I turned off all the AD processes on my Windows domain controller. The error did not change.
On 2 January 2014 17:07, Andrew Holway <andrew.hol...@gmail.com> wrote:
> I have taken out the winsync.
>
> [r...@ipa.wibble.com ~]# ipa-replica-manage connect --binddn
> cn=administrator,cn=users,dc=prattle,dc=com --bindpw pa$$ --passsync
> pa$$ --cacert /etc/openldap/cacerts/prattle.crt
> win-5uglhak7rin.prattle.com. -vvv
> Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
> database for ipa.wibble.com
> You cannot connect to a previously deleted master
>
> I can't find anything useful in the server2008 AD logs.... I am seeing
> if I can make them more sensitive.
>
> /var/log/messages
>
> Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904045, 0]
> ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register:
> interface 'lsarpc' already registered on endpoint
> Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904642, 0]
> ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register:
> interface 'samr' already registered on endpoint
> Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.905147, 0]
> ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
> Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register:
> interface 'netlogon' already registered on endpoint
> Jan 2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
> Jan 2 16:53:47 ipa named[11459]: connection to the LDAP server was lost
> Jan 2 16:53:47 ipa named[11459]: bind to LDAP server failed: Can't
> contact LDAP server
> Jan 2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to
> handle LDAP connection error. Reconnection in 60s
> Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299083, 0]
> ipa_sam.c:3689(bind_callback_cleanup)
> Jan 2 16:53:49 ipa winbindd[12071]: kerberos error:
> code=-1765328324, message=Generic error (see e-text)
> Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299320, 0]
> ../source3/lib/smbldap.c:998(smbldap_connect_system)
> Jan 2 16:53:49 ipa winbindd[12071]: failed to bind to server
> ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn="[Anonymous
> bind]" Error: Local error
> Jan 2 16:53:49 ipa winbindd[12071]: #011(unknown)
> Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.909746, 0]
> ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
> Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many
> handles (2049) on this pipe.
> Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910126, 0]
> ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
> Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many
> handles (2049) on this pipe.
> Jan 2 16:54:13 ipa smbd[12033]: [2014/01/02 16:54:13.910427, 0]
> ../source3/rpc_server/rpc_handles.c:261(create_rpc_handle_internal)
> Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many
> handles (2049) on this pipe.
>
>
> On 2 January 2014 13:41, Dmitri Pal <d...@redhat.com> wrote:
>> On 01/02/2014 07:38 AM, Andrew Holway wrote:
>>> I have gotten a little further along with this but am having problems
>>> connecting to the AD LDAP.
>>>
>>> [r...@ipa.wibble.com cacerts]# ipa-replica-manage connect --winsync
>>> --binddn cn=administrator,cn=users,dc=prattle,dc=com --bindpw
>>> X9deiX9dei --passsync X9deiX9dei --cacert
>>> /etc/openldap/cacerts/prattle.crt win-5uglhak7rin.prattle.com. -vvv
>>>
>>> Directory Manager password:
>>>
>>> Added CA certificate /etc/openldap/cacerts/prattle.crt to certificate
>>> database for ipa.wibble.com
>>>
>>> ipa: INFO: Failed to connect to AD server win-5uglhak7rin.prattle.com.
>>>
>>> ipa: INFO: The error was: {'info': '00000000: LdapErr: DSID-0C090E17,
>>> comment: Error initializing SSL/TLS, data 0, v1db1', 'desc': 'Server
>>> is unavailable'}
>>>
>>> Failed to setup winsync replication
>>
>> Hello,
>>
>> Trusts and winsync are mutually exclusive.
>> You either do one or another. We do not have a way to move from one
>> configuration to another yet and the decision should be made at the
>> deployment time.
>>
>> Which one do you prefer?
>> If you prefer trusts please follow the instructions on the wiki. The
>> guide is not updated yet, sorry.
>> http://www.freeipa.org/page/Trusts
>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup
>>
>> It seems that after the trust is established you try to login and fail.
>> Can you provide more details about those attempts?
>> http://www.freeipa.org/page/Troubleshooting#Reporting_bugs
>> also see other sections on the same page.
>>
>> HTH
>> Thanks
>> Dmitri
>>
>>
>>>
>>> On 1 January 2014 22:27, Andrew Holway <andrew.hol...@gmail.com> wrote:
>>>> Hello,
>>>>
>>>> I am attempting to set up trust between my test freeipa server at
>>>> ipa.wibble.com. and my test AD server at win-5uglhak7rin.prattle.com.
>>>>
>>>> In the GUI I can see the following in "Trusts » prattle.com".
>>>>
>>>> Realm name: prattle.com
>>>> Domain NetBIOS name: PRATTLE
>>>> Domain Security Identifier: S-1-5-21-2812083513-4116408788-3699662436
>>>> Trust direction: Two-way trust
>>>> Trust type: Active Directory domain
>>>>
>>>> However I can't see any of the AD users that I have created nor can I
>>>> log on to any of the systems under my freeipa realm.
>>>>
>>>> Jan 1 20:50:30 host002 sshd[9959]: Failed password for invalid user
>>>> bob from 10.51.120.1 port 55101 ssh2
>>>>
>>>> I haven't actually done anything to AD to facilitate this trust. It's
>>>> not particularly clear what should be done.
>>>>
>>>> Many thanks,
>>>>
>>>> Andrew
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
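The /var/log/messages excerpt above mixes three daemons (smbd, winbindd, named), Samba's two-record debug format and a Kerberos com_err code, which makes it hard to see in which order things broke. The following triage script is an added example written for this page; it is not code from the thread, from FreeIPA or from Samba. It parses syslog-style records, skips Samba's "[date, level] file:line(func)" header records, tags each remaining line with a known failure signature, decodes the krb5 code back to its protocol error number using the MIT krb5 error-table base, and summarises which daemon reported what, in timestamp order. The sample log is constructed from the lines Andrew quoted, with wrapped lines re-joined so each syslog record is on one line; the signature names (`ldap_unreachable`, `rpc_handle_exhaustion`, and so on) are labels chosen here, not terms used by either project.

```python
"""Triage a /var/log/messages excerpt from an IPA server that has an AD trust.

Added example for this page, not code from the thread, FreeIPA or Samba.
"""
import re
from collections import Counter

# Constructed sample: the records quoted in the thread, one syslog record per
# line (the Samba debug-header records are kept so the parser can skip them).
SAMPLE_LOG = """\
Jan 2 16:53:43 ipa smbd[12033]: [2014/01/02 16:53:43.904045, 0] ../source3/rpc_server/epmapper/srv_epmapper.c:378(_epm_Insert)
Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'lsarpc' already registered on endpoint
Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'samr' already registered on endpoint
Jan 2 16:53:43 ipa smbd[12033]: dcesrv_interface_register: interface 'netlogon' already registered on endpoint
Jan 2 16:53:47 ipa named[11459]: LDAP error: Can't contact LDAP server
Jan 2 16:53:47 ipa named[11459]: connection to the LDAP server was lost
Jan 2 16:53:47 ipa named[11459]: bind to LDAP server failed: Can't contact LDAP server
Jan 2 16:53:47 ipa named[11459]: ldap_psearch_watcher failed to handle LDAP connection error. Reconnection in 60s
Jan 2 16:53:49 ipa winbindd[12071]: [2014/01/02 16:53:49.299083, 0] ipa_sam.c:3689(bind_callback_cleanup)
Jan 2 16:53:49 ipa winbindd[12071]: kerberos error: code=-1765328324, message=Generic error (see e-text)
Jan 2 16:53:49 ipa winbindd[12071]: failed to bind to server ldapi://%2fvar%2frun%2fslapd-WIBBLE-COM.socket with dn="[Anonymous bind]" Error: Local error
Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.
Jan 2 16:54:13 ipa smbd[12033]: create_policy_hnd: ERROR: too many handles (2049) on this pipe.
"""

# "Mon DD HH:MM:SS host daemon[pid]: message" (classic syslog, no year)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Samba emits a "[YYYY/MM/DD hh:mm:ss.uuuuuu, level] file:line(func)" record
# before each actual message; it carries no signal on its own.
SAMBA_HDR_RE = re.compile(r"^\[\d{4}/\d{2}/\d{2} ")

# Failure signatures (labels chosen for this example); first match wins, so
# the more specific patterns come before the generic ones.
SIGNATURES = [
    ("ldap_bind_failed", re.compile(r"failed to bind to server (?P<detail>\S+) with dn=")),
    ("ldap_unreachable", re.compile(
        r"Can't contact LDAP server|connection to the LDAP server was lost|LDAP connection error")),
    ("krb5_error", re.compile(r"kerberos error: code=(?P<detail>-?\d+)")),
    ("rpc_handle_exhaustion", re.compile(r"too many handles \((?P<detail>\d+)\) on this pipe")),
    ("duplicate_rpc_interface", re.compile(r"interface '(?P<detail>\w+)' already registered")),
]

# MIT krb5 error-table base from krb5_err.h: protocol errors are reported as
# base + errno, so -1765328324 is base + 60 (KRB_ERR_GENERIC, RFC 4120).
KRB5_ERROR_TABLE_BASE = -1765328384


def krb5_protocol_errno(code):
    """Map a com_err-style krb5 code to its 0..127 protocol error number, else None."""
    off = code - KRB5_ERROR_TABLE_BASE
    return off if 0 <= off < 128 else None


def parse_record(line):
    """Split one syslog line into its fields, or return None if it is not one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def classify(msg):
    """Return (signature, detail) for a message, or (None, None) if unrecognised."""
    for kind, rx in SIGNATURES:
        m = rx.search(msg)
        if m:
            return kind, m.groupdict().get("detail")
    return None, None


def triage(text):
    """Return the recognised failures in log order, one dict per matching record."""
    findings = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or SAMBA_HDR_RE.match(rec["msg"]):
            continue
        kind, detail = classify(rec["msg"])
        if kind is None:
            continue
        f = {"ts": rec["ts"], "daemon": rec["daemon"], "pid": rec["pid"],
             "kind": kind, "detail": detail}
        if kind == "krb5_error":
            f["krb5_errno"] = krb5_protocol_errno(int(detail))
        findings.append(f)
    return findings


def summarize(findings):
    """Counts per signature, signatures per daemon, and the earliest finding."""
    by_daemon = {}
    for f in findings:
        by_daemon.setdefault(f["daemon"], set()).add(f["kind"])
    return {
        "counts": dict(Counter(f["kind"] for f in findings)),
        "by_daemon": {d: sorted(kinds) for d, kinds in by_daemon.items()},
        "first": findings[0] if findings else None,
    }


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['daemon']}[{f['pid']}] {f['kind']} {f['detail'] or ''}")
    print(summarize(SAMPLE_LOG and triage(SAMPLE_LOG)))
```

Run it against a real `/var/log/messages` by reading the file into `triage()`; the summary's `by_daemon` view shows at a glance that, in this excerpt, both `named` and `winbindd` lost the local directory server (the `ldapi://` socket) before `smbd` ran out of RPC handles, which is the order a practitioner would want to see when deciding whether to look at the IPA side or the AD side first.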