I have taken out the winsync.

[r...@ipa.wibble.com ~]# ipa-replica-manage connect --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw pa$$ --passsync pa$$ --cacert /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate database for ipa.wibble.com
You cannot connect to a previously deleted master

I can't find anything useful in the Server 2008 AD logs... I am seeing if I can make them more sensitive.

/var/log/messages

Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904045, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904642, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'samr' already registered on endpoint
Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.905147, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'netlogon' already registered on endpoint
Jan 2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
Jan 2 16:53:47 ipa named[11459]: connection to the LDAP server was lost
Jan 2 16:53:47 ipa named[11459]: bind to LDAP server failed: Can't contact LDAP server
Jan 2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299083, 0] ipa_sam.c:3689(bind_callback_cleanup)
Jan 2 16:53:49 ipa winbindd[12071]: kerberos error: code=-1765328324, message=Generic error (see e-text)
Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299320, 0] ../source3/lib/smbldap.c:998(smbldap_connect_system)
Jan 2 16:53:49 ipa winbindd[12071]: failed to bind to server ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn="[Anonymous bind]" Error: Local error
Jan 2 16:53:49 ipa winbindd[12071]: #011(unknown)
Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.909746, 0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.
Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910126, 0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.
Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910427, 0] ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.

On 2 January 2014 13:41, Dmitri Pal <d...@redhat.com> wrote:
> On 01/02/2014 07:38 AM, Andrew Holway wrote:
>> I have gotten a little further along with this but am having problems
>> connecting to the AD LDAP.
>>
>> [r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync
>> --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw
>> X9deiX9dei --passsync X9deiX9dei --cacert
>> /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
>>
>> Directory Manager password:
>>
>> Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
>> database for ipa.wibble.com
>>
>> ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.
>>
>> ipa: INFO: The error was: {'info': '00000000: LdapErr: DSID-0C090E17,
>> comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server
>> is unavailable'}
>>
>> Failed to setup winsync replication
>
> Hello,
>
> Trusts and winsync are mutually exclusive.
> You either do one or another. We do not have a way to move from one
> configuration to another yet and the decision should be made at the
> deployment time.
>
> Which one do you prefer?
> If you prefer trusts please follow the instructions on the wiki. The
> guide is not updated yet, sorry.
> http://www.freeipa.org/page/Trusts
> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>
> It seems that after the trust is established you try to login and fail.
> Can you provide more details about those attempts?
> http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
> also see other sections on the same page.
>
> HTH
> Thanks
> Dmitri
>
>
>> On 1 January 2014 22:27, Andrew Holway <andrew.hol...@gmail.com> wrote:
>>> Hello,
>>>
>>> I am attempting to set up trust between my test freeipa server at
>>> ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.
>>>
>>> In the GUI I can see the following in "Trusts » prattle.com".
>>>
>>> Realm name: prattle.com
>>> Domain NetBIOS name: PRATTLE
>>> Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
>>> Trust direction: Two-way trust
>>> Trust type: Active Directory domain
>>>
>>> However I can't see any of the AD users that I have created nor can I
>>> log on to any of the systems under my freeipa realm.
>>>
>>> Jan 1 20:50:30 host002 sshd[9959]: Failed password for invalid user
>>> bob from 10.51.120.1 port 55101 ssh2
>>>
>>> I haven't actually done anything to AD to facilitate this trust. It's
>>> not particularly clear what should be done.
>>>
>>> Many thanks,
>>>
>>> Andrew
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
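Added here as an example, not code from the thread: a small Python triage script that parses syslog lines like the /var/log/messages excerpt above, labels the symptoms they show (389-ds unreachable, winbindd's failed ldapi bind, smbd RPC handle exhaustion, re-registered RPC interfaces) and orders them by first appearance, so the earliest symptom can be examined as the root-cause candidate. The symptom labels are this example's own names and the sample log is re-typed from the post, not a live capture.

```python
import re
from collections import Counter

# Constructed sample: a subset of the /var/log/messages lines from the report above,
# re-typed for the example (syslog puts two spaces before a single-digit day).
SAMPLE_LOG = """\
Jan  2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Jan  2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
Jan  2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
Jan  2 16:53:49 ipa winbindd[12071]: kerberos error: code=-1765328324, message=Generic error (see e-text)
Jan  2 16:53:49 ipa winbindd[12071]: failed to bind to server ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn="[Anonymous bind]" Error: Local error
Jan  2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.
Jan  2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.
"""

SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ (?P<clock>\d\d:\d\d:\d\d) \S+ "
                       r"(?P<daemon>[\w-]+)\[\d+\]: (?P<msg>.*)$")

# Symptom labels are this example's own names, not IPA or Samba terminology.
RULES = [
    ("dirsrv_unreachable", re.compile(r"Can't contact LDAP server|LDAP connection error|connection to the LDAP server was lost")),
    ("winbindd_bind_failed", re.compile(r"kerberos error: code=|failed to bind to server ldapi://")),
    ("smbd_handle_exhaustion", re.compile(r"too many handles \(\d+\) on this pipe")),
    ("smbd_interface_reregistered", re.compile(r"interface '\w+' already registered on endpoint")),
]

def parse_line(line):
    """Split one syslog line into clock, daemon and message, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def classify(msg):
    """Return the first symptom label whose pattern matches the message body, else None."""
    return next((name for name, rx in RULES if rx.search(msg)), None)

def triage(text):
    """Count matches per symptom and record the first clock time and daemon for each one."""
    counts, first_seen = Counter(), {}
    for raw in text.splitlines():
        rec = parse_line(raw)
        label = classify(rec["msg"]) if rec else None
        if label is not None:
            counts[label] += 1
            first_seen.setdefault(label, (rec["clock"], rec["daemon"]))
    return {"counts": dict(counts), "first_seen": first_seen}

def timeline(text):
    """Symptoms ordered by first appearance; the earliest is the best root-cause candidate,
    e.g. named losing 389-ds precedes winbindd's failed ldapi bind in the sample above."""
    return sorted(triage(text)["first_seen"].items(), key=lambda kv: kv[1][0])
```

Feed the whole /var/log/messages file to timeline() to see which daemon complained first; in the posted excerpt, the LDAP outage seen by named comes before winbindd's Kerberos bind failure, which points at 389-ds rather than at winbindd itself.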