Ok I got the credentials error worked out, my AD admin had the IDMadmin account in the wrong OU

but now I get this

Added CA certificate ADC13-ELS.CA.cer to certificate database for idm-master-els.ops.boingo.com
ipa: INFO: AD Suffix is: DC=BWINC,DC=local
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ops,dc=boingo,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[idm-master-els.ops.boingo.com] reports: Update failed! Status: [-11 - LDAP error: Connect error]
Failed to start replication

not sure where to look for more errors about this

________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, March 12, 2014 4:23 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 05:07 PM, Todd Maugh wrote:

so to verify this I am able to log in to the AD server as idmadmin with the password I'm using in the winsync agreement.

I guess you mean that login to Windows using the standard Windows login dialog is working correctly?

And that this is still not working correctly:

[r...@idm-master-els.ops.boingo.com ipa]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" s base -b "cn=Users,dc=bwinc,dc=local"

Do you have the Windows administrator password? If so, can you try something like this:

[r...@idm-master-els.ops.boingo.com ipa]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=administrator,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" s base -b "cn=Users,dc=bwinc,dc=local"

Is AD configured to allow external LDAP binds?

is there a log I can look at to see what it is getting tripped up on.

I suppose you could try somewhere in the Windows Event Viewer . . .

I double checked all the security groups for the AD user and they all look good

________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, March 12, 2014 3:47 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 04:39 PM, Todd Maugh wrote:

thanks Rich, when I run that I get the following:

[r...@idm-master-els.ops.boingo.com ipa]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" s base -b "cn=Users,dc=bwinc,dc=local"
ldap_bind: Invalid credentials (49)

Invalid credentials almost always means your password "XXXXXX" is not correct for user "cn=idmadmin,cn=Users,dc=bwinc,dc=local"

additional info: 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580

________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, March 12, 2014 3:30 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 04:18 PM, Todd Maugh wrote:

Hello.

I'm using latest IPA build on Red Hat 6.5

I retrieved my CA cert from the AD Domain controller

I try to set up my winsyncagreement and I am getting this

[r...@idm-master-els.ops.boingo.com ipa]$ ipa-replica-manage connect --winsync --binddn "cn=idmadmin, cn=Users, dc=bwinc, dc=local" --bindpw "XXXXXX" --passsync "XXXXXX" --cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer adc13-els.bwinc.local
Directory Manager password:
Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to certificate database for idm-master-els.ops.boingo.com
ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local
ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'}
Failed to setup winsync replication

not sure where to look for the logs for this to see what the invalid credentials are or whether this might still be a cert issue or a log in issue or what not?

You can test with ldapsearch like this:

$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLLZZ -h adc13-els.bwinc.local -D "cn=idmadmin,cn=Users,dc=bwinc,dc=local" -w "XXXXXX" -s base -b "cn=Users,dc=bwinc,dc=local"

Thanks in advance for the help

-Todd

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
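
The two failures in this thread happen at different layers, and the error text says which. The following is an added example, not part of the thread and not FreeIPA code: a small triage helper (the names `triage`, `AD_BIND_SUBCODES`, `FIRST_RUN` and `SECOND_RUN` are made up here) that reads the AD bind sub-code after "data" and the replication status code, using the error lines quoted in the messages above as sample input.

```python
import re

# AD puts the Win32 logon error (hex) after "data" in its bind diagnostic.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or bind DN not where AD expects it)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
AD_DIAG = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
# Matches both "status: -11 - LDAP error: ..." and "Status: [-11 - LDAP error: ...]".
REPL_STATUS = re.compile(r"[Ss]tatus: \[?(-?\d+) - LDAP error: ([^\]\n:]+)")

def triage(output):
    """Return sorted, de-duplicated (layer, detail) findings for tool output."""
    findings = set()
    for m in AD_DIAG.finditer(output):
        code = m.group(1).lower()
        meaning = AD_BIND_SUBCODES.get(code, "unknown sub-code")
        findings.add(("bind", f"data {code}: {meaning}"))
    for m in REPL_STATUS.finditer(output):
        rc, text = int(m.group(1)), m.group(2).strip()
        # Negative values are client-library errors (-11 is LDAP_CONNECT_ERROR):
        # the connection failed before any bind was attempted, so check
        # name resolution, port reachability and TLS trust, not the password.
        layer = "connection" if rc < 0 else "server"
        findings.add((layer, f"{rc}: {text}"))
    return sorted(findings)

# Sample input: error lines as quoted in the thread.
FIRST_RUN = ("ipa: INFO: The error was: {'info': '80090308: LdapErr: "
             "DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, "
             "v2580', 'desc': 'Invalid credentials'}")
SECOND_RUN = ("ipa: INFO: Replication Update in progress: FALSE: status: -11 - "
              "LDAP error: Connect error: start: 0: end: 0\n"
              "[idm-master-els.ops.boingo.com] reports: Update failed! "
              "Status: [-11 - LDAP error: Connect error]")

if __name__ == "__main__":
    for sample in (FIRST_RUN, SECOND_RUN):
        print(triage(sample))
```

In this thread the 52e case turned out to be the account sitting in a different OU than the bind DN named, which is why the sub-code alone does not prove the password is wrong.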