I'm trying to set up the AD-FreeIPA sync agreement and I'm always
getting this error:
# ipa-replica-manage connect --winsync --binddn cn="IPA Sync",cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 --cacert /root/dc1.cer --passsync JamesBond007 dc1.win.example.com -v
Added CA certificate /root/dc1.cer to certificate database for
ipa: INFO: AD Suffix is: DC=win,DC=example,DC=com
Where does this insufficient access come from?
Can you please provide some guidance with this issue?
IPA Sync user on the AD side has Domain Admins, Enterprise Admins,
Schema Admins group memberships.
I'm able to query the AD using ldapsearch, binding with those
credentials, and I also have an admin Kerberos ticket.
On the other hand, the documentation in the FreeIPA enterprise guide is
rather succinct than adequate, as it doesn't provide at least one working
I've read all the corresponding documentation and it's still unclear
what password I have to specify with --passsync, which is described as
"the password for the Windows PassSync user, and a required argument to
|ipa-replica-manage| when creating winsync agreements." I can't see any
documentation mentioning that a PassSync user has to be (or is being)
created in the AD.
The bindpw already gives read/write permission to the AD tree, so I'm
wondering why this --passsync is required.
It's rather annoying to set up PassSync on the Windows side.
The only documentation for this (which FreeIPA refers to) I can see is:
However, "cn=sync,cn=config" on the screenshot for the user name is
misleading, as only the full DN was working for us. I assume that
cn=user,cn=accounts,dc=example,dc=com has to be substituted for
ou=People,dc=example,dc=com (or does it have to be cn=compat?).
Thanks for any help in advance,
Freeipa-users mailing list