Hi Everybody,

We are trying to create sync between Windows 2012 r2 AD and FreeIPA 4.2.0
(CentOS 7) and we run into an issue.

We are following this documentation:

I know it is a little bit old and now the preferred method is trust and not
sync. But if my understanding is correct in trust you has to use 2
different domain like company.net <--> company.com and can not be user as
company.com <--> company.com

So anyway we are struggling with the full sync. Currently username sync is
working, but their password are not.

Replication was specified:
ipa-replica-manage connect --winsync --binddn
cn=Syncadmin,cn=users,dc=company,dc=com --bindpw ad_password --passsync
syncpassword --cacert /etc/openldap/certs/company.cer

On the Windows we installed and configured 389-PassSync-1.1.5-x86_64 and it
was configured as a following:

Hostname: name_of_centos_server
Password: syncpassword
Password field: userpassword
Port Number: 636
Search base cn=users,cn=compat,dc=company,dc=com
User Name uid/passync,cn=sysaccounts,cn=etc,dc=company,dc=com
User Name Field: ntuserdomainid

Log from passwordsync on windows:
03/04/16 16:45:07: Attempting to sync password for test.user
03/04/16 16:45:07: Searching for (ntuserdomainid=test.user)
03/04/16 16:45:07: There are no entries that match: test.user
03/04/16 16:45:07: Deferring password change for test.user
03/04/16 16:45:07: Backing off for 1024000ms

Trying user on CentOS:
kinit test.user -V
Using new cache: persistent:0:krb_ccache_wyIa8Nj
Using principal: test.u...@company.com
kinit: Generic preauthentication failure while getting initial credentials

log from /var/log/dirsrv/slapd-COMPANY-COM/access

[04/Mar/2016:17:10:08 +0000] conn=4 op=677 SRCH base="dc=jighi,dc=com"
test.u...@jighi.com))" attrs="krbPrincipalName krbCanonicalName
ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference
krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData
krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife
krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData
ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[04/Mar/2016:17:10:08 +0000] conn=4 op=677 RESULT err=0 tag=101 nentries=1
[04/Mar/2016:17:10:08 +0000] conn=4 op=678 SRCH
scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
krbMaxRenewableAge krbTicketFlags"
[04/Mar/2016:17:10:08 +0000] conn=4 op=678 RESULT err=0 tag=101 nentries=1

Can somebody help in what we are missing?

Csaba Patyi
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to