On 03/19/2015 05:10 AM, Gonzalo Fernandez Ordas wrote:

I have completely changed the scenario and I managed to install freeipa-server 4.1 (somebody published the right repo for CentOS and it worked really well).

--Let me double check a couple of things. You wrote you installed PassSync on Windows 2013 (which could be a typo?) We support Windows Server 2008 R2 and 2012 R2. We also confirmed it works on Windows Server 2003 R2.

Yes, sorry, that was a typo.

So, starting again from scratch, new machine, the whole installation process went well, no issues there, but:

* FreeIPA is supposed to generate a PassSync user by running ipa-replica-manage --winsync --passsync=PASSSYNC_PWD. (See also man ipa-replica-manage.)

I tried 5 times; the user was never created on the IPA server, so I had to create it manually (I gave it admin permissions so it could create/delete/update users). Having done that, the password sync worked all right. We submitted a password reset in AD and it propagated all right; tested and it worked fine.
* In one scenario I uninstalled FreeIPA (still kept the packages), installed again and something went wrong with the Kerberos keys. After creating the AD --> LDAP certs and successfully syncing the passwords, I could read in /var/log/messages a password decryption issue (Kerberos related) every time I tried to log in as any user. I have tried uninstalling FreeIPA and also removing the product completely and re-installing. It did not matter if I tried to rebuild the Kerberos keys; the issue was always there, so I had to start afresh with a new box.

Something is really messed up with the system.
Do you have some kind of backup and restore running in the background?
It seems that for some reason a kerberos (probably master) key was rewritten in some way.

So.. that has been all so far



On 16/03/2015 20:05, Noriko Hosoi wrote:
Hello, Gonzalo,

Any progress on your Password Synchronization?

Let me double check a couple of things. You wrote you installed PassSync on Windows 2013 (which could be a typo?) We support Windows Server 2008 R2 and 2012 R2. We also confirmed it works on Windows Server 2003 R2.
> On 03/13/2015 12:45 PM,g.fer.or...@unicyber.co.uk  wrote:
>> I got the Password Sync Tool installed in the Windows2013 box
You can find the doc on PassSync here.
The doc is on PassSync 1.1.5, but 1.1.6 remains intact except the default SSL version to connect to the 389 Directory Server (as we discussed before).

We had a discussion regarding the PassSync user you had to create:
FreeIPA is supposed to generate a PassSync user by running ipa-replica-manage --winsync --passsync=PASSSYNC_PWD. (See also man ipa-replica-manage.)
> there must be some problem as FreeIPA
> creates its own Passsync user in "cn=sysaccounts,cn=etc,<SUFFIX>" and also sets it
> as passSyncManagersDNs in ipa_pwd_extop plugin to avoid it creating expired
> passwords. So there is no need to create
> "uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" manually.
Please see the above doc regarding the user creation.

    The username of the system user which Active Directory uses to
    connect to the IdM machine. This account is configured
    automatically when sync is configured on the IdM server. The
    default account is
    The password set in the --passsync option when the sync
    agreement was created.

I'm sending this response to freeipa-users to share the info and request for more suggestions.


On 03/13/2015 02:48 PM, g.fer.or...@unicyber.co.uk wrote:
I forgot to attach the search command now:
# passsync, users, accounts, corp.company.com
dn: uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
cn: passsync
displayName: passsync
krbLastFailedAuth: 20150313211546Z
krbLoginFailedCount: 1
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=corp,dc=company,dc=com
krbLastPwdChange: 20150313210836Z
krbPasswordExpiration: 20150611210836Z
mepManagedEntry: cn=passsync,cn=groups,cn=accounts,dc=corp,dc=company,d
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/bash
gecos: pass sync
sn: sync
homeDirectory: /home/passsync
uid: passsync
mail: passs...@corp.company.com
krbPrincipalName: passs...@corp.company.com
givenName: pass
initials: ps
userPassword:: zxxxxxxxx=
ipaUniqueID: 1d76b14a-c9c5-11e4-93f4-12d2e19d1e3c
uidNumber: 1481000829
gidNumber: 1481000829
krbPrincipalKey:: dfrerererer

# search result
search: 2

On 2015-03-13 21:39, g.fer.or...@unicyber.co.uk wrote:

I had to manually create the user!! For some reason I thought the sync
agreement task was also creating that entry for the DS!

So now I got:

[13/Mar/2015:14:27:30 -0700] conn=66 op=4 SRCH
scope=0 filter="(objectClass=*)" attrs="telephoneNumber uid title
loginShell uidNumber gidNumber sn homeDirectory mail ou givenName
[13/Mar/2015:14:27:30 -0700] conn=66 op=4 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=5 SRCH
scope=0 filter="(userPassword=*)" attrs="userPassword"
[13/Mar/2015:14:27:30 -0700] conn=66 op=5 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=6 SRCH
scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
[13/Mar/2015:14:27:30 -0700] conn=66 op=6 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=7 SRCH
scope=0 filter="(objectClass=*)" attrs="ipaSshPubKey"
[13/Mar/2015:14:27:30 -0700] conn=66 op=7 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=8 UNBIND
[13/Mar/2015:14:27:30 -0700] conn=66 op=8 fd=103 closed - U1
[13/Mar/2015:14:27:33 -0700] conn=48 op=20 RESULT err=0 tag=101
nentries=828 etime=90 notes=U
[13/Mar/2015:14:27:33 -0700] conn=48 op=21 ABANDON targetop=NOTFOUND msgid=16
[13/Mar/2015:14:27:33 -0700] conn=48 op=22 SRCH
base="cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=0
filter="(objectClass=*)" attrs="* aci"
[13/Mar/2015:14:27:33 -0700] conn=48 op=22 RESULT err=0 tag=101
nentries=1 etime=0
[13/Mar/2015:14:27:33 -0700] conn=48 op=23 ABANDON targetop=NOTFOUND msgid=18
[13/Mar/2015:14:27:42 -0700] conn=67 fd=103 slot=103 connection from ::1 to ::1
[13/Mar/2015:14:27:42 -0700] conn=67 op=0 BIND dn="cn=directory
manager" method=128 version=3
[13/Mar/2015:14:27:42 -0700] conn=67 op=0 RESULT err=0 tag=97
nentries=0 etime=0 dn="cn=directory manager"
[13/Mar/2015:14:27:42 -0700] conn=67 op=1 SRCH
scope=2 filter="(objectClass=*)" attrs=ALL
[13/Mar/2015:14:27:42 -0700] conn=67 op=1 RESULT err=0 tag=101
nentries=1 etime=0 notes=U
[13/Mar/2015:14:27:42 -0700] conn=67 op=2 UNBIND
[13/Mar/2015:14:27:42 -0700] conn=67 op=2 fd=103 closed - U1

And target not found??? What else might I be missing?


On 2015-03-13 21:01, Noriko Hosoi wrote:
On 03/13/2015 01:49 PM, g.fer.or...@unicyber.co.uk wrote:

Restarted... And I also have re-initiated the replica just in case....

I can see the following:
[13/Mar/2015:13:41:35 -0700] conn=34 op=329 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:13:41:36 -0700] conn=35 fd=84 slot=84 SSL connection from AD.SERVER to IPA.SERVER
[13/Mar/2015:13:41:36 -0700] conn=35 SSL 128-bit AES
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 BIND dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97 nentries=0 etime=0
Do you have a user
"uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" in your
Directory Server?

On the host/VM where your Directory Server is running, please run this
command line search.  Does it return the entry?
ldapsearch -x -h localhost -p 389 -D 'cn=directory manager' -W -b
[13/Mar/2015:13:41:36 -0700] conn=35 op=1 SRCH base="cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=2 filter="(ntUserDomainId=john.test)" attrs=ALL
[13/Mar/2015:13:41:36 -0700] conn=35 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:13:41:36 -0700] conn=34 op=330 SRCH base="cn=meTohqdc1.corp.company.com,cn=replica,cn=dc\3Dcorp\2Cdc\3Dcompany\2Cdc\3Dcom,cn=mapping tree,cn=config" scope=0 filter="(objectClass=*)" attrs="nsds5replicaLastInitStart nsds5replicaUpdateInProgress nsds5replicaLastInitStatus cn nsds5BeginReplicaRefresh nsds5replicaLastInitEnd"
[13/Mar/2015:13:41:36 -0700] conn=34 op=330 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:13:41:36 -0700] conn=36 fd=101 slot=101 SSL connection from AD.SERVER to IPA.SERVER
[13/Mar/2015:13:41:36 -0700] conn=36 SSL 128-bit AES
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 BIND dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=36 op=1 UNBIND
[13/Mar/2015:13:41:36 -0700] conn=36 op=1 fd=101 closed - U1
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 MOD dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 RESULT err=50 tag=103 nentries=0 etime=0
Since the above bind failed, your PassSync has no right to update the
password on the Directory Server and the modify attempt failed with

[13/Mar/2015:13:41:37 -0700] conn=35 op=3 UNBIND
[13/Mar/2015:13:41:37 -0700] conn=35 op=3 fd=84 closed - U1


Note there are 2 errors there:
dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97 nentries=0 etime=0
dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3

 ipa user-show John.Test
  User login: john.test
  First name: John
  Last name: Test
  Home directory: /home/john.test
  Login shell: /bin/bash
  UID: 1481000790
  GID: 1481000790
  Account disabled: False
  Password: False
  Kerberos keys available: False

The password is still set as False.
The PassSync Tool has its search base defined as:

cn=users,cn=accounts,dc=corp,dc=company,dc=com .. which should be all right.

Thanks for all your help!

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
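To make the access-log reading Noriko walks through above repeatable, here is an added example (it is not from this thread, nor from the FreeIPA or 389 Directory Server projects). It parses 389 DS access-log lines, pairs each BIND/SRCH/MOD request with its RESULT by conn and op id, and names the LDAP result codes that appear in the thread: err=32 (noSuchObject) on the passsync BIND, err=48 (inappropriateAuthentication) on the user's own bind, and err=50 (insufficientAccessRights) on the MOD. The sample log is constructed from the lines quoted in the thread; AD.SERVER, IPA.SERVER and the DNs are placeholders taken from it.

```python
"""Correlate 389 Directory Server access-log lines to diagnose a failing
PassSync bind/modify sequence.

Added example; not from the mailing-list thread or the FreeIPA project.
The sample log below is constructed, modelled on the lines quoted in the
thread (AD.SERVER, IPA.SERVER and the DNs are placeholders)."""
import re
from collections import defaultdict

# LDAP result codes seen in the thread, with their RFC 4511 names
LDAP_RESULT_NAMES = {
    0: "success",
    32: "noSuchObject",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# Constructed sample: one access-log record per line
SAMPLE_LOG = """\
[13/Mar/2015:13:41:36 -0700] conn=35 fd=84 slot=84 SSL connection from AD.SERVER to IPA.SERVER
[13/Mar/2015:13:41:36 -0700] conn=35 SSL 128-bit AES
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 BIND dn="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=35 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=35 op=1 SRCH base="cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=2 filter="(ntUserDomainId=john.test)" attrs=ALL
[13/Mar/2015:13:41:36 -0700] conn=35 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 BIND dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:13:41:36 -0700] conn=36 op=0 RESULT err=48 tag=97 nentries=0 etime=0
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 MOD dn="uid=john.test,cn=users,cn=accounts,dc=corp,dc=company,dc=com"
[13/Mar/2015:13:41:36 -0700] conn=35 op=2 RESULT err=50 tag=103 nentries=0 etime=0
[13/Mar/2015:13:41:37 -0700] conn=35 op=3 UNBIND
"""

# "[timestamp] conn=N" followed optionally by "op=N KIND rest"
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)'
    r'(?: op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<rest>.*))?'
)
ERR_RE = re.compile(r'\berr=(\d+)')
DN_RE = re.compile(r'\bdn="([^"]*)"')


def parse_ops(log_text):
    """Return {(conn, op): {"kind", "dn", "err"}}; the request line and its
    RESULT line share the same conn and op ids, so they merge into one record."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("op") is None:
            continue  # connection-open and SSL lines carry no op id
        key = (int(m.group("conn")), int(m.group("op")))
        kind, rest = m.group("kind"), m.group("rest")
        if kind == "RESULT":
            err = ERR_RE.search(rest)
            ops[key]["err"] = int(err.group(1)) if err else None
        else:
            ops[key]["kind"] = kind
            dn = DN_RE.search(rest)
            ops[key]["dn"] = dn.group(1) if dn else None
    return dict(ops)


def bound_identity(ops, conn):
    """DN the connection authenticated as, or None when its BIND failed.
    A failed BIND leaves the connection anonymous, which is why a later
    MOD on the same conn is refused with err=50."""
    for (c, op), rec in sorted(ops.items()):
        if c == conn and rec.get("kind") == "BIND":
            return rec["dn"] if rec.get("err") == 0 else None
    return None


def failed_ops(log_text):
    """(conn, op, kind, dn, error name, bound-as DN) for every non-zero RESULT,
    so each failure is read together with the bind state of its connection."""
    ops = parse_ops(log_text)
    findings = []
    for (conn, op), rec in sorted(ops.items()):
        err = rec.get("err")
        if not err:
            continue
        findings.append((conn, op, rec.get("kind"), rec.get("dn"),
                         LDAP_RESULT_NAMES.get(err, f"err={err}"),
                         bound_identity(ops, conn)))
    return findings


if __name__ == "__main__":
    for finding in failed_ops(SAMPLE_LOG):
        print(finding)
```

Read the output in conn order: the passsync BIND on conn=35 fails with noSuchObject, so that connection stays anonymous, and the MOD it later sends against john.test is refused with insufficientAccessRights as a consequence, not as a separate ACI problem. Restoring the PassSync account (the one ipa-replica-manage --winsync --passsync is supposed to create) is therefore the first thing to fix before looking at permissions.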
