Sayid Munawar wrote:
Dear,
I have successfully installed freeipa-server 2 rc2 and created some test
users and tested machine enrollment. Now, what I want to do next is sync
all my Windows 2008 R2 AD accounts. I've already got the cert needed and
tested it with the ldapsearch tool on the same host as the
freeipa-server, so I assume that the AD connection is OK. But when I ran
ipa-replica-manage, it complained about "Can't connect LDAP server".
Here it is:
[root@yk ~]# ipa-replica-manage connect --winsync --binddn "cn=Fedora
DS,ou=JogjaCamp,dc=dot,dc=jc" --bindpw "somesecret" --cacert
/root/jcamp-DC1-buat-389DirServ.cer --passsync secretagain -p
anothersecret DC1.DOT.JC
Added CA certificate /root/jcamp-DC1-buat-389DirServ.cer to certificate
database for yk.nix.jc
ipa: INFO: Failed to connect to AD server dc1.dot.jc
ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f
13', 'desc': "Can't contact LDAP server"}
ipa: INFO: Continuning ...
The user for the Windows PassSync service is
uid=passsync,cn=sysaccounts,cn=etc,dc=nix,dc=jc
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: 0 No
replication sessions started since server startup: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Can't contact LDAP server
[root@yk ~]#
- I have no idea why the AD connection fails here, while it was OK with
the ldapsearch tool. Any clue?
- And one more question: what is the --passsync argument for? Is it for
forcing a "new password" onto the passsync user, or do we have to first
define a password for the passsync user?
TIA
Sayid Munawar
Passsync is a service that needs to run on all of your AD servers. It is
a Windows service that intercepts password requests and sends them along
to IPA (over SSL). We need to have the password in the clear in order to
generate Kerberos key material.
A special LDAP user is used for authentication to the Passsync service;
the --passsync option sets the password for that account.
Make sure your CA was installed as an Enterprise CA (apparently it is
the only kind that sets up a pure SSL LDAP port as opposed to using TLS
over 389).
We discovered several winsync issues shortly after RC 2 was released.
They are fixed now; you can take a look at them here:
https://fedorahosted.org/freeipa/ticket/1006
https://fedorahosted.org/freeipa/ticket/1015
https://fedorahosted.org/freeipa/ticket/1020
https://fedorahosted.org/freeipa/ticket/1021
https://fedorahosted.org/freeipa/ticket/1022
We discovered these while fixing this:
https://fedorahosted.org/freeipa/ticket/266
regards
rob
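A quick check of what the winsync agreement actually needs, added here as an example and not code from the thread or from FreeIPA: a direct TLS handshake on port 636 (pure LDAPS, not STARTTLS on 389) with the DC's certificate verified against the exported CA file, which is the step that ldapsearch may have skipped. The DC name and CA path are taken from the command in the thread; it is assumed that the exported .cer is in PEM form, which Python's ssl module requires.

```python
import socket
import ssl

# Values from the thread above; the CA file is assumed to be PEM-encoded.
DC_HOST = "DC1.DOT.JC"
CA_FILE = "/root/jcamp-DC1-buat-389DirServ.cer"


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Open TLS directly on the LDAPS port (no STARTTLS) and verify the
    server certificate against cafile, as a winsync agreement would.
    Returns a dict with ok, error, and subject/issuer when the check passes."""
    try:
        # Loading the CA here so a missing or DER-encoded file is reported too.
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
        return {
            "ok": True,
            "error": None,
            "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
            "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
        }
    except ssl.SSLCertVerificationError as e:
        # OpenSSL's counterpart of the NSS code in the log: -8179 is
        # SEC_ERROR_BASE (-8192) + 13, SEC_ERROR_UNKNOWN_ISSUER, i.e. the DC's
        # certificate does not chain to the CA that was supplied.
        return {"ok": False, "error": "cert verification failed: %s" % e.verify_message}
    except (OSError, ssl.SSLError) as e:
        # Refused or timed out here usually means no pure-LDAPS listener on 636
        # (for example when AD only offers STARTTLS on 389).
        return {"ok": False, "error": "%s: %s" % (type(e).__name__, e)}


if __name__ == "__main__":
    print(probe_ldaps(DC_HOST, cafile=CA_FILE))
```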
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users