Sayid Munawar wrote:
Dear,I have successfully installed freeipa-server 2 rc2. and create some test user and tested machine enrollment. now, what i want to do next is sync all my windows 2008r2 AD accounts. i've got already get the cert needed, and tested it with ldapsearch tools in the same host as the freeipa-server. so i assume that AD connection is ok. but when i did ipa-manage-replica, it complaints about "Can't connect LDAP server". here it is: [root@yk ~]# ipa-replica-manage connect --winsync --binddn "cn=Fedora DS,ou=JogjaCamp,dc=dot,dc=jc" --bindpw "somesecret" --cacert /root/jcamp-DC1-buat-389DirServ.cer --passsync secretagain -p anothersecret DC1.DOT.JC Added CA certificate /root/jcamp-DC1-buat-389DirServ.cer to certificate database for yk.nix.jc ipa: INFO: Failed to connect to AD server dc1.dot.jc ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': "Can't contact LDAP server"} ipa: INFO: Continuning ... The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=nix,dc=jc Windows PassSync entry exists, not resetting password ipa: INFO: Added new sync agreement, waiting for it to become ready . . . ipa: INFO: Replication Update in progress: FALSE: status: 0 No replication sessions started since server startup: start: 0: end: 0 ipa: INFO: Agreement is ready, starting replication . . . Starting replication, please wait until this has completed. Can't contact LDAP server [root@yk ~]# - I have no idea why AD connection is fail here, while it was ok with ldapsearch tool. any clue ? - and one more question: what is --passsync argument for? is it for foce setting a "new password" for passsync user, or we have to first define a password for passsync user ? TIA Sayid Munawar
Passsync is a service that needs to run on all of your AD servers. It is a windows service that intercepts password requests and sends them along to IPA (over SSL). We need to have the password in the clear in order to generate Kerberos key material.
A special LDAP user is used for authentication to the Passsync service, the --passsync option sets the password for that account.
Make sure your CA was installed as an Enterprise CA (apparently it is the only kind that sets up a pure SSL LDAP port as opposed to using TLS over 389).
We discovered several winsync issues shortly after RC 2 was released. They are fixed now, you can take a look at them here:
https://fedorahosted.org/freeipa/ticket/1006 https://fedorahosted.org/freeipa/ticket/1015 https://fedorahosted.org/freeipa/ticket/1020 https://fedorahosted.org/freeipa/ticket/1021 https://fedorahosted.org/freeipa/ticket/1022 We discovered these while fixing this: https://fedorahosted.org/freeipa/ticket/266 regards rob _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
