
Re: [Freeipa-users] Problems replicating with Windows 2008 AD



Kline, Sara wrote:
I found the issue; it had to do with what Windows set the CN to, as
opposed to what I thought the CN was. Once I figured out where that was
set, I was able to fix it. CNs for us are usually the user ID, so that
was where the disconnect was. Once I fixed that issue, however, I got
another error. I am logged in as root on the FreeIPA server. When I run
the ipa-replica-manage command I get:

Added CA certificate /etc/openldap/cacerts/winadcert.cer to certificate
database for oly-infra-ldap1.prod.tnsi.com

INFO:root:AD Suffix is: DC=prod,DC=example,DC=com

Insufficient access

I am not sure I understand why this is not working.

Hmm, can you try this:

# kdestroy
# ipa-replica-manage ...

It should prompt you for the Directory Manager password. My guess is that this isn't working with a delegated user over GSSAPI. What version of freeIPA are you running?

rob


Thanks,

Sara Kline

From: Rich Megginson [mailto:rmeggins redhat com]
Sent: Wednesday, May 16, 2012 4:12 PM
To: Kline, Sara
Cc: freeipa-users redhat com
Subject: Re: [Freeipa-users] Problems replicating with Windows 2008 AD

On 05/16/2012 04:33 PM, Kline, Sara wrote:

Hey all,

FreeIPA has been very simple to set up so far; I have been able to follow
along with the documentation every step of the way. I am running into an
issue, however, when trying to set up replication between the Red Hat 6.2
server running FreeIPA and the Win 2008 R2 server running Active
Directory. I created the replication user like the instructions say and
gave it the necessary permissions; however, when I try to set up the
agreement, it tells me I am using invalid credentials. I am unsure
what I should do at this point. SSL certs are installed on both and
trusted on both, the servers are connected and both are synced to the
same time source. Can anyone think of anything else?

I am using the command as follows:

ipa-replica-manage connect --winsync \
    --binddn cn=freeipa,cn=users,dc=prod,dc=example,dc=com \
    --bindpw mypassword \
    --passsync mypassword \
    --cacert /etc/openldap/cacerts/winadcert.cer \
    oly-infra-ldap2.prod.example.com


You can use ldapsearch to test the connection with AD:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -xLLL \
    -H ldap://oly-infra-ldap2.prod.example.com -ZZ \
    -D "cn=freeipa,cn=users,dc=prod,dc=example,dc=com" -w mypassword \
    -s base -b "" 'objectclass=*' namingcontexts

This assumes
1) oly-infra-ldap2.prod.example.com is the correct FQDN of your AD machine
2) cn=freeipa,cn=users,dc=prod,dc=example,dc=com is a valid AD user in AD
3) mypassword is the correct password and doesn't need to be quoted for
the shell


Sara Kline

System Administrator

Transaction Network Services, Inc

4501 Intelco Loop, Lacey WA 98503

Wk: (360) 493-6736

Cell: (360) 280-2495

------------------------------------------------------------------------

This e-mail message is for the sole use of the intended recipient(s) and may
contain confidential and privileged information of Transaction Network
Services. Any unauthorised review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the sender
by reply e-mail and destroy all copies of the original message.




_______________________________________________

Freeipa-users mailing list

Freeipa-users redhat com  <mailto:Freeipa-users redhat com>

https://www.redhat.com/mailman/listinfo/freeipa-users
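As an added example (not code from this thread or from the FreeIPA project), the script below packages Rich's base-level ldapsearch test so that the client's exit status is translated into the LDAP result it stands for. That makes an "Invalid credentials" (result 49) from the AD bind clearly distinguishable from an "Insufficient access" (result 50) or from a TLS/connectivity failure, which helps decide whether the problem is on the AD side at all or, as Rob suspects, on the FreeIPA side with the GSSAPI-delegated user. It assumes the OpenLDAP client tools, that ldapsearch exits with the LDAP result code of the failed operation (255 when the server cannot be contacted), the hostname and bind DN from the thread, and environment variable names (AD_HOST, BIND_DN, CACERT_DIR) chosen here for illustration. The password is read from a file with -y rather than passed with -w, so it does not show up in the process list.

```shell
#!/bin/sh
# Added example (not from the thread): wrap the base-level AD bind test and
# translate the OpenLDAP client exit status into the LDAP result it maps to.
# Assumptions: OpenLDAP client tools are installed; ldapsearch exits with the
# LDAP resultCode of the failed operation (255 for the client's "-1", i.e. the
# server could not be contacted). Host and bind DN are the thread's values;
# the variable names and the password-file handling are this example's own.

AD_HOST="${AD_HOST:-oly-infra-ldap2.prod.example.com}"
BIND_DN="${BIND_DN:-cn=freeipa,cn=users,dc=prod,dc=example,dc=com}"
# Placeholder, as in Rich's message: the CA certificate directory of the
# local directory server instance (or any directory holding the AD CA cert).
CACERT_DIR="${CACERT_DIR:-/etc/dirsrv/slapd-YOUR-DOMAIN}"

# Map an ldapsearch exit status to a short explanation. The numbers are the
# standard LDAP resultCode values from RFC 4511; 255 is the client's -1.
ldap_rc_meaning() {
    case "$1" in
        0)   echo "success: bind and base search worked" ;;
        8)   echo "strongerAuthRequired: AD refused a simple bind without TLS; check -ZZ" ;;
        32)  echo "noSuchObject: the search base does not exist" ;;
        34)  echo "invalidDNSyntax: check the bind DN spelling" ;;
        49)  echo "invalidCredentials: wrong DN or password (or a locked/disabled account)" ;;
        50)  echo "insufficientAccessRights: bind worked, but the account lacks permission" ;;
        255) echo "cannot contact server: DNS, firewall, port 389, or TLS handshake/CA trust" ;;
        *)   echo "LDAP result code $1" ;;
    esac
}

# Run the same base-level search Rich used, reading the bind password from
# the file named in $1 (-y) instead of placing it on the command line.
# Returns ldapsearch's exit status and prints the interpretation on stderr.
check_ad_bind() {
    passfile="$1"
    if LDAPTLS_CACERTDIR="$CACERT_DIR" ldapsearch -xLLL -H "ldap://$AD_HOST" -ZZ \
        -D "$BIND_DN" -y "$passfile" -s base -b "" '(objectclass=*)' namingcontexts
    then
        rc=0
    else
        rc=$?
    fi
    echo "ldapsearch exit $rc: $(ldap_rc_meaning "$rc")" >&2
    return "$rc"
}

# Usage: ./check_ad_bind.sh /path/to/bind-password-file
if [ "$#" -eq 1 ]; then
    check_ad_bind "$1"
fi
```

If this returns 0, the AD account, its password and the CA trust are all fine, and the remaining "Insufficient access" is on the FreeIPA side, which is exactly the case Rob's kdestroy step (binding as Directory Manager instead of the Kerberos-delegated user) is meant to isolate. A 49 here means the AD bind DN or password is still wrong, the situation Sara hit before correcting the CN.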






