> On 05/14/2015 04:58 AM, nat...@nathanpeters.com wrote:
>> I have tried to set up synchronization between a FreeIPA domain and an AD
>> domain. The certificates are in the right place.
>>
>> [root@ipadc1 ~]# ipa-replica-manage connect --winsync --binddn "cn=sync user,cn=Users,dc=datacenter,dc=addomain,dc=net" --bindpw secretpassword --passsync secretpassword --cacert /etc/openldap/cacerts/addc1-datacenter.cer addc1.datacenter.addomain.net -v
>> Directory Manager password:
>>
>> Added CA certificate /etc/openldap/cacerts/addc1-datacenter.cer to certificate database for ipadc1.ipadomain.net
>> ipa: INFO: AD Suffix is: DC=datacenter,DC=addomain,DC=net
>> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=ipadomain,dc=net
>> Windows PassSync system account exists, not resetting password
>> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
>> ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: Connect error: start: 0: end: 0
>> ipa: INFO: Agreement is ready, starting replication . . .
>> Starting replication, please wait until this has completed.
>>
>> [ipadc1.ipadomain.net] reports: Update failed! Status: [-11 - LDAP error: Connect error]
>>
>> Failed to start replication
>>
>>
>> This is the system journal while the failure is happening:
>>
>> May 14 02:50:39 ipadc1.ipadomain.net systemd[1]: Stopping 389 Directory Server IPADOMAIN-NET....
>> May 14 02:50:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP error: Can't contact LDAP server: ldap_sync_poll() failed
>> May 14 02:50:41 ipadc1.ipadomain.net named-pkcs11[5594]: ldap_syncrepl will reconnect in 60 seconds
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: ipa : ERROR syncrepl_poll: LDAP error ({'desc': "Can't contact LDAP server"})
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: Traceback (most recent call last):
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/libexec/ipa/ipa-dnskeysyncd", line 106, in <module>
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/lib64/python2.7/site-packages/ldap/syncrepl.py", line 349, in syncrepl_poll
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: add_intermediates=1, add_ctrls=1, all = 0
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 483, in result4
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: result = func(*args,**kwargs)
>> May 14 02:50:41 ipadc1.ipadomain.net ipa-dnskeysyncd[3163]: SERVER_DOWN: {'desc': "Can't contact LDAP server"}
>> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: ipa-dnskeysyncd.service: main process exited, code=exited, status=1/FAILURE
>> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Unit ipa-dnskeysyncd.service entered failed state.
>> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Stopped 389 Directory Server IPADOMAIN-NET..
>> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Starting 389 Directory Server IPADOMAIN-NET....
>> May 14 02:50:41 ipadc1.ipadomain.net systemd[1]: Started 389 Directory Server IPADOMAIN-NET..
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: Configured NSS Ciphers
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA: enabled
>> May 14 02:50:41 ipadc1.ipadomain.net ns-slapd[3268]: [14/May/2015:02:50:41 +0000] - SSL alert: TLS_RSA_WITH_SEED_CBC_SHA: enabled
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: connection to the LDAP server was lost
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>> May 14 02:51:41 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 1
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>> May 14 02:51:41 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 2
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 2
>> May 14 02:51:41 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 3
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: successfully reconnected to LDAP server
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP instance 'ipa' is being synchronized, please ignore message 'all zones loaded'
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP error: Can't contact LDAP server: while modifying(replace) entry 'idnsname=ipadomain.net.,cn=dns,dc=ipadomain,dc=net'
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: retrying LDAP operation (modifying(replace)) on entry 'idnsname=ipadomain.net.,cn=dns,dc=ipadomain,dc=net'
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: LDAP error: Can't contact LDAP server: connection error
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>> May 14 02:51:41 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>> May 14 02:51:41 ipadc1.ipadomain.net systemd[1]: ipa-dnskeysyncd.service holdoff time over, scheduling restart.
>> May 14 02:51:41 ipadc1.ipadomain.net systemd[1]: Stopping IPA key daemon...
>> May 14 02:51:41 ipadc1.ipadomain.net systemd[1]: Starting IPA key daemon...
>> May 14 02:51:41 ipadc1.ipadomain.net systemd[1]: Started IPA key daemon.
>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 1
>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 1
>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 2
>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: GSSAPI client step 2
>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 3
>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: successfully reconnected to LDAP server
>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: zone 19.21.10.in-addr.arpa/IN: loaded serial 1431571902
>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: zone ipadomain.net/IN: loaded serial 1431571901
>> May 14 02:51:42 ipadc1.ipadomain.net named-pkcs11[5594]: 2 master zones from LDAP instance 'ipa' loaded (2 zones defined, 0 inactive, 0 failed to load)
>> May 14 02:51:42 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 1
>> May 14 02:51:42 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 1
>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 1
>> May 14 02:51:42 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 1
>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 2
>> May 14 02:51:42 ipadc1.ipadomain.net sssd_be[5782]: GSSAPI client step 2
>> May 14 02:51:42 ipadc1.ipadomain.net ns-slapd[3269]: GSSAPI server step 3
>> May 14 02:51:43 ipadc1.ipadomain.net ipa-dnskeysyncd[3318]: ipa : INFO LDAP bind...
>
> CCing Alexander. I wonder if it is related to
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1215010
>
> If your AD has the MS update mentioned in the bug and has a CA cert with
> SHA-512 signing, then you may be hitting this bug.
>
Although the AD DC is Server 2012R2, it does not have KB2992611 installed. I also checked the certificate and it is SHA1RSA, not SHA512. I also ensured that the Windows firewall is disabled.
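Since the only concrete lead in the thread so far is the CA certificate's signature algorithm, here is an added, standard-library-only check (example code written for this page, not from the thread or the FreeIPA project) that reads the file passed as --cacert, reports the certificate's outer signatureAlgorithm OID, and flags SHA-512 as the condition the reply ties to the linked bug. The script name, the OID-to-name table and the two embedded sample certificates are assumptions and constructed test data; the only value taken from the thread is the path /etc/openldap/cacerts/addc1-datacenter.cer.

```python
"""check_ca_sigalg.py: report the signatureAlgorithm of an X.509 cert (PEM or DER)
using only the Python standard library. The sample certificates at the bottom are
constructed stand-ins for testing, not real AD CA certificates."""
import base64
import re
import sys

# Assumed mapping of the signature OIDs most likely on an AD CA certificate.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
SHA512_OIDS = {"1.2.840.113549.1.1.13", "1.2.840.10045.4.3.4"}

def _read_tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted form."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this sub-identifier
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def to_der(data):
    """Accept PEM or DER certificate bytes; return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def signature_algorithm_oid(der):
    """Walk Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    and return the dotted OID inside the signatureAlgorithm AlgorithmIdentifier."""
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is this a certificate?)")
    tag, _, tbs_end = _read_tlv(der, pos)          # tbsCertificate, skipped whole
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_pos, _ = _read_tlv(der, tbs_end)      # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_pos)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])

def inspect_ca_cert(data):
    """Return {'oid', 'name', 'sha512'} for PEM or DER certificate bytes."""
    oid = signature_algorithm_oid(to_der(data))
    return {"oid": oid, "name": SIG_ALG_NAMES.get(oid, "unknown"), "sha512": oid in SHA512_OIDS}

def _der(tag, content):
    """Minimal DER encoder, used only to build the constructed samples below."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _sample_cert(sig_oid_hex):
    """Constructed stand-in: dummy tbsCertificate (long-form length), the given
    AlgorithmIdentifier, and a dummy BIT STRING signature. Not a valid cert."""
    tbs = _der(0x30, _der(0x02, b"\x01") + b"\x00" * 300)
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")
    sig = _der(0x03, b"\x00" + b"\xAA" * 8)
    return _der(0x30, tbs + alg + sig)

SAMPLE_SHA1_DER = _sample_cert("2a864886f70d010105")       # sha1WithRSAEncryption
SAMPLE_SHA512_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                     + base64.encodebytes(_sample_cert("2a864886f70d01010d"))
                     + b"-----END CERTIFICATE-----\n")      # sha512WithRSAEncryption

if __name__ == "__main__":
    # Usage: python3 check_ca_sigalg.py /etc/openldap/cacerts/addc1-datacenter.cer
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            info = inspect_ca_cert(f.read())
    else:
        info = inspect_ca_cert(SAMPLE_SHA1_DER)     # offline demo on the constructed sample
    print(f"signatureAlgorithm: {info['name']} ({info['oid']})")
    if info["sha512"]:
        print("NOTE: SHA-512-signed CA cert; see bz#1215010 referenced in the thread")
```

The parser deliberately reads only the outer structure: it skips tbsCertificate as one opaque element and decodes the AlgorithmIdentifier that follows it, so it works on any well-formed certificate without a full X.509 decoder. A SHA1RSA result, as reported above, rules this CA certificate out as the trigger for the linked bug; it says nothing about why the TLS connection itself fails, which has to be diagnosed separately.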