd Maugh; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate
>
> Todd Maugh wrote:
> > HBAC rules are set to allow_all enabled
>
> Ok. I'd start with increasing the sssd log level and see what it says.
>
> I gather that basic nss works since you can kinit as other users.
>
> You may want to check for SELinux AVCs as well.
>
> rob
>
> >
> > -----Original Message-----
> > From: Rob Crittenden [mailto:rcrit...@redhat.com]
> > Sent: Monday, March 31, 2014 3:44 PM
> > To: Todd Maugh; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate
> >
> > Todd Maugh wrote:
> >> Hi,
> >>
> >> I have a rhel5 client. I had problems with my IPA environment and had to rebuild.
> >>
> >> I'm on the latest version of IPA with a Red Hat 6 server
> >> &g
Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate
[root@black-62 sssd]# tail -f sssd_ops.boingo.com.log
(Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [be_resolve_server_done] (4): Found address for server idm-master-els.ops.boingo.com: [172.22.170.46] TTL 7200
(Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/black-62.qa.boingo.com
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [child_sig_handler] (4): child [13134] finished successfully.
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [fo_set_port_status] (4): Marking port 0 of server 'idm-master-els.ops.boingo.com' as 'working'
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [set_server_common_status] (4): Marking server 'idm-master-els.ops.boingo.com' as 'working'
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [be_run_online_cb] (3): Going online. Running callbacks.
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [delayed_online_authentication_callback] (5): Backend is online, starting delayed online authentication.
(Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
(Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
(Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success

I see this in the sssd logs but still not authenticating.

Will check out AVC and SELinux. Very frustrating.

From: Rob Crittenden
Sent: Monday, March 31, 2014 3:52 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

Todd Maugh wrote:
> HBAC rules are set to allow_all enabled

Ok. I'd start with increasing the sssd log level and see what it says.

I gather that basic nss works since you can kinit as other users.

You may want to check for SELinux AVCs as well.

rob

>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Monday, March 31, 2014 3:44 PM
> To: Todd Maugh; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate
>
> Todd Maugh wrote:
>> Hi,
>>
>> I have a rhel5 client. I had problems with my IPA environment and had to rebuild.
>>
>> I'm on the latest version of IPA with a Red Hat 6 server.
>>
>> I successfully enrolled the client to the new server (same domain, same realm). I had removed all old certs, sysrestores, and ipa/default.conf.
>>
>> I can ssh to the box as root, and then either su or kinit to any IPA user without issue.
>>
>> But when I try to ssh as the IPA user to the box it gives me "permission denied, please try again".
>>
>> I cleared out the sssd cache and restarted sssd.
>>
>> Is there something I'm missing or a log to check?
>>
>> I need to work this out before I move forward enrolling other previously enrolled clients.
>
> Check your HBAC rules.
>
> rob
Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate
HBAC rules are set to allow_all enabled

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, March 31, 2014 3:44 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

Todd Maugh wrote:
> Hi,
>
> I have a rhel5 client. I had problems with my IPA environment and had to rebuild.
>
> I'm on the latest version of IPA with a Red Hat 6 server.
>
> I successfully enrolled the client to the new server (same domain, same realm). I had removed all old certs, sysrestores, and ipa/default.conf.
>
> I can ssh to the box as root, and then either su or kinit to any IPA user without issue.
>
> But when I try to ssh as the IPA user to the box it gives me "permission denied, please try again".
>
> I cleared out the sssd cache and restarted sssd.
>
> Is there something I'm missing or a log to check?
>
> I need to work this out before I move forward enrolling other previously enrolled clients.

Check your HBAC rules.

rob
Re: [Freeipa-users] cant authenticate using freeipa userid on ubuntu12.04
I have found this to be my only way to get Ubuntu to work with IPA as a client.

Add the IDM servers to the hosts file:
echo "{ip address of idmserver} {fqdn of idm server}" >> /etc/hosts

Set the hostname for the box:
echo "ubuntu-idm-02.boingo.com" > /etc/hostname

Add the IPA and SSSD repos to the box:
apt-add-repository http://ppa.launchpad.net/freeipa/ppa/ubuntu
apt-add-repository 'http://ppa.launchpad.net/sssd/updates/ubuntu'
apt-get update

Install the IPA client:
apt-get install -y freeipa-client
Realm: YOUR REALM
Domain: YOUR DOMAIN
Server: FQDN OF YOUR IDMSERVER
User to enroll: admin
Password: YOUR PASSWORD

Make some modifications to Ubuntu:
mkdir -p /etc/pki/nssdb
certutil -N --empty-password -d /etc/pki/nssdb
mkdir -p /var/run/ipa

Clear out the original install:
rm -f /etc/ipa/default.conf

Move aside and re-version the Python version file:
cp /usr/share/pyshared/ipapython/version.py /usr/share/pyshared/ipapython/version.py.bak
sed -i "s/API_VERSION=.*/API_VERSION=u'2.49'/g" /usr/share/pyshared/ipapython/version.py

Install IPA:
ipa-client-install

Restart sssd:
service sssd restart

You should then have a walking, talking Ubuntu client.

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
Sent: Monday, March 31, 2014 1:58 PM
To: Gustavo Berman; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] cant authenticate using freeipa userid on ubuntu12.04

Gustavo Berman wrote:
>
> Sabin Ranjit writes:
>
>> hi,
>> i followed this page for the installation of the freeipa client on the ubuntu 12.04 server: http://www.redhat.com/archives/freeipa-users/2013-June/msg00091.html
>> everything seems to go as mentioned in the page. when i look at the freeipa server with the command ipa host-find i can even see my ubuntu server listed there with "Keytab: True". the problem is that i'm not able to authenticate with the username listed in the freeipa server.
>> if i try to run "su ldapuserid", ubuntu errors "unknown id: ldapuserid".
>> i can't even ssh to the ubuntu server with the ldapuserid.
>> what can be the possible solutions?
>> please help. thanks.
>> regards,
>> sabin
>
> Hi Sabin
> Please try my howto:
> http://askubuntu.com/questions/295075/freeipa-client-on-ubuntu
>
> I assembled it from that same mail and other sources
>
> Tavo.

Sabin, if you can confirm these steps maybe we can add this to the Howto section on freeipa.org. Except for the localhost thing (probably unnecessary) and maybe messing with the version (we might agree to disagree on that) this looks really good.

cheers
rob
[Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate
Hi,

I have a rhel5 client. I had problems with my IPA environment and had to rebuild. I'm on the latest version of IPA with a red hat 6 server.

I successfully enrolled the client to the new server (same domain, same realm). I had removed all old certs, sysrestores, and ipa/default.conf.

I can ssh to the box as root, and then either su or kinit to any IPA user without issue. But when I try to ssh as the ipauser to the box it gives me "permission denied, please try again".

I cleared out the sssd cache and restarted sssd.

Is there something I'm missing or a log to check? I need to work this out before I move forward enrolling other previously enrolled clients.

Thanks

Todd Maugh
Sr System Engineer
Boingo Wireless
tma...@boingo.com
[Freeipa-users] HELP
My Master IPA server has been lost. My replica is still up and functioning. What is the best way to proceed? Do I rebuild my master and add it as a replica? How do I get my master back in line with my IPA env?

The Master needs to be rebuilt from scratch: red hat 6.5, latest version of IPA.
[Freeipa-users] Client enrollment failing
Hello,

So I'm on some red hat clients and I have seen this a few times when attempting to enroll them as clients.

Enrolled in IPA realm OPS.BOINGO.COM
Failed to obtain host TGT.
Installation failed. Rolling back changes.
IPA client is not configured on this system.

Has any one seen this or know how to troubleshoot it?

thanks in advance, you guys are the best!

-Todd
Re: [Freeipa-users] Has one successfully synched the entirety of their AD to IPA (multiple OUs and or Subtrees)
Thanks again Rich, is there some good Documentation on setting up the trust?

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Monday, March 17, 2014 3:03 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Has one successfully synched the entirety of their AD to IPA (multiple OUs and or Subtrees)

On 03/17/2014 03:52 PM, Todd Maugh wrote:
> Thanks Rich, I am able to create a successful winsync agreement from the top level. Unfortunately, when I do this, I do not see any of the accounts from the sub trees populate my ipa server.

Ok, so it doesn't work.

> Is it possible to have all the subtrees (ous) live under cn=users. If I make this change to AD would IPA then sync all the accounts from the subtrees?

Yes.

> I cant believe I am the first person with this issue or need.

You are certainly not - we have a couple of 389 to address this and similar issues with winsync.
https://fedorahosted.org/389/ticket/460
Unfortunately, this fix has been targeted for F20 (389-ds-base-1.3.2), and we don't have plans to backport to EL6.

Note that winsync is always going to be more or less painful - it is not, was never designed to be, and never will be a full blown meta-directory solution. For more information:
https://fedorahosted.org/389/query?component=Sync+Service&status=accepted&status=assigned&status=new&status=reopened&col=id&col=summary&col=status&col=type&col=priority&col=milestone&col=component&order=priority&report=16

That's why we recommend that the best long term solution is cross domain trust - that removes winsync from the picture.

> Thanks again in advance.
>
> From: Rich Megginson [mailto:rmegg...@redhat.com]
> Sent: Monday, March 17, 2014 2:44 PM
> To: Todd Maugh; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Has one successfully synched the entirety of their AD to IPA (multiple OUs and or Subtrees)
>
> On 03/17/2014 03:33 PM, Todd Maugh wrote:
>> I'm trying to sync all of my AD to IPA, I don't need to retain any of the original windows directory structure once in IPA. I cannot find where to set ipaWinSyncUserFlatten to true (so I'm assuming it's on true by default)
>
> Yes, it is true by default.
> dn: cn=ipa-winsync,cn=plugins,cn=config
>
>> I really need to be able to sync more than just the cn=users subtree
>
> There really isn't explicit support for this. If it doesn't work to set your AD subtree to your root suffix (e.g. dc=domain,dc=com), then it's simply not going to work until 389 adds support for that.
>
>> And I can find no documentation or help on line.
>
> Because there probably isn't any.
>
>> Has anyone had any success or practice with this?
>
> See above.
>
>> Thanks
>> -Todd
>>
>> Todd Maugh
>> Sr System Engineer
>> Boingo Wireless
>> tma...@boingo.com
Re: [Freeipa-users] Has one successfully synched the entirety of their AD to IPA (multiple OUs and or Subtrees)
Thanks Rich, I am able to create a successful winsync agreement from the top level. Unfortunately, when I do this, I do not see any of the accounts from the sub trees populate my ipa server.

Is it possible to have all the subtrees (ous) live under cn=users. If I make this change to AD would IPA then sync all the accounts from the subtrees?

I cant believe I am the first person with this issue or need.

Thanks again in advance.

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Monday, March 17, 2014 2:44 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Has one successfully synched the entirety of their AD to IPA (multiple OUs and or Subtrees)

On 03/17/2014 03:33 PM, Todd Maugh wrote:
> I'm trying to sync all of my AD to IPA, I don't need to retain any of the original windows directory structure once in IPA. I cannot find where to set ipaWinSyncUserFlatten to true (so I'm assuming it's on true by default)

Yes, it is true by default.
dn: cn=ipa-winsync,cn=plugins,cn=config

> I really need to be able to sync more than just the cn=users subtree

There really isn't explicit support for this. If it doesn't work to set your AD subtree to your root suffix (e.g. dc=domain,dc=com), then it's simply not going to work until 389 adds support for that.

> And I can find no documentation or help on line.

Because there probably isn't any.

> Has anyone had any success or practice with this?

See above.

> Thanks
> -Todd
>
> Todd Maugh
> Sr System Engineer
> Boingo Wireless
> tma...@boingo.com
[Freeipa-users] Has one successfully synched the entirety of their AD to IPA (multiple OUs and or Subtrees)
I'm trying to sync all of my AD to IPA. I don't need to retain any of the original windows directory structure once in IPA.

I cannot find where to set ipaWinSyncUserFlatten to true (so I'm assuming it's on true by default).

I really need to be able to sync more than just the cn=users subtree, and I can find no documentation or help on line.

Has anyone had any success or practice with this?

Thanks
-Todd

Todd Maugh
Sr System Engineer
Boingo Wireless
tma...@boingo.com
[Freeipa-users] IPA / AD Trust
Does IPA support a trust with AD yet? I've seen that this is coming in a future release but I haven't found something that said it has been released.

-Todd
Re: [Freeipa-users] winsync agreement for multiple subtrees
I actually hadn't tried yet to sync from the top level directory. Would I just leave the CN out to try that?

From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, March 14, 2014 11:12 AM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: winsync agreement for multiple subtrees

On 03/14/2014 12:06 PM, Todd Maugh wrote:
> I did find this similar request that I thought looked to be owned by Rich Megginson
>
> https://fedorahosted.org/389/ticket/460
>
> Rich Can you shed any light on this, or the command I would use to winsync multiple subtrees?

If you can't sync from the top level entry e.g. if you can't sync using dc=bwinc,dc=local as your AD subtree, then you can't do it. It may or may not work for you, I don't know, you'll just have to try it.

> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
> Sent: Friday, March 14, 2014 10:13 AM
> To: freeipa-users@redhat.com
> Subject: [Freeipa-users] winsync agreement for multiple subtrees
>
> good morning, every day it's something new.
>
> so turns out my AD admin has built ad with user accounts spread out over multiple subtrees and I need to handle them all.
>
> is there a way to sync everything under dc=bwinc,dc=local instead of doing cn=users,dc=bwinc,dc=local
>
> does this make sense?
>
> thank you
>
> -Todd Maugh
Re: [Freeipa-users] winsync agreement for multiple subtrees
I did find this similar request that I thought looked to be owned by Rich Megginson

https://fedorahosted.org/389/ticket/460

Rich, can you shed any light on this, or the command I would use to winsync multiple subtrees?

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
Sent: Friday, March 14, 2014 10:13 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] winsync agreement for multiple subtrees

good morning, every day it's something new.

so turns out my AD admin has built ad with user accounts spread out over multiple subtrees and I need to handle them all.

is there a way to sync everything under dc=bwinc,dc=local instead of doing cn=users,dc=bwinc,dc=local

does this make sense?

thank you

-Todd Maugh
[Freeipa-users] winsync agreement for multiple subtrees
good morning, every day it's something new.

so turns out my AD admin has built ad with user accounts spread out over multiple subtrees and I need to handle them all.

is there a way to sync everything under dc=bwinc,dc=local instead of doing cn=users,dc=bwinc,dc=local

does this make sense?

thank you

-Todd Maugh
Re: [Freeipa-users] Password sync woes
Thank you Rich, must have been a typo in my install. I gutted it, restarted it and am all good now. thank you

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Thursday, March 13, 2014 4:24 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Password sync woes

On 03/13/2014 05:18 PM, Todd Maugh wrote:
> Sorry Guys me again. So I have my winsync agreement up and I now have my password sync setup. the cert has been imported, SSL is configured properly, but when I go to change a password in AD I see this error in passsync.log
>
> LDAP error in QueryUsername 32: No such object

It means your suffix/base DN that you used in PassSync setup is incorrect. You can check the access log to see what it is doing - /var/log/dirsrv/slapd-YOUR-DOMAIN/access - look for connections from the IP address of your AD machine.

Note that the suffix/base DN that you used in PassSync setup is the suffix/base DN of your IdM server, which is not necessarily the same as your AD server.

> any thoughts on this?
>
> thanks
>
> -Todd
[Freeipa-users] Password sync woes
Sorry Guys me again. So I have my winsync agreement up and I now have my password sync setup. the cert has been imported, SSL is configured properly, but when I go to change a password in AD I see this error in passsync.log

LDAP error in QueryUsername 32: No such object

any thoughts on this?

thanks

-Todd
Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
I'm curious if the ldap.conf is wrong; here's what it looks like

#File modified by ipa-client-install
URI ldaps://idm-master-els.ops.boingo.com
BASE dc=ops,dc=boingo,dc=com
TLS_CACERT /etc/openldap/cacerts/
TLS_REQCERT allow

From: Todd Maugh
Sent: Thursday, March 13, 2014 1:47 PM
To: Rich Megginson; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] [freeipa] Issues with Winsync agreement

thank you Rich for all your help. as I am inclined to think its a cert issue as well, so I ran the new command, and there are some lines that stick out to me in reference to the cert:

[r...@idm-master-els.ops.boingo.com ~]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -d 1 -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "g0_b0ing0" -s base -b "cn=Users,dc=bwinc,dc=local" "objectclass=*" dn
ldap_create
ldap_url_parse_ext(ldap://adc13-els.bwinc.local)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP adc13-els.bwinc.local:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.22.170.13:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x25c4210 msgid 1
wait4msg ld 0x25c4210 msgid 1 (infinite timeout)
wait4msg continue ld 0x25c4210 msgid 1 all 1
** ld 0x25c4210 Connections:
* host: adc13-els.bwinc.local port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Mar 13 20:44:41 2014
** ld 0x25c4210 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x25c4210 request count 1 (abandoned 0)
** ld 0x25c4210 Response Queue:
Empty
ld 0x25c4210 response count 0
ldap_chkResponseList ld 0x25c4210 msgid 1 all 1
ldap_chkResponseList returns ld 0x25c4210 NULL
ldap_int_select
read1msg: ld 0x25c4210 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x25c4210 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x25c4210 0 new referrals
read1msg: mark request completed, ld 0x25c4210 msgid 1
request done: ld 0x25c4210 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: certdb config: configDir='/etc/dirsrv/slapd-OPS-BOINGO-COM' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/dirsrv/slapd-OPS-BOINGO-COM prefix .
TLS: error: the certificate file /etc/openldap/cacerts/ is not a file.
TLS: /etc/openldap/cacerts/ is not a valid CA certificate file - error -5953:Cannot perform a normal file operation on a directory.
TLS: certificate [CN=ADC13-ELS.BWINC.local] is not valid - error -8179:Peer's Certificate issuer is not recognized..
TLS certificate verification: subject: CN=ADC13-ELS.BWINC.local, issuer: CN=BoingoWirelessCA,DC=BWINC,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 61 bytes to sd 3
ldap_result ld 0x25c4210 msgid 2
wait4msg ld 0x25c4210 msgid 2 (infinite timeout)
wait4msg continue ld 0x25c4210 msgid 2 all 1
** ld 0x25c4210 Connections:
* host: adc13-els.bwinc.local port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Mar 13 20:44:41 2014
** ld 0x25c4210 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x25c4210 request count 1 (abandoned 0)
** ld 0x25c4210 Response Queue:
Empty
ld 0x25c4210 response count 0
ldap_chkResponseList ld 0x25c4210 msgid 2 all 1
ldap_chkResponseList returns ld 0x25c4210 NULL
ldap_int_select
read1msg: ld 0x25c4210 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x25c4210 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x25c4210 0 new referrals
read1msg: mark request completed, ld 0x25c4210 msgid 2
request done: ld 0x25c4210 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "objectclass=*"
put_filter: default
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 69 bytes to sd 3
ldap_result ld 0x25c4210 msgid -1
wait
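The ldap.conf quoted above points TLS_CACERT at a directory, and the -d 1 trace shows the NSS backend rejecting it (error -5953) before it fails to recognise the DC's issuer (-8179); TLS_REQCERT allow then lets the bind and search proceed anyway, which is why ldapsearch "works" while nothing about the DC's certificate is actually verified. The following is an added example, not code from the thread or from FreeIPA/OpenLDAP: a POSIX sh audit of those two settings, run here against two constructed ldap.conf files (the weak one mirrors the thread's; the corrected one assumes a hypothetical AD CA bundle named ad-ca.pem).

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA/OpenLDAP: audit the TLS
# settings in an OpenLDAP ldap.conf. Two checks:
#  1. TLS_CACERT must name a PEM file; a directory belongs in TLS_CACERTDIR
#     (with the NSS backend a directory gives "is not a file", error -5953).
#  2. TLS_REQCERT allow/never makes certificate errors non-fatal, so a bind
#     over TLS can be intercepted; "demand" (the default) is the safe value.
# check_ldap_conf prints one finding per line; no output means no findings.

check_ldap_conf() {
    conf="$1"
    # Last occurrence of a keyword wins, as in ldap.conf itself.
    cacert=$(awk '$1 == "TLS_CACERT" { v = $2 } END { print v }' "$conf")
    cacertdir=$(awk '$1 == "TLS_CACERTDIR" { v = $2 } END { print v }' "$conf")
    reqcert=$(awk '$1 == "TLS_REQCERT" { v = tolower($2) } END { print v }' "$conf")

    if [ -n "$cacert" ]; then
        case "$cacert" in
            */) echo "TLS_CACERT '$cacert' ends in '/': it must name a PEM file (use TLS_CACERTDIR for a directory)" ;;
            *)  if [ -d "$cacert" ]; then
                    echo "TLS_CACERT '$cacert' is a directory, not a PEM file"
                elif [ ! -f "$cacert" ]; then
                    echo "TLS_CACERT '$cacert' does not exist on this host"
                fi ;;
        esac
    fi
    if [ -n "$cacertdir" ] && [ ! -d "$cacertdir" ]; then
        echo "TLS_CACERTDIR '$cacertdir' is not a directory"
    fi
    if [ -z "$cacert" ] && [ -z "$cacertdir" ]; then
        echo "no TLS_CACERT or TLS_CACERTDIR: the server certificate cannot be verified"
    fi
    case "$reqcert" in
        allow|never) echo "TLS_REQCERT $reqcert: certificate errors are ignored; set TLS_REQCERT demand" ;;
    esac
}

# Number of findings for a file, handy for scripting.
count_findings() {
    check_ldap_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample configs. The weak one mirrors the ldap.conf in the thread.
sample_dir=$(mktemp -d)
cat > "$sample_dir/ldap.conf.weak" <<'EOF'
#File modified by ipa-client-install
URI ldaps://idm-master-els.ops.boingo.com
BASE dc=ops,dc=boingo,dc=com
TLS_CACERT /etc/openldap/cacerts/
TLS_REQCERT allow
EOF
# Hypothetical AD CA bundle; an empty placeholder is enough for the file check.
: > "$sample_dir/ad-ca.pem"
cat > "$sample_dir/ldap.conf.fixed" <<EOF
URI ldaps://idm-master-els.ops.boingo.com
BASE dc=ops,dc=boingo,dc=com
TLS_CACERT $sample_dir/ad-ca.pem
TLS_REQCERT demand
EOF

echo "== weak =="
check_ldap_conf "$sample_dir/ldap.conf.weak"
echo "== fixed =="
check_ldap_conf "$sample_dir/ldap.conf.fixed"
```

Against a real client, run check_ldap_conf /etc/openldap/ldap.conf (or the file ipa-client-install wrote on your distribution). Note that fixing ldap.conf only affects the ldapsearch test; the directory server's own winsync bind uses its NSS database under /etc/dirsrv/slapd-INSTANCE, which is why the LDAPTLS_CACERTDIR variable in the thread points there.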
Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
Empty
ld 0x25c4210 response count 0
ldap_chkResponseList ld 0x25c4210 msgid -1 all 0
ldap_chkResponseList returns ld 0x25c4210 NULL
ldap_int_select
read1msg: ld 0x25c4210 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 43 contents:
read1msg: ld 0x25c4210 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: cn=Users,dc=bwinc,dc=local
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x25c4210 msgid -1
wait4msg ld 0x25c4210 msgid -1 (infinite timeout)
wait4msg continue ld 0x25c4210 msgid -1 all 0
** ld 0x25c4210 Connections:
* host: adc13-els.bwinc.local port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Mar 13 20:44:41 2014
** ld 0x25c4210 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x25c4210 request count 1 (abandoned 0)
** ld 0x25c4210 Response Queue:
Empty
ld 0x25c4210 response count 0
ldap_chkResponseList ld 0x25c4210 msgid -1 all 0
ldap_chkResponseList returns ld 0x25c4210 NULL
read1msg: ld 0x25c4210 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x25c4210 msgid 3 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x25c4210 0 new referrals
read1msg: mark request completed, ld 0x25c4210 msgid 3
request done: ld 0x25c4210 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, March 13, 2014 1:29 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/13/2014 01:58 PM, Todd Maugh wrote:
> I believe they are. so here is the output of the log.
>
> it was showing those errors, I deleted the winsync agreement and then restarted ipa and then readded the winsync and the errors returned. could this be a cert issue?
>
> [13/Mar/2014:19:48:20 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:19:48:44 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:19:49:32 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:19:51:08 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
>
> here I removed the winsync agreement: ipa-replica-manage del adc13-els.bwinc.local
> then restarted ipa: ipactl restart
>
> [13/Mar/2014:19:51:50 +] NSMMReplicationPlugin - agmt_delete: begin
> [13/Mar/2014:19:51:59 +] - slapd shutting down - signaling operation threads
> [13/Mar/2014:19:51:59 +] - slapd shutting down - waiting for 29 threads to terminate
> [13/Mar/2014:19:51:59 +] - slapd shutting down - closing down internal subsystems and plugins
> [13/Mar/2014:19:51:59 +] - Waiting for 4 database threads to stop
> [13/Mar/2014:19:51:59 +] - All database threads now stopped
> [13/Mar/2014:19:51:59 +] - slapd stopped.
> [13/Mar/2014:19:52:14 +] - 389-Directory/1.2.11.15 B2013.337.1530 starting up
> [13/Mar/2014:19:52:14 +] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ops,dc=boingo,dc=com
> [13/Mar/2014:19:52:14 +] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=ops,dc=boingo,dc=com
> [13/Mar/2014:19:52:14 +] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=ops,dc=boingo,dc=com
> [13/Mar/2014:19:52:14 +] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
> [13/Mar/2014:19:52:14 +] set_krb5_creds - Could not get initial credentials for principal [ldap/idm-master-els.ops.boingo@ops.boingo.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
> [13/Mar/2014:19:52:14 +] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
> [13/Mar/2014:19:52:14 +] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
> [13/Mar/2014:19:52:14 +] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
> [13/Mar/2014:19:52:14 +] NSMMReplicationPlugin - agmt="cn=meToi
Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[13/Mar/2014:19:53:20 +] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[13/Mar/2014:19:53:20 +] - Listening on All Interfaces port 636 for LDAPS requests
[13/Mar/2014:19:53:20 +] - Listening on /var/run/slapd-OPS-BOINGO-COM.socket for LDAPI requests
[13/Mar/2014:19:53:22 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:22 +] NSMMReplicationPlugin - agmt="cn=meToadc13-els.bwinc.local" (adc13-els:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)
[13/Mar/2014:19:53:22 +] - Entry "cn=meToadc13-els.bwinc.local,cn=replica,cn=dc\3Dops\2Cdc\3Dboingo\2Cdc\3Dcom,cn=mapping tree,cn=config" -- attribute "nsDS5ReplicatedAttributeListTotal" not allowed
[13/Mar/2014:19:53:22 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:22 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:24 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:24 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:25 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)

From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, March 13, 2014 12:05 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/13/2014 12:50 PM, Todd Maugh wrote:
> Ok the error I see repeated in the log is
>
> [13/Mar/2014:18:41:21 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:43:11 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:43:14 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:43:20 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:43:32 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:43:56 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:44:30 +] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
> [13/Mar/2014:18:44:33 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:44:44 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:46:20 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:47:29 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:47:32 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:47:38 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:47:50 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:48:11 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:48:14 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:48:20 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:48:32 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [13/Mar/2014:18:48:56 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
> [r...@idm-master-els.ops.boingo.com cacerts]$

Are all of these associated with the winsync agreement?

> From: Rich Megginson [rmegg...@redhat.com]
> Sent: Thursday, March 13, 2014 11:43 AM
> To: Todd Maugh; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
>
> On 03/13/2014 12
Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
Ok the error I see repeated in the log is

[13/Mar/2014:18:41:21 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:11 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:14 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:20 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:32 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:56 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:44:30 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[13/Mar/2014:18:44:33 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:44:44 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:46:20 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:47:29 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:47:32 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:47:38 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:47:50 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:11 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:14 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:20 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:32 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:56 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[r...@idm-master-els.ops.boingo.com cacerts]$

From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, March 13, 2014 11:43 AM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/13/2014 12:29 PM, Todd Maugh wrote:
ok so I ran that and Get this output

Ok. Next, take a look at /var/log/dirsrv/slapd-OPS-BOINGO-COM/errors

[r...@idm-master-els.ops.boingo.com cacerts]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XX" -s base -b "cn=Users,dc=bwinc,dc=local"
dn: cn=Users,dc=bwinc,dc=local
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=BWINC,DC=local
instanceType: 4
whenCreated: 20060824234034.0Z
whenChanged: 20140306190741.0Z
uSNCreated: 17702
uSNChanged: 17702
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: kCZ7CbnIZk+0GpmCr3PCfw==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=BWINC,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20140306234416.0Z
dSCorePropagationData: 20140306234348.0Z
dSCorePropagationData: 20140306225101.0Z
dSCorePropagationData: 20140306225055.0Z
dSCorePropagationData: 16010101000000.0Z

From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, March 12, 2014 3:47 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 04:39 PM, Todd Maugh wrote:
thanks Rich, when I run that I get the following:

[r...@idm-master-els.ops.boingo.com ipa]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XX" -s base -b "cn=Users,dc=bwinc,dc=local"
ldap_bind: Invalid credentials (49)

Invalid credentials almost always means your password "XX" is not correct for user "cn=idmadmin,cn=Users,dc=bwinc,dc=local"

additional info: 80090308: LdapErr: DSID-0C0903C5, comment:
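The errors log above repeats two distinct OpenLDAP client codes: -11 (Connect error), which the winsync plugin returns when the TCP connection succeeds but the startTLS handshake does not (typically because AD's server cert does not chain to the CA that was loaded into the 389-ds NSS database, or its name does not match the hostname in the agreement), and -1 (Can't contact LDAP server), which is a plain TCP failure. The script below is an added example, not code from the thread or from FreeIPA: it counts those codes in an errors log and then re-tests the AD side in the same order the plugin does. The hostnames and file paths are the thread's placeholders, the sample log lines are constructed from the ones quoted above, and the live checks only run when PROBE=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: triage the repeated
# "slapi_ldap_bind - Error: could not send startTLS request" lines in a
# 389-ds errors log, then re-test the AD side in the order the winsync
# plugin fails: plain TCP/LDAP first (error -1), TLS second (error -11).
# Hostnames and paths are placeholders copied from the thread.

ERRORS_LOG="${ERRORS_LOG:-/var/log/dirsrv/slapd-OPS-BOINGO-COM/errors}"
AD_HOST="${AD_HOST:-adc13-els.bwinc.local}"
AD_CACERT="${AD_CACERT:-/etc/openldap/cacerts/ADC13-ELS.CA.cer}"

# Constructed sample: four of the lines quoted in the thread.
SAMPLE_LOG=$(cat <<'EOF'
[13/Mar/2014:18:41:21 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:11 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:44:30 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
[13/Mar/2014:18:44:33 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
EOF
)

# OpenLDAP client result codes seen in this log, and what each one
# usually means for a winsync agreement against AD.
explain_ldap_code() {
  case "$1" in
    -11) echo "Connect error: TCP reached AD but startTLS failed; AD's cert chain is not trusted by the 389-ds NSS db, or the name does not match" ;;
    -1)  echo "Can't contact LDAP server: TCP connect to AD failed; DNS, firewall, or nothing listening on 389" ;;
    49)  echo "Invalid credentials: AD rejected the bind DN or password" ;;
    *)   echo "unmapped LDAP result code $1" ;;
  esac
}

# Read errors-log lines on stdin; print "<count> <code> <meaning>" per
# distinct slapi_ldap_bind failure code, most frequent first.
summarize_bind_errors() {
  sed -n 's/.*slapi_ldap_bind - Error: .*: error \(-\{0,1\}[0-9][0-9]*\) .*/\1/p' |
    sort | uniq -c | sort -rn |
    while read -r count code; do
      printf '%s %s %s\n' "$count" "$code" "$(explain_ldap_code "$code")"
    done
}

# Live re-test. AD permits an anonymous rootDSE read, so step 1 isolates
# TCP from TLS; step 2 is the same read with startTLS made mandatory;
# step 3 shows which chain AD actually presents on 636.
probe_ad_ldap() {
  echo "== 1. plain LDAP to $AD_HOST:389 (rootDSE)"
  ldapsearch -x -LLL -h "$AD_HOST" -s base -b "" namingContexts || return 1
  echo "== 2. startTLS with $AD_CACERT (-ZZ aborts if verification fails)"
  LDAPTLS_CACERT="$AD_CACERT" ldapsearch -x -LLL -ZZ -h "$AD_HOST" -s base -b "" namingContexts || return 2
  echo "== 3. LDAPS chain; want 'Verify return code: 0 (ok)'"
  openssl s_client -connect "$AD_HOST:636" -CAfile "$AD_CACERT" </dev/null 2>&1 |
    grep -E 'subject=|issuer=|Verify return code'
}

# Offline demo on the constructed sample, then the real log if present.
printf '%s\n' "$SAMPLE_LOG" | summarize_bind_errors
if [ -r "$ERRORS_LOG" ]; then summarize_bind_errors < "$ERRORS_LOG"; fi
# PROBE=1 ./triage.sh runs the live checks against AD.
if [ "${PROBE:-0}" = 1 ]; then probe_ad_ldap; fi
```

If step 1 fails you have the -1 case and the fix is network, not certificates; if step 1 passes and step 2 fails you have the -11 case, and step 3 tells you which issuer AD is presenting so you can compare it with the CA file handed to ipa-replica-manage.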
Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
ok so I ran that and Get this output [r...@idm-master-els.ops.boingo.com cacerts]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XX" -s base -b "cn=Users,dc=bwinc,dc=local" dn: cn=Users,dc=bwinc,dc=local objectClass: top objectClass: container cn: Users description: Default container for upgraded user accounts distinguishedName: CN=Users,DC=BWINC,DC=local instanceType: 4 whenCreated: 20060824234034.0Z whenChanged: 20140306190741.0Z uSNCreated: 17702 uSNChanged: 17702 showInAdvancedViewOnly: FALSE name: Users objectGUID:: kCZ7CbnIZk+0GpmCr3PCfw== systemFlags: -1946157056 objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=BWINC,DC=local isCriticalSystemObject: TRUE dSCorePropagationData: 20140306234416.0Z dSCorePropagationData: 20140306234348.0Z dSCorePropagationData: 20140306225101.0Z dSCorePropagationData: 20140306225055.0Z dSCorePropagationData: 1601010100.0Z From: Rich Megginson [rmegg...@redhat.com] Sent: Wednesday, March 12, 2014 3:47 PM To: Todd Maugh; freeipa-users@redhat.com Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement On 03/12/2014 04:39 PM, Todd Maugh wrote: thanks Rich, when I run that I get the following: [r...@idm-master-els.ops.boingo.com<mailto:r...@idm-master-els.ops.boingo.com> ipa]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XX" s base -b "cn=Users,dc=bwinc,dc=local" ldap_bind: Invalid credentials (49) Invalid credentials almost always means your password "XX" is not correct for user "cn=idmadmin,cn=Users,dc=bwinc,dc=local" additional info: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580 From: Rich Megginson [rmegg...@redhat.com<mailto:rmegg...@redhat.com>] Sent: Wednesday, March 12, 2014 3:30 PM To: Todd Maugh; freeipa-users@redhat.com<mailto:freeipa-users@redhat.com> Subject: Re: 
[Freeipa-users] [freeipa] Issues with Winsync agreement On 03/12/2014 04:18 PM, Todd Maugh wrote: Hello. I'm using latest IPA build on red hat 6.5 I retrieved my CA cert from the AD Domain controller I try to set up my winsyncagreement and I am getting this [r...@idm-master-els.ops.boingo.com<mailto:r...@idm-master-els.ops.boingo.com> ipa]$ ipa-replica-manage connect --winsync --binddn "cn=idmadmin, cn=Users, dc=bwinc, dc=local" --bindpw "XX" --passsync "XX" --cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer adc13-els.bwinc.local Directory Manager password: Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to certificate database for idm-master-els.ops.boingo.com ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'} Failed to setup winsync replication not sure where to look for the logs for this to see what the invalivd credentials are or wether this might still be a cert issue or a log in issue or what not? You can test with ldapsearch like this: $ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XX" -s base -b "cn=Users,dc=bwinc,dc=local" Thanks in advance for the help -Todd ___ Freeipa-users mailing list Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com> https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
Ok I got the credentials error worked out, my ad admin had the IDMadmin account in the wrong OU but now i get this

Added CA certificate ADC13-ELS.CA.cer to certificate database for idm-master-els.ops.boingo.com
ipa: INFO: AD Suffix is: DC=BWINC,DC=local
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ops,dc=boingo,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[idm-master-els.ops.boingo.com] reports: Update failed! Status: [-11 - LDAP error: Connect error]
Failed to start replication

not sure where to look for more errors about this

From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, March 12, 2014 4:23 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 05:07 PM, Todd Maugh wrote:
so to verify this I am able to log in to the AD server as idmadmin with the password I'm using in the winsync agreement.

I guess you mean that login to Windows using the standard Windows login dialog is working correctly? And that this is still not working correctly:

[r...@idm-master-els.ops.boingo.com ipa]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XX" -s base -b "cn=Users,dc=bwinc,dc=local"

Do you have the Windows administrator password? If so, can you try something like this:

[r...@idm-master-els.ops.boingo.com ipa]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=administrator,cn=Users,dc=bwinc,dc=local" -w "XX" -s base -b "cn=Users,dc=bwinc,dc=local"

Is AD configured to allow external LDAP binds?

is there a log I can look at to see what it is getting tripped up on.

I suppose you could try somewhere in the Windows Event Viewer . . .

I double checked all the security groups for the AD user and they all look good

From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, March 12, 2014 3:47 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 04:39 PM, Todd Maugh wrote:
thanks Rich, when I run that I get the following:

[r...@idm-master-els.ops.boingo.com ipa]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XX" -s base -b "cn=Users,dc=bwinc,dc=local"
ldap_bind: Invalid credentials (49)

Invalid credentials almost always means your password "XX" is not correct for user "cn=idmadmin,cn=Users,dc=bwinc,dc=local"

additional info: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580

From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, March 12, 2014 3:30 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 04:18 PM, Todd Maugh wrote:
Hello.

I'm using latest IPA build on red hat 6.5

I retrieved my CA cert from the AD Domain controller

I try to set up my winsync agreement and I am getting this

[r...@idm-master-els.ops.boingo.com ipa]$ ipa-replica-manage connect --winsync --binddn "cn=idmadmin, cn=Users, dc=bwinc, dc=local" --bindpw "XX" --passsync "XX" --cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer adc13-els.bwinc.local
Directory Manager password:
Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to certificate database for idm-master-els.ops.boingo.com
ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local
ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'}
Failed to setup winsync replication

not sure where to look for the logs for this to see what the invalid credentials are or whether this might still be a cert issue or a log in issue or what not?

You can test with ldapsearch like this:

$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D &
Re: [Freeipa-users] quick question
Yes for trusts rhel6.5 with AD 2012 for winsync and password sync

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Thursday, March 13, 2014 10:16 AM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] quick question

On 03/13/2014 11:02 AM, Todd Maugh wrote:
does IDM work with AD 2012 or only 2008

Are you talking about trusts? Not sure.

Winsync? The PassSync password sync agent? I think so, with RHEL 6.5, or perhaps it is RHEL6.6.

-Todd
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] quick question
does IDM work with AD 2012 or only 2008 -Todd ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
so to verify this I am able to log in to the AD server as idmadmin with the password I'm using in the winsync agreement. is there a log I can look at to see what it is getting tripped up on. I double checked all the security groups for the AD user and they all look good From: Rich Megginson [rmegg...@redhat.com] Sent: Wednesday, March 12, 2014 3:47 PM To: Todd Maugh; freeipa-users@redhat.com Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement On 03/12/2014 04:39 PM, Todd Maugh wrote: thanks Rich, when I run that I get the following: [r...@idm-master-els.ops.boingo.com<mailto:r...@idm-master-els.ops.boingo.com> ipa]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XX" s base -b "cn=Users,dc=bwinc,dc=local" ldap_bind: Invalid credentials (49) Invalid credentials almost always means your password "XX" is not correct for user "cn=idmadmin,cn=Users,dc=bwinc,dc=local" additional info: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580 From: Rich Megginson [rmegg...@redhat.com<mailto:rmegg...@redhat.com>] Sent: Wednesday, March 12, 2014 3:30 PM To: Todd Maugh; freeipa-users@redhat.com<mailto:freeipa-users@redhat.com> Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement On 03/12/2014 04:18 PM, Todd Maugh wrote: Hello. 
I'm using latest IPA build on red hat 6.5 I retrieved my CA cert from the AD Domain controller I try to set up my winsyncagreement and I am getting this [r...@idm-master-els.ops.boingo.com<mailto:r...@idm-master-els.ops.boingo.com> ipa]$ ipa-replica-manage connect --winsync --binddn "cn=idmadmin, cn=Users, dc=bwinc, dc=local" --bindpw "XX" --passsync "XX" --cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer adc13-els.bwinc.local Directory Manager password: Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to certificate database for idm-master-els.ops.boingo.com ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'} Failed to setup winsync replication not sure where to look for the logs for this to see what the invalivd credentials are or wether this might still be a cert issue or a log in issue or what not? You can test with ldapsearch like this: $ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XX" -s base -b "cn=Users,dc=bwinc,dc=local" Thanks in advance for the help -Todd ___ Freeipa-users mailing list Freeipa-users@redhat.com<mailto:Freeipa-users@redhat.com> https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] [freeipa] Issues with Winsync agreement
thanks Rich, when I run that I get the following:

[r...@idm-master-els.ops.boingo.com ipa]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XX" -s base -b "cn=Users,dc=bwinc,dc=local"
ldap_bind: Invalid credentials (49)
	additional info: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580

From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, March 12, 2014 3:30 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 04:18 PM, Todd Maugh wrote:
Hello.

I'm using latest IPA build on red hat 6.5

I retrieved my CA cert from the AD Domain controller

I try to set up my winsync agreement and I am getting this

[r...@idm-master-els.ops.boingo.com ipa]$ ipa-replica-manage connect --winsync --binddn "cn=idmadmin, cn=Users, dc=bwinc, dc=local" --bindpw "XX" --passsync "XX" --cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer adc13-els.bwinc.local
Directory Manager password:
Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to certificate database for idm-master-els.ops.boingo.com
ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local
ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'}
Failed to setup winsync replication

not sure where to look for the logs for this to see what the invalid credentials are or whether this might still be a cert issue or a log in issue or what not?

You can test with ldapsearch like this:

$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XX" -s base -b "cn=Users,dc=bwinc,dc=local"

Thanks in advance for the help

-Todd
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
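The ldapsearch test above only says "Invalid credentials (49)"; the AD-specific reason is the hex hint after "AcceptSecurityContext error, data" in the additional info, and 52e is the one AD returns both for a wrong password and, commonly, for a bind DN that does not resolve (which is what the wrong OU in this thread produced). The script below is an added example, not code from the thread or from FreeIPA: it decodes that hint and wraps the same bind test so the decoded reason is printed when the bind fails. The host, bind DN and base DN are the thread's placeholders, the password-file path is hypothetical, and the sample stderr is constructed from the lines Todd posted.

```shell
#!/bin/sh
# Added example, not from the thread: decode the AD sub-error carried in
# "AcceptSecurityContext error, data NNN" after "Invalid credentials (49)",
# and wrap the ldapsearch bind test from the thread so the decoded reason
# is printed on failure. Host, bind DN and base DN are the thread's
# placeholders; the password is read from a file, not the command line,
# so it does not show up in ps output or shell history.

# Microsoft's documented hint codes for a failed simple bind.
ad_data_code_reason() {
  case "$1" in
    525) echo "user not found" ;;
    52e) echo "invalid credentials (bad password; AD commonly returns this for a nonexistent bind DN too)" ;;
    530) echo "logon not permitted at this time" ;;
    531) echo "logon not permitted from this workstation" ;;
    532) echo "password expired" ;;
    533) echo "account disabled" ;;
    701) echo "account expired" ;;
    773) echo "user must reset password" ;;
    775) echo "account locked out" ;;
    *)   echo "unknown data code $1" ;;
  esac
}

# Extract the hex data code from ldapsearch stderr on stdin.
extract_ad_data_code() {
  sed -n 's/.*AcceptSecurityContext error, data \([0-9a-fA-F][0-9a-fA-F]*\),.*/\1/p' | head -n 1
}

# Turn ldapsearch stderr (stdin) into a one-line verdict.
explain_bind_failure() {
  code=$(extract_ad_data_code)
  if [ -n "$code" ]; then
    echo "AD bind failed: data $code = $(ad_data_code_reason "$code")"
  else
    echo "no AcceptSecurityContext diagnostic found (not an AD credential rejection)"
  fi
}

# Same test Rich suggested, with -y <file> (password file, no trailing
# newline) instead of -w <password>. Hypothetical usage:
#   test_ad_bind adc13-els.bwinc.local "cn=idmadmin,cn=Users,dc=bwinc,dc=local" \
#                "cn=Users,dc=bwinc,dc=local" /root/idmadmin.pw
test_ad_bind() {
  host=$1; binddn=$2; base=$3; passfile=$4
  if err=$(LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM \
             ldapsearch -xLLLZZ -h "$host" -D "$binddn" -y "$passfile" \
                        -s base -b "$base" dn 2>&1 >/dev/null); then
    echo "bind OK as $binddn"
  else
    printf '%s\n' "$err" | explain_bind_failure
    return 1
  fi
}

# Constructed sample: the stderr Todd posted.
SAMPLE_STDERR='ldap_bind: Invalid credentials (49)
	additional info: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580'
printf '%s\n' "$SAMPLE_STDERR" | explain_bind_failure
```

Run test_ad_bind once with the idmadmin DN and once with the cn=administrator DN Rich proposed: a 52e on the first and success on the second points at the DN or password of the sync account rather than at the AD side refusing LDAP binds.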
[Freeipa-users] [freeipa] Issues with Winsync agreement
Hello. I'm using latest IPA build on red hat 6.5 I retrieved my CA cert from the AD Domain controller I try to set up my winsyncagreement and I am getting this [r...@idm-master-els.ops.boingo.com ipa]$ ipa-replica-manage connect --winsync --binddn "cn=idmadmin, cn=Users, dc=bwinc, dc=local" --bindpw "XX" --passsync "XX" --cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer adc13-els.bwinc.local Directory Manager password: Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to certificate database for idm-master-els.ops.boingo.com ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'} Failed to setup winsync replication not sure where to look for the logs for this to see what the invalivd credentials are or wether this might still be a cert issue or a log in issue or what not? Thanks in advance for the help -Todd ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] How to remove the CA cert from an IDM replica
skipping the con check due to a clock skew error From: Rob Crittenden [rcrit...@redhat.com] Sent: Wednesday, March 12, 2014 2:39 PM To: Todd Maugh; Simo Sorce; freeipa-users@redhat.com Subject: Re: [Freeipa-users] How to remove the CA cert from an IDM replica Todd Maugh wrote: > Im seeing this error: > > where is the install log located > > [root@idm-rep02-w1c-aws ipa]# ipa-replica-install --setup-ca > /var/lib/ipa/replica-info-idm-rep02-w1c-aws.ops.boingo.com.gpg > --skip-conncheck > Directory Manager (existing master) password: > > Configuring NTP daemon (ntpd) >[1/4]: stopping ntpd >[2/4]: writing configuration >[3/4]: configuring ntpd to start on boot >[4/4]: starting ntpd > Done configuring NTP daemon (ntpd). > A CA is already configured on this system. # /usr/bin/pkiremove -pki_instance_root=/var/lib -pki_instance_name=pki-ca --force > [root@idm-rep02-w1c-aws ipa]# ipa-replica-install > /var/lib/ipa/replica-info-idm-rep02-w1c-aws.ops.boingo.com.gpg > --skip-conncheck > Directory Manager (existing master) password: > > Configuring NTP daemon (ntpd) >[1/4]: stopping ntpd >[2/4]: writing configuration >[3/4]: configuring ntpd to start on boot >[4/4]: starting ntpd > Done configuring NTP daemon (ntpd). 
> Configuring directory server (dirsrv): Estimated time 1 minute >[1/31]: creating directory server user >[2/31]: creating directory server instance >[3/31]: adding default schema >[4/31]: enabling memberof plugin >[5/31]: enabling winsync plugin >[6/31]: configuring replication version plugin >[7/31]: enabling IPA enrollment plugin >[8/31]: enabling ldapi >[9/31]: disabling betxn plugins >[10/31]: configuring uniqueness plugin >[11/31]: configuring uuid plugin >[12/31]: configuring modrdn plugin >[13/31]: enabling entryUSN plugin >[14/31]: configuring lockout plugin >[15/31]: creating indices >[16/31]: enabling referential integrity plugin >[17/31]: configuring ssl for ds instance >[18/31]: configuring certmap.conf >[19/31]: configure autobind for root >[20/31]: configure new location for managed entries >[21/31]: restarting directory server >[22/31]: setting up initial replication > Starting replication, please wait until this has completed. > [idm-master-els.ops.boingo.com] reports: Update failed! Status: [-1 - LDAP > error: Can't contact LDAP server] Why are you skipping the conncheck? It looks like there is a firewall issue. rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] How to remove the CA cert from an IDM replica
but don't I have to remove it from the cert DB?

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Simo Sorce [s...@redhat.com]
Sent: Wednesday, March 12, 2014 2:23 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How to remove the CA cert from an IDM replica

On Wed, 2014-03-12 at 21:10 +0000, Todd Maugh wrote:
> I need to remove the CA certs on a box from a previous IDM install
>
> what is the command to do this
>
> error im getting is
>
> A CA is already configured on this system.

rm /etc/ipa/ca.crt

Simo.

--
Simo Sorce * Red Hat, Inc * New York
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] How to remove the CA cert from an IDM replica
I'm seeing this error: where is the install log located

[root@idm-rep02-w1c-aws ipa]# ipa-replica-install --setup-ca /var/lib/ipa/replica-info-idm-rep02-w1c-aws.ops.boingo.com.gpg --skip-conncheck
Directory Manager (existing master) password:

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
A CA is already configured on this system.

[root@idm-rep02-w1c-aws ipa]# ipa-replica-install /var/lib/ipa/replica-info-idm-rep02-w1c-aws.ops.boingo.com.gpg --skip-conncheck
Directory Manager (existing master) password:

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/31]: creating directory server user
  [2/31]: creating directory server instance
  [3/31]: adding default schema
  [4/31]: enabling memberof plugin
  [5/31]: enabling winsync plugin
  [6/31]: configuring replication version plugin
  [7/31]: enabling IPA enrollment plugin
  [8/31]: enabling ldapi
  [9/31]: disabling betxn plugins
  [10/31]: configuring uniqueness plugin
  [11/31]: configuring uuid plugin
  [12/31]: configuring modrdn plugin
  [13/31]: enabling entryUSN plugin
  [14/31]: configuring lockout plugin
  [15/31]: creating indices
  [16/31]: enabling referential integrity plugin
  [17/31]: configuring ssl for ds instance
  [18/31]: configuring certmap.conf
  [19/31]: configure autobind for root
  [20/31]: configure new location for managed entries
  [21/31]: restarting directory server
  [22/31]: setting up initial replication
Starting replication, please wait until this has completed.
[idm-master-els.ops.boingo.com] reports: Update failed! Status: [-1 - LDAP error: Can't contact LDAP server]

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Simo Sorce [s...@redhat.com]
Sent: Wednesday, March 12, 2014 2:23 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How to remove the CA cert from an IDM replica

On Wed, 2014-03-12 at 21:10 +0000, Todd Maugh wrote:
> I need to remove the CA certs on a box from a previous IDM install
>
> what is the command to do this
>
> error im getting is
>
> A CA is already configured on this system.

rm /etc/ipa/ca.crt

Simo.

--
Simo Sorce * Red Hat, Inc * New York
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] How to remove the CA cert from an IDM replica
Red Hat 6.5 latest Ipa from yum

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, March 12, 2014 2:16 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How to remove the CA cert from an IDM replica

On 03/12/2014 05:10 PM, Todd Maugh wrote:
I need to remove the CA certs on a box from a previous IDM install

what is the command to do this

error im getting is

A CA is already configured on this system.

Which OS and which version?

Thanks

-Todd

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] How to remove the CA cert from an IDM replica
I need to remove the CA certs on a box from a previous IDM install what is the command to do this error im getting is A CA is already configured on this system. Thanks -Todd ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Ubuntu Client HELL
thanks Rob!

the main issue I am having is that the install is not completing and setting this ubuntu host up as a client. I cleared out the old cert as you suggested, the ssh keys were copied over from a previous attempt. I'm not using IPA as DNS and I understand the ntp part.

so now my install finishes up like this:

Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
NSSConnection init se-idm-01.boingo.com
Connecting: 66.103.90.130:0
handshake complete, peer = 66.103.90.130:443
received Set-Cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; Secure; HttpOnly'
storing cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; Secure; HttpOnly' for principal host/se-idm-ubuntu-client-01.boingo@boingo.com
Starting external process
args=keyctl search @s user ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com
Process finished, return code=1
stdout=
stderr=keyctl_search: Required key not available
Starting external process
args=keyctl search @s user ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com
Process finished, return code=1
stdout=
stderr=keyctl_search: Required key not available
Starting external process
args=keyctl padd user ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com @s
Process finished, return code=0
stdout=700576616
stderr=
Caught fault 4202 from server https://se-idm-01.boingo.com/ipa/xml: no modifications to be performed
Writing nsupdate commands to /etc/ipa/.dns_update.txt:
zone boingo.com.
update delete se-idm-ubuntu-client-01.boingo.com. IN SSHFP
send
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 1 AD5C9E4F7AEA55418455D54D84862A2B6EC16AB4
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 2 B1BE4E3E3B4A79CFFCE5B3BBCC31DFB9979F6A1D97EF4E3EF8F8295C2595033A
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 1 D456E5C237736406CB5F4B4C24C836217B6D977E
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 2 8125272934E18BFDDA77D5B03BBBF600A0833C37669C568A3476D623A191C457
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 1 270551D349212B7112D4A9079FF490C8D6733041
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 2 0BC5F5FA7155A03BD9B05DDD5882FD907A0FC8C6D6F6F3341521D4F7B57D3662
send

Starting external process
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
Process finished, return code=1
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server DNS/ns-1454.awsdns-53@boingo.com not found in Kerberos database.
nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' returned non-zero exit status 1
Could not update DNS SSHFP records.
Starting external process
args=/usr/sbin/service nscd status
Process finished, return code=1
stdout=
stderr=nscd: unrecognized service
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'

thanks in advance for any help

-Todd

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, February 21, 2014 11:57 AM
To: freeipa-users
Subject: Re: [Freeipa-users] Ubuntu Client HELL

Todd Maugh wrote:
> IM in limbo here trying to solve this issue

It would help if you said what issue you were having... And what version of the client you are running.

Trolling through the log I see a couple of things:

ntpdate failed, but that can happen if you already have ntpd configured on your client. We have a ticket open on that.

The DNS update failed, presumably because you aren't using IPA for DNS. Not a big deal.

The certmonger failure is due to a bad uninstall in the past. It is still tracking an old cert. You can clear it with:

# ipa-getcert list
# ipa-getcert stop-tracking -i

The SSH keys are failing to load because they already exist in the host entry. I guess it was pre-created, or left over from a previous attempt? It doesn't appear to be a fatal error.

rob

>
> here is my out put with the debug
>
> root@se-idm-ubuntu-client-01:/var/lib/ipa-client/sysrestore#
> ipa-client-install -d --no-dns-sshfp
> --hostname=se-idm-ubuntu-client-01.boingo.com --force-join
> --domain=boingo.com --server=se-idm-01.boingo.com
> /usr/sbin/ipa-client-install was invoked with options: {'domain':
> 'boingo.com', 'force': False, 'krb5_offline_passwords': True, 'primary':
> False, 'realm_name': None, 'force_ntpd': False, '
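Rob's two commands above leave the request ID to the reader: ipa-getcert list (the IPA wrapper around certmonger's getcert) prints one "Request ID '...'" block per tracked certificate, and the leftover from a bad uninstall is the block that is stuck or no longer MONITORING. The script below is an added example, not code from the thread or from FreeIPA: it parses that listing, picks out the unhealthy requests and prints the exact stop-tracking commands, only executing them when DO_IT=1 is set. The sample listing is constructed in the shape getcert list prints (real output has more fields, which the parser ignores), and the request IDs in it are made up.

```shell
#!/bin/sh
# Added example, not from the thread: list what certmonger is tracking,
# pick out requests that are stuck or otherwise not healthy (the old
# tracking entry a bad uninstall leaves behind), and print the
# "ipa-getcert stop-tracking -i <id>" commands for them. The sample
# output is constructed in the shape getcert list prints; real output
# has more fields, which the parser ignores.

SAMPLE_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20140210181522':
	status: CA_UNREACHABLE
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - se-idm-ubuntu-client-01.boingo.com',token='NSS Certificate DB'
	CA: IPA
Request ID '20140221192711':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - se-idm-ubuntu-client-01.boingo.com',token='NSS Certificate DB'
	CA: IPA
EOF
)

# Read "getcert list" output on stdin; print "<id> <status> <stuck>".
# Splitting on the single quote makes the ID field $2 of the header line.
tracked_requests() {
  awk -F"'" '
    function flush() { if (id != "") print id, status, stuck }
    /^Request ID /    { flush(); id = $2; status = "?"; stuck = "?" }
    /^[ \t]*status: / { status = $0; sub(/^[ \t]*status: /, "", status) }
    /^[ \t]*stuck: /  { stuck = $0;  sub(/^[ \t]*stuck: /,  "", stuck) }
    END               { flush() }
  '
}

# A healthy enrolled host has one request, MONITORING and not stuck;
# anything else is a candidate leftover to review and remove.
stale_request_ids() {
  tracked_requests | awk '$3 == "yes" || $2 != "MONITORING" { print $1 }'
}

# Print the cleanup commands; DO_IT=1 executes them instead.
stop_tracking_stale() {
  stale_request_ids | while read -r id; do
    if [ "${DO_IT:-0}" = 1 ]; then
      ipa-getcert stop-tracking -i "$id"
    else
      echo "ipa-getcert stop-tracking -i $id"
    fi
  done
}

# Dry run on the sample; on a real host: ipa-getcert list | stop_tracking_stale
printf '%s\n' "$SAMPLE_LIST" | stop_tracking_stale
```

Review the dry-run output before setting DO_IT=1: stop-tracking only removes certmonger's tracking entry, it does not delete the certificate or key from the NSS database, so a wrong ID costs a re-track rather than a key.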
Re: [Freeipa-users] adding ubuntu client to red hat server
OK I got it to go through with this but i don't understand the errors cause it didn't seem to work. Domain boingo.com is already configured in existing SSSD config, creating a new one. The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall. Configured /etc/sssd/sssd.conf Configured /etc/krb5.conf for IPA realm BOINGO.COM trying https://se-idm-01.boingo.com/ipa/xml Forwarding 'env' to server u'https://se-idm-01.boingo.com/ipa/xml' Hostname (se-idm-ubuntu-client-01.boingo.com) not found in DNS Failed to update DNS records. certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list' Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml' Could not update DNS SSHFP records. From: Will Sheldon [m...@willsheldon.com] Sent: Friday, February 21, 2014 9:46 AM To: Todd Maugh Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] adding ubuntu client to red hat server I also ran into this problem. I ended up using vm’s to test and just reverting to snapshots. I believe that the install script checks for presence a couple of files that you can delete to be able retry though, have a look in the install script. (Also, did you try with ‘—force'?) 
Kind regards,
Will Sheldon
+1.778-689-1244

On Friday, February 21, 2014 at 9:42 AM, Todd Maugh wrote:
> [...]
Re: [Freeipa-users] adding ubuntu client to red hat server
Thanks. I'm trying that, but running into an issue where it says I'm still installed. I run the uninstall command and I get this:

root@se-idm-ubuntu-client-01:~# ipa-client-install --uninstall
Unconfigured automount client failed: [Errno 2] No such file or directory
certmonger failed to start: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
certmonger failed to stop: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration:

Isn't there a conf file I can remove, or a way to force the uninstall?

From: Will Sheldon [m...@willsheldon.com]
Sent: Friday, February 21, 2014 9:32 AM
To: Todd Maugh
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] adding ubuntu client to red hat server

I ran into this; there was a post about it a little while back. It seems that you can modify ipapython/version.py to revert the version number for enrolment, then revert it, with no ill effects. My script looks like:

# revert reported version of ipapython so keys will upload properly (backup first tho)
cp /usr/share/pyshared/ipapython/version.py /usr/share/pyshared/ipapython/version.py.bak
sed -i "s/API_VERSION=.*/API_VERSION=u'2.49'/g" /usr/share/pyshared/ipapython/version.py
# install!
ipa-client-install -d -U --enable-dns-updates --hostname=$FQDN --mkhomedir --password=$PASS
# revert change to the ipapython version back again
#rm -f /usr/share/pyshared/ipapython/version.py && mv /usr/share/pyshared/ipapython/version.py.bak /usr/share/pyshared/ipapython/version.py

Kind regards,
Will Sheldon
+1.778-689-1244

On Friday, February 21, 2014 at 9:20 AM, Todd Maugh wrote:
> [...]
[Freeipa-users] adding ubuntu client to red hat server
Hello,

Another day, another issue it seems :) So I'm trying to set up an Ubuntu client. I get almost all the way through the install and it fails with a version error. I've heard this is a known bug and there is a fix out there, although I'm not sure how to apply the fix or get the older client install.

My error is as follows:

Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
host_mod: 2.58 client incompatible with 2.49 server at u'https://se-idm-01.boingo.com/ipa/xml'
Failed to upload host SSH public keys.

Please help.

Thanks
-Todd
tma...@boingo.com
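The "2.58 client incompatible with 2.49 server" error comes from the server's API version check: the call is refused when the client's major version differs from the server's, or when the client's minor version is newer than the server's. Will's sed in this thread works because it only changes the version string the client reports, not the code the client runs, so commands the older server does not know will still fail, and with the revert line left commented out every later "ipa" call from that host keeps claiming 2.49. The script below is an added example (not the thread's script and not FreeIPA code) that does the same pin but verifies the substitution, keeps a backup, and restores version.py on exit whether or not enrolment succeeded. The path is the Ubuntu 12.04 one from the thread; 2.49 is the server version from the error message.

```shell
#!/bin/sh
# Added example, not the thread's own script: pin the API_VERSION that
# ipapython reports the way Will's sed does, but check that the rewrite
# took, keep a backup, and restore the file when the script exits whether
# or not enrolment succeeded. The path is the Ubuntu 12.04 one from the
# thread; 2.49 is the server version in the error message above.
set -eu

VERSION_PY="${VERSION_PY:-/usr/share/pyshared/ipapython/version.py}"

# Print the API_VERSION value in a version.py file (empty if absent).
api_version_in() {
    sed -n "s/^API_VERSION=u'\([0-9.]*\)'.*/\1/p" "$1"
}

# Rewrite API_VERSION in $1 to $2, keeping $1.bak. Fails if the file has
# no API_VERSION line or the result is not the requested value.
pin_api_version() {
    file=$1; want=$2
    [ -n "$(api_version_in "$file")" ] || { echo "no API_VERSION in $file" >&2; return 1; }
    cp -p "$file" "$file.bak"
    sed -i "s/^API_VERSION=.*/API_VERSION=u'$want'/" "$file"
    [ "$(api_version_in "$file")" = "$want" ]
}

# Put the original version.py back (the thread's script leaves this step
# commented out, so the host keeps claiming the older version).
restore_api_version() {
    file=$1
    [ -f "$file.bak" ] && mv -f "$file.bak" "$file"
}

# The server-side rule behind "2.58 client incompatible with 2.49 server":
# the call is refused when the major versions differ or the client's minor
# version is newer than the server's.
api_compatible() {
    cmaj=${1%%.*}; cmin=${1#*.}
    smaj=${2%%.*}; smin=${2#*.}
    [ "$cmaj" = "$smaj" ] && [ "$cmin" -le "$smin" ]
}

# usage: enroll_with_pinned_version 2.49 --hostname=... --domain=... --server=...
enroll_with_pinned_version() {
    want=$1; shift
    pin_api_version "$VERSION_PY" "$want"
    trap 'restore_api_version "$VERSION_PY"' EXIT
    ipa-client-install -d -U --mkhomedir "$@"
}
```

The EXIT trap is the point: if ipa-client-install aborts halfway (as it does several times in this thread), version.py is still put back, so a later retry or uninstall runs with the client's real version.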
Re: [Freeipa-users] Setting up sudo
And if I am configuring sudo-ldap.conf, what should it look like? Does anyone have an example?

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
Sent: Thursday, February 13, 2014 3:17 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Setting up sudo

[...]
[Freeipa-users] Setting up sudo
The documentation is kind of vague on some parts. From the documentation:

    Because the sudo information is not available anonymously over LDAP by default, Identity Management defines a default sudo user, uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo configuration file, /etc/sudo-ldap.conf.

So is this user supposed to already be predefined, or do I need to create the user and then modify them?

Thanks
-Todd
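Nobody on the list answers the two questions above, so here is an added example (not from the thread) following the Red Hat IdM "configuring sudo" steps for RHEL 6: the uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX account already exists in IdM but has no password, so you set one with ldappasswd as Directory Manager, write /etc/sudo-ldap.conf to bind as that account over StartTLS with the server certificate checked against /etc/ipa/ca.crt, and add "sudoers: files ldap" to /etc/nsswitch.conf. The server name, suffix, password and the ou=SUDOers container are placeholders. Because sudo-ldap.conf carries the bind password in clear text, the script writes it root-only.

```shell
#!/bin/sh
# Added example, not from the thread: give IdM's pre-defined sudo system
# account a bind password and write /etc/sudo-ldap.conf for sudo's LDAP
# backend, following the Red Hat IdM "configuring sudo" steps for RHEL 6.
# Server name, suffix, password and the SUDOers container are placeholders.
set -eu

# Print a sudo-ldap.conf that binds as uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX
# over StartTLS and checks the server certificate against the IPA CA.
render_sudo_ldap_conf() {
    server=$1; suffix=$2; bindpw=$3
    cat <<EOF
binddn uid=sudo,cn=sysaccounts,cn=etc,$suffix
bindpw $bindpw
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
uri ldap://$server
sudoers_base ou=SUDOers,$suffix
EOF
}

# The sudo account exists in IdM already but has no password; set one as
# Directory Manager (prompts for the DM password and the new one).
set_sudo_bind_password() {
    server=$1; suffix=$2
    ldappasswd -x -S -W -h "$server" -ZZ -D "cn=Directory Manager" \
        "uid=sudo,cn=sysaccounts,cn=etc,$suffix"
}

# Write the file readable by root only: it holds the bind password in clear.
install_sudo_ldap_conf() {
    server=$1; suffix=$2; bindpw=$3; out=${4:-/etc/sudo-ldap.conf}
    umask 077
    render_sudo_ldap_conf "$server" "$suffix" "$bindpw" > "$out"
    chmod 0600 "$out"
}

# Make NSS consult LDAP for sudoers ("sudoers: files ldap"), idempotently.
enable_sudoers_ldap_nss() {
    nss=${1:-/etc/nsswitch.conf}
    if grep -q '^sudoers:' "$nss"; then
        sed -i 's/^sudoers:.*/sudoers: files ldap/' "$nss"
    else
        echo 'sudoers: files ldap' >> "$nss"
    fi
}
```

Run set_sudo_bind_password once against the IdM server, then install_sudo_ldap_conf and enable_sudoers_ldap_nss on each client. tls_checkpeer yes is what makes the bind password safe to send: without it the client would start TLS to any host answering on the server name.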
Re: [Freeipa-users] trouble creating a replica in the cloud
Thanks guys. Turns out this was a Red Hat bug in the 6.4 image of the AWS instance, so I built in 6.5 and was able to get past it, but now I'm failing with this:

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Unexpected error - see /var/log/ipareplica-install.log for details:
ObjectclassViolation: missing attribute "idnsSOAserial" required by object class "idnsZone"

I tried attaching the log file, but unfortunately it's 30 MB. Trying to compress.

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, February 12, 2014 10:36 AM
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trouble creating a replica in the cloud

Dmitri Pal wrote:
> On 02/11/2014 05:02 PM, Todd Maugh wrote:
>> [...]
[Freeipa-users] trouble creating a replica in the cloud
Hey guys,

So I have my master and replica up in my datacenter. I have a client, I have a winsync agreement, I have a password sync. It's working lovely.

So now I have spun up an AWS instance of Red Hat 6.5 (same as my master and first replica). I run the ipa replica and it fails:

ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-se-idm-03.boingo.com.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'se-idm-01.boingo.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@boingo.com password:

Execute check on remote master
Check connection from master to remote replica 'se-idm-03.boingo.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
ipa : CRITICAL failed to create ds instance Command '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3' returned non-zero exit status 1
  [3/3]: restarting directory server
ipa : CRITICAL Failed to restart the directory server. See the installation log for details.
Done configuring directory server for the CA (pkids).

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Can't contact LDAP server

I check the log file and this is what I get:

2014-02-11T19:55:48Z DEBUG calling setup-ds.pl
2014-02-11T19:57:53Z DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3
2014-02-11T19:57:53Z DEBUG stdout=[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.)
[14/02/11:14:57:53] - [Setup] Info Could not start the directory server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'. The last line from the error log was '[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.) '. Error: Unknown error 256
Could not start the directory server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'. The last line from the error log was '[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access Denied.) '. Error: Unknown error 256
[14/02/11:14:57:53] - [Setup] Fatal Error: Could not create directory server instance 'PKI-IPA'.
Error: Could not create directory server instance 'PKI-IPA'.
[14/02/11:14:57:53] - [Setup] Fatal Exiting . . .
Log file is '-'
Exiting . . .
Log file is '-'

Please help
Re: [Freeipa-users] Creating password sync
I would be so grateful for your notes, as it looks like I'm most likely having a cert issue as well. I'm so damn close to having this thing working (doesn't help to have your boss come by every 10 minutes). I understand the changes concept now, if I can just get it to work.

From: Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, February 04, 2014 2:11 PM
To: Todd Maugh; Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: RE: Creating password sync

I am just doing this now and it works fine for me. The password has to be changed, as there is no way to decrypt the password in AD and send that. So the .msi you install on each AD server intercepts the password change while it's in "plain text" and sends it over to IPA, hence only changes.

I did have issues with certs; they were a pain in the ass to get right/trusted. Looks like you might have a similar issue. I had to work through Red Hat support to get it right.

On a brighter note, I did it on RHEL 6.4 and upgraded the IPA servers to RHEL 6.5, and winsync and passsync still work fine. I'll send you my notes.

You could use trusts, but frankly trusting AD with all its Swiss cheese security seems a bit too risky.

regards
Steven

From: freeipa-users-boun...@redhat.com on behalf of Todd Maugh
Sent: Wednesday, 5 February 2014 9:57 a.m.
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating password sync

[...]
Re: [Freeipa-users] Creating password sync
/Sb
nZbit2qjoLUmnTSXAxE9A39qiX5f/cKUFnFB/kuiYKUoUFaWkLxmXd9zarIhkpA6
1adEmspCvWswrfVKhgrR1ELf4qNo1nEKOsi9
-----END CERTIFICATE-----
subject=
issuer=/DC=local/DC=boingoqa/CN=SKYWARPCA
---
Acceptable client certificate CA names
/DC=local/DC=boingoqa/CN=SKYWARPCA
/CN=QATESTDC2.boingoqa.local
/DC=local/DC=boingoqa/CN=boingoqaca
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/O=BOINGO.COM/CN=Certificate Authority
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/CN=NT AUTHORITY
---
SSL handshake has read 3480 bytes and written 601 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 333C854E673466C6993943C1FBC7E65382AB7C486AFA750CB5F76D45302A
    Session-ID-ctx:
    Master-Key: 63BF2A0621C3438C7CD8A0037B3769FC9182FF517B7D07265B8EE5F74FD90BBA0B8E56B9F466F3502F32C816076DAA47
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1391547347
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 12:53 PM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating password sync

I tried changing the password for a user in AD. This is what the passsync log shows:

02/04/14 12:29:14: Ldap bind error in Connect 81: Can't contact LDAP server
02/04/14 12:49:34: Ldap bind error in Connect 81: Can't contact LDAP server
02/04/14 12:49:34: Ldap error in QueryUsername 81: Can't contact LDAP server
02/04/14 12:49:36: Ldap bind error in Connect 81: Can't contact LDAP server
02/04/14 12:49:36: Ldap error in QueryUsername 81: Can't contact LDAP server

And you say this is one of many issues with passsync. Do you recommend another option?

From: Todd Maugh
Sent: Tuesday, February 04, 2014 12:48 PM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: RE: Creating password sync

But what about the "can't contact LDAP server" in the passsync log? And are you saying I should try to change one of the passwords in AD for it to go to IDM, or vice versa?

Thanks

From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 12:45 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:42 PM, Todd Maugh wrote:
> I have not changed any passwords in AD yet.

Then passsync will not have sent anything.

> and the users I have in IDM from AD, their passwords are not working

Right. This is one of the (many) problems with the passsync approach - there currently is no way to populate the initial passwords - that is, passsync/IdM cannot copy your passwords over from AD to IdM.

From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 12:40 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:20 PM, Todd Maugh wrote:
> my passhook.log file is empty

Have you changed any passwords in AD?

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [t
Re: [Freeipa-users] Creating password sync
trying to find a command to check that connection

> From: Rich Megginson [rmegg...@redhat.com]
> Sent: Tuesday, February 04, 2014 1:02 PM
> To: Todd Maugh; d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: Creating password sync
>
> On 02/04/2014 01:57 PM, Todd Maugh wrote:
>> I tested a ssl connection from my ldap server to AD
> Ok. What about the ssl connection from the windows AD machine to your IdM ldap server?
>> this is the output
>>
>>     openssl s_client -connect qatestdc2.boingoqa.local:636
>>     [...]
Re: [Freeipa-users] Creating password sync
I tested a ssl connection from my ldap server to AD

this is the output

    openssl s_client -connect qatestdc2.boingoqa.local:636
    CONNECTED(0003)
    depth=0
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:
       i:/DC=local/DC=boingoqa/CN=SKYWARPCA
    ---
    Server certificate
    [PEM certificate body omitted]
    subject=
    issuer=/DC=local/DC=boingoqa/CN=SKYWARPCA
    ---
    Acceptable client certificate CA names
    /DC=local/DC=boingoqa/CN=SKYWARPCA
    /CN=QATESTDC2.boingoqa.local
    /DC=local/DC=boingoqa/CN=boingoqaca
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
    /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
    /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
    /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
    /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
    /O=BOINGO.COM/CN=Certificate Authority
    /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
    /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
    /CN=NT AUTHORITY
    ---
    SSL handshake has read 3480 bytes and written 601 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES128-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES128-SHA
        Session-ID: 333C854E673466C6993943C1FBC7E65382AB7C486AFA750CB5F76D45302A
        Session-ID-ctx:
        Master-Key: 63BF2A0621C3438C7CD8A0037B3769FC9182FF517B7D07265B8EE5F74FD90BBA0B8E56B9F466F3502F32C816076DAA47
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1391547347
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---

> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
> Sent: Tuesday, February 04, 2014 12:53 PM
> To: Rich Megginson; d
Re: [Freeipa-users] Creating password sync
but what about the "can't contact LDAP server" in the passsync log, and are you saying I should try to change one of the passwords in AD for it to go to IDM, or vice versa?

thanks

> From: Rich Megginson [rmegg...@redhat.com]
> Sent: Tuesday, February 04, 2014 12:45 PM
> To: Todd Maugh; d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: Creating password sync
>
> On 02/04/2014 01:42 PM, Todd Maugh wrote:
>> I have not changed any passwords in AD yet.
> Then passsync will not have sent anything.
>> and the users I have in IDM from AD, their passwords are not working
> Right. This is one of the (many) problems with the passsync approach - there currently is no way to populate the initial passwords - that is, passsync/IdM cannot copy your passwords over from AD to IdM.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Creating password sync
I tried changing the password for a user in AD

this is what the passsync log shows:

    02/04/14 12:29:14: Ldap bind error in Connect
    81: Can't contact LDAP server
    02/04/14 12:49:34: Ldap bind error in Connect
    81: Can't contact LDAP server
    02/04/14 12:49:34: Ldap error in QueryUsername
    81: Can't contact LDAP server
    02/04/14 12:49:36: Ldap bind error in Connect
    81: Can't contact LDAP server
    02/04/14 12:49:36: Ldap error in QueryUsername
    81: Can't contact LDAP server

and you say this is one of many issues with passsync. do you recommend another option?
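The passsync.log excerpts in this thread show two different failures (result code 32 while PassSync cannot find its bind DN or search base, then 81 once the connection itself fails) and also record which users' password changes PassSync gave up on, which is the part that matters for those users' IdM accounts. The triage script below is an added example, not code from the thread or from PassSync: the sample log text is constructed from the lines quoted above, and the per-code hints are the usual meanings of those standard LDAP result codes, not anything the thread itself states.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One PassSync log line per event; a failed LDAP call is followed by a
# separate "<code>: <text>" line carrying the LDAP result code.
EVENT_RE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}): (.*)$")
CODE_RE = re.compile(r"^(\d+): (.*)$")
ABANDON_RE = re.compile(r"^Abandoning password change for (\S+), backoff expired$")

# Usual meaning of the result codes seen in this thread (standard LDAP codes,
# RFC 4511); the causes listed are the common ones for PassSync -> IdM.
CODE_HINTS = {
    32: "noSuchObject: the bind DN (on Connect) or search base (on QueryUsername) "
        "configured in PassSync does not exist in the IdM directory",
    81: "serverDown: no LDAPS connection could be made (host/port unreachable, "
        "or the TLS handshake with the IdM server failed)",
}


@dataclass
class Event:
    ts: str
    msg: str
    code: Optional[int] = None
    code_text: Optional[str] = None


def parse_passsync_log(text: str) -> Tuple[List[Event], List[str]]:
    """Parse passsync.log text into events; a result-code line is attached to
    the event just before it. Lines that cannot be attached (a paste that
    starts mid-log, as in the thread) are returned separately as orphans."""
    events: List[Event] = []
    orphans: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            events.append(Event(m.group(1), m.group(2)))
            continue
        m = CODE_RE.match(line)
        if m and events and events[-1].code is None:
            events[-1].code = int(m.group(1))
            events[-1].code_text = m.group(2)
        else:
            orphans.append(line)
    return events, orphans


def triage(text: str) -> Dict[str, object]:
    """Summarise the log: result codes seen (with hints), the users whose AD
    password change was dropped (their IdM password stays stale until they
    change it again), and service restarts."""
    events, orphans = parse_passsync_log(text)
    codes = Counter(e.code for e in events if e.code is not None)
    abandoned = []
    for e in events:
        m = ABANDON_RE.match(e.msg)
        if m:
            abandoned.append((e.ts, m.group(1)))
    restarts = [e.ts for e in events if e.msg == "PassSync service initialized"]
    return {
        "codes": dict(codes),
        "hints": {c: CODE_HINTS.get(c, "see the result code table in RFC 4511") for c in codes},
        "abandoned": abandoned,
        "restarts": restarts,
        "orphans": orphans,
    }


# Constructed sample: the lines quoted in this thread (the first line has no
# preceding event because the paste started mid-log).
SAMPLE_32 = """\
32: No such object
02/03/14 16:23:40: Ldap error in QueryUsername
32: No such object
02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
02/03/14 16:57:48: Ldap bind error in Connect
32: No such object
02/03/14 16:57:48: Ldap error in QueryUsername
32: No such object
02/03/14 18:06:04: Abandoning password change for scottb, backoff expired
02/03/14 18:06:04: Ldap bind error in Connect
32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 10:25:00: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: PassSync service stopped
02/04/14 10:58:38: PassSync service initialized
02/04/14 10:58:38: PassSync service running
02/04/14 10:58:39: Ldap bind error in Connect
32: No such object
"""

# Constructed sample: the lines quoted after the AD password change was tried.
SAMPLE_81 = """\
02/04/14 12:29:14: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:34: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:34: Ldap error in QueryUsername
81: Can't contact LDAP server
"""

if __name__ == "__main__":
    for name, sample in (("SAMPLE_32", SAMPLE_32), ("SAMPLE_81", SAMPLE_81)):
        summary = triage(sample)
        print(name, summary["codes"], summary["abandoned"], summary["restarts"])
        for code, hint in summary["hints"].items():
            print(f"  {code}: {hint}")
```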
Re: [Freeipa-users] Creating password sync
I have not changed any passwords in AD yet.

and the users I have in IDM from AD, their passwords are not working

> From: Rich Megginson [rmegg...@redhat.com]
> Sent: Tuesday, February 04, 2014 12:40 PM
> To: Todd Maugh; d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: Creating password sync
>
> On 02/04/2014 01:20 PM, Todd Maugh wrote:
>> my passhook.log file is empty
> Have you changed any passwords in AD?
Re: [Freeipa-users] Creating password sync
my passhook.log file is empty
Re: [Freeipa-users] Creating password sync
now I am getting this after rerunning the install and trying to reinstall my cert

    LDAP bind error in connect 81: Can't Contact LDAP Server
Re: [Freeipa-users] Creating password sync
I'm seeing these errors in the passsync.log

    32: No such object
    02/03/14 16:23:40: Ldap error in QueryUsername
    32: No such object
    02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
    02/03/14 16:57:48: Ldap bind error in Connect
    32: No such object
    02/03/14 16:57:48: Ldap error in QueryUsername
    32: No such object
    02/03/14 18:06:04: Abandoning password change for scottb, backoff expired
    02/03/14 18:06:04: Ldap bind error in Connect
    32: No such object
    02/04/14 10:24:59: PassSync service initialized
    02/04/14 10:24:59: PassSync service running
    02/04/14 10:25:00: Ldap bind error in Connect
    32: No such object
    02/04/14 10:58:37: Ldap bind error in Connect
    32: No such object
    02/04/14 10:58:37: PassSync service stopped
    02/04/14 10:58:38: PassSync service initialized
    02/04/14 10:58:38: PassSync service running
    02/04/14 10:58:39: Ldap bind error in Connect
    32: No such object

> From: Rich Megginson [rmegg...@redhat.com]
> Sent: Tuesday, February 04, 2014 9:19 AM
> To: Todd Maugh; d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: Creating password sync
>
> On 02/04/2014 10:17 AM, Todd Maugh wrote:
>> also I have verified the password synchronization service is started and running on the windows 2008 R2 server but I can't tell if or what it is doing because I'm not getting passwords to my IDM
> http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging
>
> You can also look at the 389 access log to see if you have connections from the windows box.
Re: [Freeipa-users] Creating password sync
also I have verified the password synchronization service is started and running on the windows 2008 R2 server but I can't tell if or what it is doing because I'm not getting passwords to my IDM
[Freeipa-users] Creating password sync
Ok, So I have my replication agreement set up. and I see accounts coming in to my IDM server from AD

I have followed this guide from redhat https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html to set up my password sync.

I get no errors but my passwords are not syncing!

Help! the documentation tells of no way to verify or troubleshoot

Thank You

-Todd Maugh
tma...@boingo.com
Re: [Freeipa-users] cant create winsync reolication
asked: Can you provide your /etc/openldap/ldap.conf?

answer:

    /etc/openldap/ldap.conf
    #File modified by ipa-client-install
    URI ldaps://se-idm-01.boingo.com
    BASE dc=boingo,dc=com
    TLS_CACERT /etc/ipa/ca.crt
    TLS_CACERTDIR /etc/openldap/cacerts/
    TLS_REQCERT allow

ping

> TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error -8179:Peer's Certificate issuer is not recognized..
> This is saying QATESTDC2.boingoqa.local cannot be resolved - or the IP address does not match. This is usually a problem, but perhaps you have set your ldap.conf to continue despite this problem?

    PING qatestdc2.boingoqa.local (10.194.55.48) 56(84) bytes of data.
    64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=1 ttl=124 time=0.559 ms
    64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=2 ttl=124 time=0.660 ms
    ^C
    --- qatestdc2.boingoqa.local ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1070ms
    rtt min/avg/max/mdev = 0.559/0.609/0.660/0.056 ms

    TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
    Enter LDAP Password:
    ldap_sasl_bind
    ldap_send_initial_request
Re: [Freeipa-users] cant create winsync reolication
s outstanding referrals 0, parent count 0
ld 0x1fe2160 request count 1 (abandoned 0)
** ld 0x1fe2160 Response Queue:
Empty
ld 0x1fe2160 response count 0
ldap_chkResponseList ld 0x1fe2160 msgid -1 all 0
ldap_chkResponseList returns ld 0x1fe2160 NULL
ldap_int_select
read1msg: ld 0x1fe2160 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 59 contents:
read1msg: ld 0x1fe2160 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x1fe2160 msgid -1
wait4msg ld 0x1fe2160 msgid -1 (infinite timeout)
wait4msg continue ld 0x1fe2160 msgid -1 all 0
** ld 0x1fe2160 Connections:
* host: qatestdc2.boingoqa.local port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jan 31 23:59:23 2014
** ld 0x1fe2160 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x1fe2160 request count 1 (abandoned 0)
** ld 0x1fe2160 Response Queue:
Empty
ld 0x1fe2160 response count 0
ldap_chkResponseList ld 0x1fe2160 msgid -1 all 0
ldap_chkResponseList returns ld 0x1fe2160 NULL
read1msg: ld 0x1fe2160 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x1fe2160 msgid 3 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x1fe2160 0 new referrals
read1msg: mark request completed, ld 0x1fe2160 msgid 3
request done: ld 0x1fe2160 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

____
From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, January 31, 2014 3:58 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] cant create winsync reolication

On 01/31/2014 04:13 PM, Todd Maugh wrote:
> asked: Can you provide your /etc/openldap/ldap.conf?
> answer: /etc/openldap/ldap.conf
>
> #File modified by ipa-client-install
> URI ldaps://se-idm-01.boingo.com
> BASE dc=boingo,dc=com
> TLS_CACERT /etc/ipa/ca.crt
> TLS_CACERTDIR /etc/openldap/cacerts/
> TLS_REQCERT allow

This will allow errors where the hostname in the cert subject DN does not match the IP address or vice versa. What happens if you set it to TLS_REQCERT demand? Or, if you don't want to touch this file (because it will probably break other things), try this:

LDAPTLS_REQCERT=demand LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn

If that works, then please provide the output of

rpm -q 389-ds-base openldap nss

> ping
> TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error -8179:Peer's Certificate issuer is not recognized..

This is saying QATESTDC2.boingoqa.local cannot be resolved - or the IP address does not match. This is usually a problem, but perhaps you have set your ldap.conf to continue despite this problem?

> PING qatestdc2.boingoqa.local (10.194.55.48) 56(84) bytes of data.
> 64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=1 ttl=124 time=0.559 ms
> 64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=2 ttl=124 time=0.660 ms
> ^C
> --- qatestdc2.boingoqa.local ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1070ms
> rtt min/avg/max/mdev = 0.559/0.609/0.660/0.056 ms

Ok. Does 10.194.55.48 resolve to qatestdc2.boingoqa.local?

> TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
> Enter LDAP Password:
> ldap_sasl_bind
> ldap_send_initial_request

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
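Rich's point above is that with TLS_REQCERT allow the client keeps the session even when the peer's certificate chain fails validation, so a working ldapsearch proves nothing about trust; the LDAPTLS_* environment variables override the file for a single command. The following is an added example for this thread (not code from the thread, FreeIPA or OpenLDAP) that parses an ldap.conf, applies LDAP* environment overrides the same way the client library does, and flags settings that silence certificate validation. SAMPLE_LDAP_CONF is a copy of the /etc/openldap/ldap.conf quoted above.

```python
"""Audit OpenLDAP client TLS settings: ldap.conf plus the LDAP* environment overrides.

Added example for this thread, not code from the thread or from FreeIPA/OpenLDAP.
SAMPLE_LDAP_CONF is a copy of the /etc/openldap/ldap.conf quoted in the thread.
"""

# Effect of each TLS_REQCERT level, as documented in ldap.conf(5).
REQCERT_LEVELS = {
    "never": "no server certificate is requested or checked",
    "allow": "a missing or bad server certificate is ignored and the session proceeds",
    "try": "a missing certificate is tolerated but a bad one terminates the session",
    "demand": "a missing or bad server certificate terminates the session (the default)",
    "hard": "same as demand",
}
WEAK_LEVELS = {"never", "allow", "try"}

SAMPLE_LDAP_CONF = """\
#File modified by ipa-client-install
URI ldaps://se-idm-01.boingo.com
BASE dc=boingo,dc=com
TLS_CACERT /etc/ipa/ca.crt
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
"""


def parse_ldap_conf(text):
    """Parse ldap.conf syntax: one 'KEYWORD value' per line, '#' lines are comments,
    keywords are case-insensitive; a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def effective_settings(file_settings, env):
    """Overlay environment variables named LDAP<OPTION> (LDAPTLS_REQCERT, LDAPTLS_CACERTDIR, ...),
    which take precedence over the file; this is what Rich's one-off command relies on."""
    merged = dict(file_settings)
    for name, value in env.items():
        if name.startswith("LDAP") and len(name) > 4:
            merged[name[4:].upper()] = value
    return merged


def audit_tls(settings):
    """Return (severity, message) findings for settings that silence certificate validation."""
    findings = []
    level = settings.get("TLS_REQCERT", "demand").strip().lower()
    if level not in REQCERT_LEVELS:
        findings.append(("error", f"unrecognised TLS_REQCERT value {level!r}"))
    elif level in WEAK_LEVELS:
        findings.append((
            "high",
            f"TLS_REQCERT {level}: {REQCERT_LEVELS[level]}; a successful ldapsearch under this "
            "setting says nothing about whether the server's chain was trusted. Use 'demand'.",
        ))
    if not settings.get("TLS_CACERT") and not settings.get("TLS_CACERTDIR"):
        findings.append(("medium", "no TLS_CACERT or TLS_CACERTDIR: nothing to validate the server chain against"))
    return findings


def audit_text(text, env=None):
    """Parse, overlay the environment, audit."""
    return audit_tls(effective_settings(parse_ldap_conf(text), env or {}))


if __name__ == "__main__":
    for severity, message in audit_text(SAMPLE_LDAP_CONF):
        print(f"[{severity}] {message}")
    # The override Rich suggests, LDAPTLS_REQCERT=demand, clears the finding.
    print(audit_text(SAMPLE_LDAP_CONF, {"LDAPTLS_REQCERT": "demand"}))
```

Note that this audits only the OpenLDAP client configuration. As Rich says later in the thread, the 389 server itself does not read /etc/openldap/cacerts; it uses its own certificate database under /etc/dirsrv/slapd-YOUR-DOMAIN, so a clean client audit does not mean the server trusts the AD CA.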
Re: [Freeipa-users] cant create winsync reolication
Ok that time I got output

[r...@se-idm-01.boingo.com slapd-BOINGO-COM]$ ldapsearch -LLLx -b "cn=config" -D "cn=directory manager" -W 'objectclass=nsds5replicationagreement'
Enter LDAP Password:
dn: cn=meTose-idm-02.boingo.com,cn=replica,cn=dc\3Dboingo\2Cdc\3Dcom,cn=mapping tree,cn=config
cn: meTose-idm-02.boingo.com
objectClass: nsds5replicationagreement
objectClass: top
nsDS5ReplicaTransportInfo: LDAP
description: me to se-idm-02.boingo.com
nsDS5ReplicaRoot: dc=boingo,dc=com
nsDS5ReplicaHost: se-idm-02.boingo.com
nsds5replicaTimeout: 120
nsDS5ReplicaPort: 389
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsds50ruv: {replicageneration} 52e153690004
nsds50ruv: {replica 3 ldap://se-idm-02.boingo.com:389} 52e1537200010003 52ebf4230003
nsds50ruv: {replica 4 ldap://se-idm-01.boingo.com:389} 52e153d500020004 52ebf6280004
nsruvReplicaLastModified: {replica 3 ldap://se-idm-02.boingo.com:389}
nsruvReplicaLastModified: {replica 4 ldap://se-idm-01.boingo.com:389}
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20140131210414Z
nsds5replicaLastUpdateEnd: 20140131210414Z
nsds5replicaChangesSentSinceStartup:: NDozLzAg
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
Re: [Freeipa-users] cant create winsync reolication
ldapsearch -LLLx -b "cn=config" -D "cn=directory manager" -W 'objectclass=nsds5replicationagreement'

____
From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, January 31, 2014 1:30 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] cant create winsync reolication

On 01/31/2014 02:14 PM, Todd Maugh wrote:
> I used the IPA directory manager password and got no output
>
> [r...@se-idm-01.boingo.com cacerts]$ ldapsearch -LLLx -b "cn=config" -D "cn=directory manager" -W 'objectclass=nsdswindowsreplicationagreement' dn
> Enter LDAP Password:

Very strange. Try this:

ldapsearch -LLLx -b "cn=config" -D "cn=directory manager" -W 'objectclass=nsds5replicationagreement'

____
From: Todd Maugh
Sent: Friday, January 31, 2014 1:11 PM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] cant create winsync reolication

For the second Command I do not have an account called directory manager, so I do not have a password

ldapsearch -LLLx -b "cn=config" -D "cn=directory manager" -W 'objectclass=nsdswindowsreplicationagreement' dn
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Re: [Freeipa-users] cant create winsync reolication
I used the IPA directory manager password and got no output

[r...@se-idm-01.boingo.com cacerts]$ ldapsearch -LLLx -b "cn=config" -D "cn=directory manager" -W 'objectclass=nsdswindowsreplicationagreement' dn
Enter LDAP Password:

____
From: Todd Maugh
Sent: Friday, January 31, 2014 1:11 PM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] cant create winsync reolication

For the second Command I do not have an account called directory manager, so I do not have a password

ldapsearch -LLLx -b "cn=config" -D "cn=directory manager" -W 'objectclass=nsdswindowsreplicationagreement' dn
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Re: [Freeipa-users] cant create winsync reolication
For the second Command I do not have an account called directory manager, so I do not have a password

ldapsearch -LLLx -b "cn=config" -D "cn=directory manager" -W 'objectclass=nsdswindowsreplicationagreement' dn
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
Re: [Freeipa-users] cant create winsync reolication
Thank you for the reply. Here is the output of the first command. I'm going to run the second now and will reply with that as well.

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn
ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local)
ldap_create
ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP qatestdc2.boingoqa.local:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.194.55.48:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x260a160 msgid 1
wait4msg ld 0x260a160 msgid 1 (infinite timeout)
wait4msg continue ld 0x260a160 msgid 1 all 1
** ld 0x260a160 Connections:
* host: qatestdc2.boingoqa.local port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jan 31 21:07:43 2014
** ld 0x260a160 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x260a160 request count 1 (abandoned 0)
** ld 0x260a160 Response Queue:
Empty
ld 0x260a160 response count 0
ldap_chkResponseList ld 0x260a160 msgid 1 all 1
ldap_chkResponseList returns ld 0x260a160 NULL
ldap_int_select
read1msg: ld 0x260a160 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x260a160 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x260a160 0 new referrals
read1msg: mark request completed, ld 0x260a160 msgid 1
request done: ld 0x260a160 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: certdb config: configDir='/etc/dirsrv/slapd-BOINGO-COM/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/dirsrv/slapd-BOINGO-COM/ prefix .
TLS: loaded CA certificate file /etc/ipa/ca.crt.
TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error -8179:Peer's Certificate issuer is not recognized..
TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 65 bytes to sd 3
ldap_result ld 0x260a160 msgid 2
wait4msg ld 0x260a160 msgid 2 (infinite timeout)
wait4msg continue ld 0x260a160 msgid 2 all 1
** ld 0x260a160 Connections:
* host: qatestdc2.boingoqa.local port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jan 31 21:07:50 2014
** ld 0x260a160 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x260a160 request count 1 (abandoned 0)
** ld 0x260a160 Response Queue:
Empty
ld 0x260a160 response count 0
ldap_chkResponseList ld 0x260a160 msgid 2 all 1
ldap_chkResponseList returns ld 0x260a160 NULL
ldap_int_select
read1msg: ld 0x260a160 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x260a160 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x260a160 0 new referrals
read1msg: mark request completed, ld 0x260a160 msgid 2
request done: ld 0x260a160 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: "objectclass=*"
put_filter: default
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 85 bytes to sd 3
ldap_result ld 0x260a160 msgid -1
wait4msg ld 0x260a160 msgid -1 (infinite timeout)
wait4msg continue ld 0x260a160 msgid -1 all 0
** ld 0x260a160 Connections:
* host: qatestdc2.boingoqa.local port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jan 31 21:07:50 2014
** ld 0x260a160 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x260a160 request count 1 (abandoned 0)
** ld 0x260a160 Response Queue:
Empty
ld 0x260a160 response count 0
ldap_chkResponseList ld 0x260a160 msgid -1 all 0
ldap_chkResponseList returns ld 0x260a160 NULL
ldap_int_select
read1msg: ld 0x260a160 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 59 contents:
read1msg: ld 0x260a160 msgid 3 m
Re: [Freeipa-users] cant create winsync reolication
[r...@se-idm-01.boingo.com cacerts]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W
Enter LDAP Password:
dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: IDM ADMIN
givenName: IDMADMIN
distinguishedName: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
instanceType: 4
whenCreated: 20140128182537.0Z
whenChanged: 20140131014315.0Z
displayName: IDMADMIN
uSNCreated: 31968
memberOf: CN=Domain Controllers,CN=Users,DC=boingoqa,DC=local
memberOf: CN=Account Operators,CN=Builtin,DC=boingoqa,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=boingoqa,DC=local
uSNChanged: 38786
name: IDM ADMIN
objectGUID:: jai63JfDvUuOGcURntA7hg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130356008006093750
primaryGroupID: 513
objectSid:: AQUAAAUV0+/GU55mz3h0hQ48RwYAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: idmadmin
sAMAccountType: 805306368
userPrincipalName: idmadmin@boingoqa.local
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=boingoqa,DC=local
dSCorePropagationData: 20140129224024.0Z
dSCorePropagationData: 1601010100.0Z
lastLogonTimestamp: 130356060672110578

____
From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, January 31, 2014 12:39 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] cant create winsync reolication

On 01/31/2014 12:16 PM, Todd Maugh wrote:
> RE: I am not sure I was clear. It seems that you provided the LDAP trace for the ldapsearch commands you executed above. I was talking about the DS level logs for the replica management agreement establishment and the follow up replication.
>
> here is the log tailed while I deleted the replication agreement, restarted the dirsrv and tried to setup the replication agreement

Note that 389 does not use /etc/openldap/cacerts - it uses /etc/dirsrv/slapd-YOUR-DOMAIN, so try this:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W
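The entry returned above is the account the winsync agreement binds with, and its memberOf and userAccountControl values are visible in the LDIF. As an added least-privilege check (example code, not from the thread, FreeIPA or 389-ds), the following parses LDIF the way ldapsearch prints it, decodes the userAccountControl bits and reports membership in built-in privileged AD groups, so the reviewer can decide whether a sync account needs that much. SAMPLE_LDIF is a constructed subset of the IDM ADMIN entry shown above.

```python
"""Least-privilege review of an AD user entry returned by ldapsearch (LDIF).

Added example for this thread; not code from the thread, FreeIPA or 389-ds.
SAMPLE_LDIF is a constructed subset of the IDM ADMIN entry shown in the thread.
"""
import base64

# userAccountControl bit names (Microsoft ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}

# Built-in AD groups whose membership confers domain-wide or DC-level control.
PRIVILEGED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Account Operators", "Server Operators", "Backup Operators", "Print Operators",
    "Domain Controllers",
}

SAMPLE_LDIF = """\
dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: IDM ADMIN
memberOf: CN=Domain Controllers,CN=Users,DC=boingoqa,DC=local
memberOf: CN=Account Operators,CN=Builtin,DC=boingoqa,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=boingoqa,DC=local
objectGUID:: jai63JfDvUuOGcURntA7hg==
userAccountControl: 66048
sAMAccountName: idmadmin
userPrincipalName: idmadmin@boingoqa.local
"""


def _add_attr(entry, line):
    """Store one unfolded LDIF line; 'attr:: value' is base64 and decodes to bytes."""
    attr, sep, value = line.partition(":")
    if not sep or not attr:
        raise ValueError(f"malformed LDIF line: {line!r}")
    if value.startswith(":"):
        entry.setdefault(attr, []).append(base64.b64decode(value[1:].strip()))
    else:
        entry.setdefault(attr, []).append(value.strip())


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts, unfolding continuation
    lines (leading space) and splitting entries on blank lines."""
    entries, entry, pending = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and pending is not None:
            pending += raw[1:]
            continue
        if pending is not None and not pending.startswith("#"):
            _add_attr(entry, pending)
        pending = None
        if raw == "":
            if entry:
                entries.append(entry)
                entry = {}
        else:
            pending = raw
    return entries


def rdn_value(dn):
    """First RDN value of a DN: 'CN=Enterprise Admins,CN=Users,...' -> 'Enterprise Admins'.
    Escaped commas inside RDN values are not handled (the sample has none)."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1].strip() if "=" in first else first.strip()


def decode_uac(value):
    """Names of the flags set in a userAccountControl integer, lowest bit first."""
    bits = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if bits & bit]


def review_service_account(entry):
    """Summarise what matters for a sync/service account: privileged group membership
    and password/delegation flags."""
    groups = [rdn_value(g) for g in entry.get("memberOf", [])]
    flags = decode_uac(entry.get("userAccountControl", ["0"])[0])
    return {
        "sAMAccountName": entry.get("sAMAccountName", [""])[0],
        "privileged_groups": sorted(g for g in groups if g in PRIVILEGED_GROUPS),
        "uac_flags": flags,
        "password_never_expires": "DONT_EXPIRE_PASSWORD" in flags,
        "disabled": "ACCOUNTDISABLE" in flags,
    }


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(review_service_account(entry))
```

On the sample entry the review reports three privileged groups and a password that never expires (66048 is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD); whether any of that is needed for a sync account is a question for the AD side, but it is worth asking before the account is used as a long-lived bind identity.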
Re: [Freeipa-users] cant create winsync reolication
RE: I am not sure I was clear. It seems that you provided the LDAP trace for the ldapsearch commands you executed above. I was talking about the DS level logs for the replica management agreement establishment and the follow up replication.

here is the log tailed while I deleted the replication agreement, restarted the dirsrv and tried to setup the replication agreement

[31/Jan/2014:19:07:37 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:12 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:13 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:25 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:10:01 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:51 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:54 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:00 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:12 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:36 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:12 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:13 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:24 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:57 +] NSMMReplicationPlugin - agmt_delete: begin
[31/Jan/2014:19:14:09 +] - slapd shutting down - signaling operation threads
[31/Jan/2014:19:14:09 +] - slapd shutting down - waiting for 30 threads to terminate
[31/Jan/2014:19:14:09 +] - slapd shutting down - closing down internal subsystems and plugins
[31/Jan/2014:19:14:09 +] - Waiting for 4 database threads to stop
[31/Jan/2014:19:14:09 +] - All database threads now stopped
[31/Jan/2014:19:14:09 +] - slapd stopped.
[31/Jan/2014:19:14:12 +] - 389-Directory/1.2.11.15 B2013.337.1530 starting up
[31/Jan/2014:19:14:12 +] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jan/2014:19:14:12 +] set_krb5_creds - Could not get initial credentials for principal [ldap/se-idm-01.boingo@boingo.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[31/Jan/2014:19:14:12 +] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jan/2014:19:14:12 +] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
[31/Jan/2014:19:14:12 +] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[31/Jan/2014:19:14:12 +] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[31/Jan/2014:19:14:12 +] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[31/Jan/2014:19:14:12 +] - Listening on All Interfaces port 636 for LDAPS requests
[31/Jan/2014:19:14:12 +] - Listening on /var/run/slapd-BOINGO-COM.socket for LDAPI requests
[31/Jan/2014:19:14:16 +] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed
[31/Jan/2014:19:15:18 +] - slapd shutting down - signaling operation threads
[31/Jan/2014:19:15:1
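The errors log above mixes three different things: repeated StartTLS failures toward the outbound peer (error -11, Connect error, with no agreement name in the line), the agreement deletion and server restart, and a GSSAPI replication bind to se-idm-02 that fails at startup because the credential cache is not there yet and resumes four seconds later. The following is an added triage script for this thread (not code from the thread or from 389-ds) that parses the errors-log line format, classifies each line and summarises the latest bind state per replication agreement. SAMPLE_LOG is constructed from the log posted above; the timezone offset is assumed to be +0000 (the archive shows only "+"), and the parser also accepts the archived "+]" form.

```python
"""Triage 389 Directory Server errors-log lines for replication and winsync trouble.

Added example for this thread; not code from the thread or from 389-ds.
SAMPLE_LOG is constructed from the errors log posted in the thread, with the
timezone offset assumed to be +0000 (the archive had stripped it to "+").
"""
import re
from collections import Counter

# [timestamp] component - message   (component may be absent: "[ts] - slapd stopped.")
LINE_RE = re.compile(r"^\[([^\]]+)\]\s+(?:(\S+)\s+)?-\s+(.*)$")

# (pattern, category) rules applied to the message part; first match wins.
RULES = [
    (re.compile(r"could not send startTLS request: error (-?\d+) \(([^)]*)\)"), "starttls_failed"),
    (re.compile(r'agmt="([^"]+)" \(([^)]+)\): Replication bind with (\S+) auth failed'), "repl_bind_failed"),
    (re.compile(r'agmt="([^"]+)" \(([^)]+)\): Replication bind with (\S+) auth resumed'), "repl_bind_resumed"),
    (re.compile(r"Could not get initial credentials for principal \[([^\]]+)\]"), "krb_creds_failed"),
    (re.compile(r"agmt_delete: begin"), "agmt_deleted"),
    (re.compile(r"slapd (?:shutting down|stopped|started)|starting up"), "lifecycle"),
]

SAMPLE_LOG = """\
[31/Jan/2014:19:07:37 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:12 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:24 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:57 +0000] NSMMReplicationPlugin - agmt_delete: begin
[31/Jan/2014:19:14:09 +0000] - slapd shutting down - signaling operation threads
[31/Jan/2014:19:14:09 +0000] - slapd stopped.
[31/Jan/2014:19:14:12 +0000] - 389-Directory/1.2.11.15 B2013.337.1530 starting up
[31/Jan/2014:19:14:12 +0000] set_krb5_creds - Could not get initial credentials for principal [ldap/se-idm-01.boingo@boingo.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[31/Jan/2014:19:14:12 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[31/Jan/2014:19:14:12 +0000] - slapd started. Listening on All Interfaces port 389 for LDAP requests
[31/Jan/2014:19:14:16 +0000] NSMMReplicationPlugin - agmt="cn=meTose-idm-02.boingo.com" (se-idm-02:389): Replication bind with GSSAPI auth resumed
"""


def parse_line(line):
    """Split one errors-log line into timestamp, component and message; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, component, message = m.groups()
    return {"ts": ts, "component": component or "", "message": message}


def classify(message):
    """Return (category, captured groups) for a message, or ("other", ())."""
    for pattern, category in RULES:
        m = pattern.search(message)
        if m:
            return category, m.groups()
    return "other", ()


def triage(lines):
    """Count events per category, tally StartTLS error codes (those lines carry no peer
    name, so they can only be counted) and keep the latest bind state per agreement."""
    counts, starttls_errors, agreements, unparsed = Counter(), Counter(), {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed.append(line)
            continue
        category, groups = classify(rec["message"])
        counts[category] += 1
        if category == "starttls_failed":
            starttls_errors[f"{groups[0]} ({groups[1]})"] += 1
        elif category in ("repl_bind_failed", "repl_bind_resumed"):
            name, peer, mech = groups
            agreements[name] = {"peer": peer, "mech": mech, "ts": rec["ts"],
                                "state": "failed" if category.endswith("failed") else "resumed"}
    return {"counts": dict(counts), "starttls_errors": dict(starttls_errors),
            "agreements": agreements, "unparsed": unparsed}


def report(summary):
    """Render the triage as short human-readable lines."""
    out = []
    for err, n in summary["starttls_errors"].items():
        out.append(f"startTLS to the outbound peer failed {n}x with error {err}: no TLS session was "
                   "established, so check the server's own certificate database trusts the peer's CA")
    for name, info in summary["agreements"].items():
        out.append(f'agreement {name} -> {info["peer"]}: {info["mech"]} bind {info["state"]} (last seen {info["ts"]})')
    if summary["counts"].get("krb_creds_failed"):
        out.append("Kerberos credentials could not be obtained from the keytab at least once; "
                   "if the agreement later resumed, that failure was transient")
    if summary["unparsed"]:
        out.append(f"{len(summary['unparsed'])} line(s) did not match the errors-log format")
    return out


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG.splitlines())):
        print(line)
```

Run against the full log above, the StartTLS count is what matters: it is the only failure that never resolves before the agreement is deleted, which is consistent with Rich's point that the server validates the AD certificate from its own /etc/dirsrv/slapd-YOUR-DOMAIN database, not from /etc/openldap/cacerts.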
[Freeipa-users] cant create winsync reolication
Please help, I'm stuck trying to finish this winsync agreement.

[r...@se-idm-01.boingo.com slapd-BOINGO-COM]$ ipa-replica-manage connect --winsync --binddn "cn=idm admin, cn=Users, dc=boingoqa, dc=local" --bindpw "***" --passsync "" --cacert=/etc/openldap/cacerts/boingoqaCA.cer qatestdc2.boingoqa.local -v
Directory Manager password:
Added CA certificate /etc/openldap/cacerts/boingoqaCA.cer to certificate database for se-idm-01.boingo.com
ipa: INFO: AD Suffix is: DC=boingoqa,DC=local
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=boingo,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[se-idm-01.boingo.com] reports: Update failed! Status: [-11 - LDAP error: Connect error]
Failed to start replication