Hi Everybody,

We are trying to create a sync between Windows 2012 R2 AD and FreeIPA 4.2.0 (CentOS 7) and we have run into an issue.

We are following this documentation: https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/active-directory.html

I know it is a little bit old and now the preferred method is trust and not sync. But if my understanding is correct, in a trust you have to use 2 different domains, like company.net <--> company.com, and it cannot be used as company.com <--> company.com.

So anyway, we are struggling with the full sync. Currently username sync is working, but their passwords are not.

Replication was specified:

  ipa-replica-manage connect --winsync --binddn cn=Syncadmin,cn=users,dc=company,dc=com --bindpw ad_password --passsync syncpassword --cacert /etc/openldap/certs/company.cer companypdc.company.com

On the Windows side we installed and configured 389-PassSync-1.1.5-x86_64, and it was configured as follows:

  Hostname: name_of_centos_server
  Password: syncpassword
  Password field: userpassword
  Port Number: 636
  Search base: cn=users,cn=compat,dc=company,dc=com
  User Name: uid/passync,cn=sysaccounts,cn=etc,dc=company,dc=com
  User Name Field: ntuserdomainid

Log from PasswordSync on Windows:

  03/04/16 16:45:07: Attempting to sync password for test.user
  03/04/16 16:45:07: Searching for (ntuserdomainid=test.user)
  03/04/16 16:45:07: There are no entries that match: test.user
  03/04/16 16:45:07: Deferring password change for test.user
  03/04/16 16:45:07: Backing off for 1024000ms

Trying the user on CentOS:

  kinit test.user -V
  Using new cache: persistent:0:krb_ccache_wyIa8Nj
  Using principal: [email protected]
  kinit: Generic preauthentication failure while getting initial credentials

Log from /var/log/dirsrv/slapd-COMPANY-COM/access:

  [04/Mar/2016:17:10:08 +0000] conn=4 op=677 SRCH base="dc=jighi,dc=com" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName= [email protected]))" attrs="krbPrincipalName krbCanonicalName ipaKrbPrincipalAlias krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
  [04/Mar/2016:17:10:08 +0000] conn=4 op=677 RESULT err=0 tag=101 nentries=1 etime=0
  [04/Mar/2016:17:10:08 +0000] conn=4 op=678 SRCH base="cn=JIGHI.COM,cn=kerberos,dc=jighi,dc=com" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
  [04/Mar/2016:17:10:08 +0000] conn=4 op=678 RESULT err=0 tag=101 nentries=1 etime=0

Can somebody help with what we are missing?

Regards,
Csaba Patyi
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
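The PassSync log above only says "There are no entries that match"; the side of the exchange that tells you why is the 389-ds access log on the FreeIPA server, where PassSync's own connection shows the bind DN it used, the base DN and filter it searched, and nentries=0 in the matching RESULT line. The access-log excerpt in the post shows only the KDC's krbPrincipalName lookups on conn=4, not PassSync's search. The script below is an added example, not code from the post or from the FreeIPA or 389-ds projects: it parses both log formats from constructed sample lines, pairs each SRCH with the identity bound on its connection, and reports, for every user PassSync deferred, the server-side search that came back empty. The sample access log, the service-account DN uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com, and the contrasting search against cn=users,cn=accounts with the uid attribute (the subtree where FreeIPA keeps its writable user entries, as opposed to the read-only compat view) are all assumptions made for illustration.

```python
"""Correlate PassSync's Windows-side log with the 389-ds access log on FreeIPA.

PassSync reports only "There are no entries that match"; the access log shows
the exact bind identity, base DN and filter of the search that returned
nothing, which is what you need in order to see why the entry was not found.
Added example; sample data below is constructed, not taken from a real server.
"""
import re

# Constructed sample in the format PassSync writes on Windows (modelled on the post).
PASSSYNC_LOG = """\
03/04/16 16:45:07: Attempting to sync password for test.user
03/04/16 16:45:07: Searching for (ntuserdomainid=test.user)
03/04/16 16:45:07: There are no entries that match: test.user
03/04/16 16:45:07: Deferring password change for test.user
03/04/16 16:45:07: Backing off for 1024000ms
"""

# Constructed sample of /var/log/dirsrv/slapd-*/access: the assumed PassSync
# service account binds, searches the compat tree with the configured filter
# and gets nothing back; a hypothetical second search against
# cn=users,cn=accounts with the uid attribute is included for contrast.
ACCESS_LOG = """\
[04/Mar/2016:16:45:07 +0000] conn=12 op=0 BIND dn="uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com" method=128 version=3
[04/Mar/2016:16:45:07 +0000] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com"
[04/Mar/2016:16:45:07 +0000] conn=12 op=1 SRCH base="cn=users,cn=compat,dc=company,dc=com" scope=2 filter="(ntuserdomainid=test.user)" attrs="dn"
[04/Mar/2016:16:45:07 +0000] conn=12 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[04/Mar/2016:16:45:09 +0000] conn=12 op=2 SRCH base="cn=users,cn=accounts,dc=company,dc=com" scope=2 filter="(uid=test.user)" attrs="dn"
[04/Mar/2016:16:45:09 +0000] conn=12 op=2 RESULT err=0 tag=101 nentries=1 etime=0
"""

ACCESS_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'(?P<kind>BIND|SRCH|RESULT)(?P<rest>.*)$')
# key=value pairs; a "quoted" value may contain spaces and '=' (DNs, filters), bare values may not
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PASSSYNC_RE = re.compile(r'^\d\d/\d\d/\d\d \d\d:\d\d:\d\d: (?P<msg>.*)$')


def parse_access_log(text):
    """Merge each BIND/SRCH request line with its RESULT line, keyed by (conn, op)."""
    ops = {}
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # MOD, UNBIND, etc. are not needed for this check
        key = (int(m['conn']), int(m['op']))
        rec = ops.setdefault(key, {'conn': key[0], 'op': key[1]})
        fields = {k: (q if q else b) for k, q, b in KV_RE.findall(m['rest'])}
        if m['kind'] == 'RESULT':
            rec['err'] = int(fields.get('err', -1))
            rec['nentries'] = int(fields.get('nentries', 0))
        else:
            rec['kind'] = m['kind']
            rec.update(fields)  # dn= for BIND; base=, scope=, filter=, attrs= for SRCH
    return ops


def searches_with_identity(ops):
    """List every search together with the DN bound on that connection and its result."""
    bound = {}
    out = []
    for key in sorted(ops):  # (conn, op) order reproduces the wire order per connection
        rec = ops[key]
        if rec.get('kind') == 'BIND' and rec.get('err') == 0:
            bound[rec['conn']] = rec.get('dn', 'anonymous')
        elif rec.get('kind') == 'SRCH':
            out.append({
                'bound_as': bound.get(rec['conn'], 'anonymous'),
                'base': rec.get('base', ''),
                'filter': rec.get('filter', ''),
                'nentries': rec.get('nentries', 0),
                'err': rec.get('err', -1),
            })
    return out


def deferred_users(text):
    """Map each user PassSync deferred to the LDAP filter it searched with."""
    last_filter = None
    deferred = {}
    for line in text.splitlines():
        m = PASSSYNC_RE.match(line)
        if not m:
            continue
        msg = m['msg']
        if msg.startswith('Searching for '):
            last_filter = msg[len('Searching for '):]
        elif msg.startswith('There are no entries that match: '):
            deferred[msg[len('There are no entries that match: '):]] = last_filter
    return deferred


def explain(passsync_text, access_text):
    """For each deferred user, find the server-side search that matched nothing."""
    searches = searches_with_identity(parse_access_log(access_text))
    report = []
    for user, flt in deferred_users(passsync_text).items():
        hits = [s for s in searches if s['filter'] == flt]
        for s in hits:
            report.append((user, s['bound_as'], s['base'], s['filter'], s['nentries']))
        if not hits:  # the search never reached this server: check host, port 636, TLS or bind
            report.append((user, None, None, flt, None))
    return report


if __name__ == '__main__':
    for user, who, base, flt, n in explain(PASSSYNC_LOG, ACCESS_LOG):
        if who is None:
            print(f'{user}: no search with filter {flt} in the access log')
        else:
            print(f'{user}: {"FOUND" if n else "EMPTY"} as {who} under {base} with {flt} (nentries={n})')
    for s in searches_with_identity(parse_access_log(ACCESS_LOG)):
        print(f"  base={s['base']} filter={s['filter']} nentries={s['nentries']}")
```

Run it against a copy of the real access log (replace ACCESS_LOG with the file contents) and look for the connection whose BIND dn is the PassSync service account; if no such connection appears at all, the problem is in front of the directory (host name, port 636, the TLS trust, or the bind itself), and if the connection is there with nentries=0, the base DN and attribute in the filter are what to compare against an ldapsearch done by hand with the same bind DN. The kinit failure in the post is what you would expect when the password never reached the entry.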
