[Freeipa-users] Creating password sync
Ok, so I have my replication agreement set up, and I see accounts coming in to my IDM server from AD. I have followed this guide from Red Hat to set up my password sync: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html

I get no errors but my passwords are not syncing! Help! The documentation tells of no way to verify or troubleshoot.

Thank you,
-Todd Maugh
tma...@boingo.com

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Creating password sync
On 02/04/2014 10:17 AM, Todd Maugh wrote:
> Also, I have verified the password synchronization service is started and running on the Windows 2008 R2 server, but I can't tell if or what it is doing because I'm not getting passwords to my IDM.

http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging

You can also look at the 389 access log to see if you have connections from the windows box.
Re: [Freeipa-users] Creating password sync
Also, I have verified the password synchronization service is started and running on the Windows 2008 R2 server, but I can't tell if or what it is doing because I'm not getting passwords to my IDM.

From: Todd Maugh
Sent: Tuesday, February 04, 2014 9:04 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] Creating password sync
[Freeipa-users] Upgrade from CentOS to Fedora (3.0.0 - 3.3.3)
Hello IPA users :)

We have implemented IPA using the packaged version in CentOS 6.5 (which is 3.0.0-37.el6), but have been playing with the more recent version in Fedora 19 (3.3.3-2.fc19) and are quite keen to take advantage of the shiny new features, so are thinking about migrating.

Has anyone done this? Is there an easy way to migrate/upgrade? What would happen if I tried to set up a FC19 replica, would it get angry and break?

We only have users in production so far (no production clients or issued certs), so maybe the user migration script mentioned in previous posts would be the best bet?

Any pointers would be hugely appreciated..

--
Kind regards,
Will Sheldon
Re: [Freeipa-users] Creating password sync
I'm seeing these errors in the passsync.log:

32: No such object
02/03/14 16:23:40: Ldap error in QueryUsername 32: No such object
02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
02/03/14 16:57:48: Ldap bind error in Connect 32: No such object
02/03/14 16:57:48: Ldap error in QueryUsername 32: No such object
02/03/14 18:06:04: Abandoning password change for scottb, backoff expired
02/03/14 18:06:04: Ldap bind error in Connect 32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 10:25:00: Ldap bind error in Connect 32: No such object
02/04/14 10:58:37: Ldap bind error in Connect 32: No such object
02/04/14 10:58:37: PassSync service stopped
02/04/14 10:58:38: PassSync service initialized
02/04/14 10:58:38: PassSync service running
02/04/14 10:58:39: Ldap bind error in Connect 32: No such object

From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 9:19 AM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync
Re: [Freeipa-users] Creating password sync
Now I am getting this after rerunning the install and trying to reinstall my cert:

LDAP bind error in connect 81: Can't Contact LDAP Server

From: Todd Maugh
Sent: Tuesday, February 04, 2014 11:56 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating password sync
Re: [Freeipa-users] Creating password sync
My passhook.log file is empty.

From: Todd Maugh
Sent: Tuesday, February 04, 2014 11:56 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating password sync
Re: [Freeipa-users] ipa AD trust issue
> has anyone worked it out. Secondly cifs-utils has a dependency on samba3 packages and ipa-ad-trust needs samba4, but samba3 and samba4 don't like each other, so this is the story of my experience with ipa. Any suggestions?

> Why do you need cifs-utils on the same server? cifs-utils is to make a system a client to a MSFT file server; AFAIU you can't make an IPA server be a cifs client.

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html

Step 3 mentions that cifs-utils is required, but:

yum install cifs-utils
Loaded plugins: product-id, security, subscription-manager
This system is receiving updates from Red Hat Subscription Management.
rhel-6-server-cf-tools-1-rpms | 2.8 kB 00:00
rhel-6-server-rhev-agent-rpms | 3.1 kB 00:00
rhel-6-server-rpms | 3.7 kB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package cifs-utils.x86_64 0:4.8.1-19.el6 will be installed
--> Processing Dependency: libwbclient.so.0()(64bit) for package: cifs-utils-4.8.1-19.el6.x86_64
--> Running transaction check
---> Package samba-winbind-clients.x86_64 0:3.6.9-167.el6_5 will be installed
--> Processing Dependency: samba-winbind = 3.6.9-167.el6_5 for package: samba-winbind-clients-3.6.9-167.el6_5.x86_64
--> Running transaction check
---> Package samba-winbind.x86_64 0:3.6.9-167.el6_5 will be installed
--> Processing Dependency: samba-common = 3.6.9-167.el6_5 for package: samba-winbind-3.6.9-167.el6_5.x86_64
--> Running transaction check
---> Package samba-common.x86_64 0:3.6.9-167.el6_5 will be installed
--> Processing Conflict: samba4-common-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-common 3.9.9
--> Processing Conflict: samba4-winbind-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-winbind 3.9.9
--> Processing Conflict: samba4-winbind-clients-4.0.0-60.el6_5.rc4.x86_64 conflicts samba-winbind-clients 3.9.9
--> Finished Dependency Resolution
Error: samba4-common conflicts with samba-common-3.6.9-167.el6_5.x86_64
Error: samba4-winbind-clients conflicts with samba-winbind-clients-3.6.9-167.el6_5.x86_64
Error: samba4-winbind conflicts with samba-winbind-3.6.9-167.el6_5.x86_64
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

Is this no longer a requirement? Can this documentation be updated?

Steve
Re: [Freeipa-users] Creating password sync
On 02/04/2014 01:13 PM, Todd Maugh wrote:
> Now I am getting this after rerunning the install and trying to reinstall my cert:
>
> LDAP bind error in connect 81: Can't Contact LDAP Server

That means

1) ipa ldap server is down
2) some sort of network problem
3) incorrect host/port specified in passsync config
4) host specified in passsync config is not the FQDN, or the FQDN doesn't resolve both forward and reverse from the windows box
5) host specified in the passsync config does not match the ipa ldap server certificate subject dn
6) incorrect CA cert installed in passsync cert db
Re: [Freeipa-users] Creating password sync
On 02/04/2014 01:20 PM, Todd Maugh wrote:
> My passhook.log file is empty.

Have you changed any passwords in AD?
Re: [Freeipa-users] Creating password sync
I have not changed any passwords in AD yet, and the users I have in IDM from AD, their passwords are not working.

From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 12:40 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync
Re: [Freeipa-users] Creating password sync
I tried changing the password for a user in AD. This is what the passsync log shows:

02/04/14 12:29:14: Ldap bind error in Connect 81: Can't contact LDAP server
02/04/14 12:49:34: Ldap bind error in Connect 81: Can't contact LDAP server
02/04/14 12:49:34: Ldap error in QueryUsername 81: Can't contact LDAP server
02/04/14 12:49:36: Ldap bind error in Connect 81: Can't contact LDAP server
02/04/14 12:49:36: Ldap error in QueryUsername 81: Can't contact LDAP server

And you say this is one of many issues with passsync. Do you recommend another option?

From: Todd Maugh
Sent: Tuesday, February 04, 2014 12:48 PM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: RE: Creating password sync

But what about the can't contact LDAP server in the passsync log? And are you saying I should try to change one of the passwords in AD for it to go to IDM, or vice versa? Thanks

From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 12:45 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:42 PM, Todd Maugh wrote:
> I have not changed any passwords in AD yet.

Then passsync will not have sent anything.

> and the users I have in IDM from AD, their passwords are not working

Right. This is one of the (many) problems with the passsync approach - there currently is no way to populate the initial passwords - that is, passsync/IdM cannot copy your passwords over from AD to IdM.
Re: [Freeipa-users] Creating password sync
On 02/04/2014 01:57 PM, Todd Maugh wrote:
> I tested a SSL connection from my LDAP server to AD.

Ok. What about the ssl connection from the windows AD machine to your IdM ldap server?

> This is the output:
>
> openssl s_client -connect qatestdc2.boingoqa.local:636
> CONNECTED(0003)
> depth=0
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:
>    i:/DC=local/DC=boingoqa/CN=SKYWARPCA
> ---
> Server certificate
> subject=
> issuer=/DC=local/DC=boingoqa/CN=SKYWARPCA
> ---
> Acceptable client certificate CA names
> /DC=local/DC=boingoqa/CN=SKYWARPCA
> /CN=QATESTDC2.boingoqa.local
> /DC=local/DC=boingoqa/CN=boingoqaca
> /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
> /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
> /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
> /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
> /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
> /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
> /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
> /O=BOINGO.COM/CN=Certificate Authority
> /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
> /DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
> /CN=NT AUTHORITY
> ---
> SSL handshake has read 3480 bytes and written 601 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES128-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES128-SHA
>     Session-ID: 333C854E673466C6993943C1FBC7E65382AB7C486AFA750CB5F76D45302A
>     Session-ID-ctx:
>     Master-Key: 63BF2A0621C3438C7CD8A0037B3769FC9182FF517B7D07265B8EE5F74FD90BBA0B8E56B9F466F3502F32C816076DAA47
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1391547347
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
Re: [Freeipa-users] Creating password sync
On 02/04/2014 01:53 PM, Todd Maugh wrote:
> I tried changing the password for a user in AD
>
> this is what the passsync log shows:
>
> 02/04/14 12:29:14: Ldap bind error in Connect 81: Can't contact LDAP server
> 02/04/14 12:49:34: Ldap bind error in Connect 81: Can't contact LDAP server
> 02/04/14 12:49:34: Ldap error in QueryUsername 81: Can't contact LDAP server
> 02/04/14 12:49:36: Ldap bind error in Connect 81: Can't contact LDAP server
> 02/04/14 12:49:36: Ldap error in QueryUsername 81: Can't contact LDAP server
>
> and you say this is one of many issues with passsync. do you recommend another option?

"LDAP bind error in connect 81: Can't Contact LDAP Server"

That means
1) ipa ldap server is down
2) some sort of network problem
3) incorrect host/port specified in passsync config
4) host specified in passsync config is not the FQDN, or the FQDN doesn't resolve both forward and reverse from the windows box
5) host specified in the passsync config does not match the ipa ldap server certificate subject dn
6) incorrect CA cert installed in passsync cert db

In order for AD to send a password, you have to change a password in AD.

When I said "This is one of the (many) problems with passsync", I meant that passsync will not sync existing passwords from AD to IdM. Passsync requires an AD password change operation in order to sync a password. If you were expecting that your existing AD passwords would just suddenly work in IdM, without having all of your AD users change their passwords, that's not how passsync works. There is no way to do that. This is but one of the reasons why the AD/IdM cross domain trust solution is preferred.

When I said "This is one of the (many) problems with passsync", I most certainly did not mean that "LDAP bind error in connect 81: Can't Contact LDAP Server" is one of the many problems. It is almost always a configuration issue.

> From: Todd Maugh
> Sent: Tuesday, February 04, 2014 12:48 PM
> To: Rich Megginson; d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: RE: Creating password sync
>
> but what about the can't contact LDAP server in the passsync log
>
> and are you saying I should try to change one of the passwords in AD for it to go to IDM, or vice versa?
>
> thanks
>
> From: Rich Megginson [rmegg...@redhat.com]
> Sent: Tuesday, February 04, 2014 12:45 PM
> To: Todd Maugh; d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: Creating password sync
>
> On 02/04/2014 01:42 PM, Todd Maugh wrote:
>> I have not changed any passwords in AD yet.
>
> Then passsync will not have sent anything.
>
>> and the users I have in IDM from AD, their passwords are not working
>
> Right. This is one of the (many) problems with the passsync approach - there currently is no way to populate the initial passwords - that is, passsync/IdM cannot copy your passwords over from AD to IdM.
>
> From: Rich Megginson [rmegg...@redhat.com]
> Sent: Tuesday, February 04, 2014 12:40 PM
> To: Todd Maugh; d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: Creating password sync
>
> On 02/04/2014 01:20 PM, Todd Maugh wrote:
>> my passhook.log file is empty
>
> Have you changed any passwords in AD?
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Todd Maugh [tma...@boingo.com]
> Sent: Tuesday, February 04, 2014 11:56 AM
> To: Rich Megginson; d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Creating password sync
>
> I'm seeing these errors in the passsync.log
>
> 32: No such object
> 02/03/14 16:23:40: Ldap error in QueryUsername 32: No such object
> 02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
> 02/03/14 16:57:48: Ldap bind error in Connect 32: No such object
> 02/03/14 16:57:48: Ldap error in QueryUsername 32: No such object
> 02/03/14 18:06:04: Abandoning password change for scottb, backoff expired
> 02/03/14 18:06:04: Ldap bind error in Connect 32: No such object
> 02/04/14 10:24:59: PassSync service initialized
> 02/04/14 10:24:59: PassSync service running
> 02/04/14 10:25:00: Ldap bind error in Connect 32: No such object
> 02/04/14 10:58:37: Ldap bind error in Connect 32: No such object
> 02/04/14 10:58:37: PassSync service stopped
> 02/04/14 10:58:38: PassSync service initialized
> 02/04/14 10:58:38: PassSync service running
> 02/04/14 10:58:39: Ldap bind error in Connect 32: No such object
>
> From: Rich Megginson [rmegg...@redhat.com]
> Sent: Tuesday, February 04, 2014 9:19 AM
> To: Todd Maugh; d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: Creating password sync
>
> On 02/04/2014 10:17 AM, Todd Maugh wrote:
>> also I have verified the
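Added example, not code from the thread or from PassSync itself: a small Python triage script for the passsync.log lines quoted in this thread. It counts failures per LDAP result code, lists the password changes PassSync abandoned, and attaches Rich's checklist to result 81; the reading given for result 32 (bind DN or search base missing on the IdM server) is this example's own interpretation, and the sample log is constructed from the excerpts above.

```python
"""Triage a PassSync log (passsync.log on the Windows side).

Added example, not part of the mailing-list thread and not PassSync code.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a mix of the two passsync.log excerpts quoted in the
# thread, including the truncated "32: No such object" line that has no timestamp.
SAMPLE_LOG = """\
32: No such object
02/03/14 16:23:40: Ldap error in QueryUsername 32: No such object
02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
02/03/14 16:57:48: Ldap bind error in Connect 32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 12:29:14: Ldap bind error in Connect 81: Can't contact LDAP server
02/04/14 12:49:34: Ldap error in QueryUsername 81: Can't contact LDAP server
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d): (?P<msg>.*)$")
LDAP_ERR_RE = re.compile(r"^Ldap (?:bind )?error in (?P<op>\w+) (?P<code>\d+): (?P<text>.*)$")
ABANDON_RE = re.compile(r"^Abandoning password change for (?P<user>\S+), backoff expired$")

# Result codes are the standard LDAP ones (RFC 4511). The checklist for 81 is
# Rich's from the thread; the reading of 32 is this example's interpretation:
# noSuchObject on the bind (Connect) means the bind DN does not exist, and on
# the search (QueryUsername) means the search base does not exist.
CHECKLIST = {
    81: [
        "ipa ldap server is down",
        "some sort of network problem",
        "incorrect host/port specified in passsync config",
        "host specified in passsync config is not the FQDN, or the FQDN doesn't "
        "resolve both forward and reverse from the windows box",
        "host specified in the passsync config does not match the ipa ldap server "
        "certificate subject dn",
        "incorrect CA cert installed in passsync cert db",
    ],
    32: [
        "bind DN in the passsync config does not exist on the IdM server (Connect)",
        "search base in the passsync config does not exist on the IdM server (QueryUsername)",
    ],
}


def parse_passsync_log(text):
    """Return (errors, abandoned, service_events).

    errors:         Counter keyed by (ldap_result_code, operation)
    abandoned:      {username: [timestamps]} for changes PassSync dropped after backoff
    service_events: [(timestamp, "initialized" | "running" | "stopped")]
    """
    errors = Counter()
    abandoned = defaultdict(list)
    service_events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # lines without a timestamp (truncated in the thread) are skipped
            continue
        ts, msg = m.group("ts"), m.group("msg")
        e = LDAP_ERR_RE.match(msg)
        if e:
            errors[(int(e.group("code")), e.group("op"))] += 1
            continue
        a = ABANDON_RE.match(msg)
        if a:
            abandoned[a.group("user")].append(ts)
            continue
        if msg.startswith("PassSync service "):
            service_events.append((ts, msg[len("PassSync service "):]))
    return errors, dict(abandoned), service_events


def triage(errors):
    """Collapse per-operation counts to per-code counts and attach the checklist."""
    by_code = Counter()
    for (code, _op), n in errors.items():
        by_code[code] += n
    return [(code, n, CHECKLIST.get(code, ["look up LDAP result code %d in RFC 4511" % code]))
            for code, n in sorted(by_code.items())]


def report(text):
    """Human-readable summary of one passsync.log."""
    errors, abandoned, service_events = parse_passsync_log(text)
    lines = []
    for code, n, checks in triage(errors):
        lines.append("LDAP result %d seen %d time(s); check:" % (code, n))
        lines.extend("  %d) %s" % (i, c) for i, c in enumerate(checks, 1))
    for user, stamps in sorted(abandoned.items()):
        # An abandoned change is not retried: once the config is fixed, this
        # user must change the AD password again for it to reach IdM.
        lines.append("%s: %d change(s) dropped, last at %s; needs a fresh AD password change"
                     % (user, len(stamps), stamps[-1]))
    lines.append("service restarts: %d"
                 % sum(1 for _, ev in service_events if ev == "initialized"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```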
[Freeipa-users] ipa-server-install fails (RHEL 6.5)
Following this guide: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/trust-diff-dns-domains.html

STEP 4:

ipa-server-install --setup-dns -p 'password' -a 'password' -r MIOVISION.LINUX -n miovision.linux --hostname ipa1.miovision.linux --forwarder=10.0.0.2 --forwarder=10.0.0.5

Server host name [ipa1.miovision.linux]:
Warning: skipping DNS resolution of host ipa1.miovision.linux
Unable to resolve IP address for host name
Please provide the IP address to be used for this host name: 10.0.6.3
Adding [10.0.6.3 ipa1.miovision.linux] to your /etc/hosts file
Do you want to configure the reverse zone? [yes]:
Please specify the reverse zone name [6.0.10.in-addr.arpa.]:
Using reverse zone 6.0.10.in-addr.arpa.

The IPA Master Server will be configured with:
Hostname:    ipa1.miovision.linux
IP address:  10.0.6.3
Domain name: miovision.linux
Realm name:  MIOVISION.LINUX

BIND DNS server will be configured to serve IPA domain with:
Forwarders:   10.0.0.2, 10.0.0.5
Reverse zone: 6.0.10.in-addr.arpa.

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
...
Done configuring directory server (dirsrv).

Configuring Kerberos KDC (krb5kdc): Estimated time 30 seconds
  [1/10]: adding sasl mappings to the directory
  [2/10]: adding kerberos container to the directory
  [3/10]: configuring KDC
  [4/10]: initialize kerberos container
Failed to initialize the realm container
  [5/10]: adding default ACIs
  [6/10]: creating a keytab for the directory
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command 'kadmin.local -q addprinc -randkey ldap/ipa1.miovision.linux@MIOVISION.LINUX -x ipa-setup-override-restrictions' returned non-zero exit status 1

/var/log/ipaserver-install.log:

add aci:
(target="ldap:///cn=*,cn=ca_renewal,cn=ipa,cn=etc,dc=miovision,dc=linux")(targetattr="userCertificate")(version 3.0; acl "Modify CA Certificates for renewals"; allow(write) userdn = "ldap:///fqdn=ipa1.miovision.linux,cn=computers,cn=accounts,dc=miovision,dc=linux";)
modifying entry "cn=ipa,cn=etc,dc=miovision,dc=linux"
modify complete

2014-02-04T20:45:51Z DEBUG stderr=ldap_initialize( ldapi://%2Fvar%2Frun%2Fslapd-MIOVISION-LINUX.socket/??base )
2014-02-04T20:45:51Z DEBUG duration: 6 seconds
2014-02-04T20:45:51Z DEBUG   [6/10]: creating a keytab for the directory
2014-02-04T20:45:51Z DEBUG args=kadmin.local -q addprinc -randkey ldap/ipa1.miovision.linux@MIOVISION.LINUX -x ipa-setup-override-restrictions
2014-02-04T20:45:51Z DEBUG stdout=Authenticating as principal root/admin@MIOVISION.LINUX with password.
2014-02-04T20:45:51Z DEBUG stderr=kadmin.local: No such entry in the database while initializing kadmin.local interface
2014-02-04T20:45:51Z INFO   File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 614, in run_script
    return_value = main_function()
  File "/usr/sbin/ipa-server-install", line 1024, in main
    subject_base=options.subject)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", line 183, in create_instance
    self.start_creation(runtime=30)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/service.py", line 358, in start_creation
    method()
  File "/usr/lib/python2.6/site-packages/ipaserver/install/krbinstance.py", line 386, in __create_ds_keytab
    installutils.kadmin_addprinc(ldap_principal)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 369, in kadmin_addprinc
    kadmin("addprinc -randkey " + principal)
  File "/usr/lib/python2.6/site-packages/ipaserver/install/installutils.py", line 366, in kadmin
    "-x", "ipa-setup-override-restrictions"])
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 316, in run
    raise CalledProcessError(p.returncode, args)
2014-02-04T20:45:51Z INFO The ipa-server-install command failed, exception: CalledProcessError: Command 'kadmin.local -q addprinc -randkey ldap/ipa1.miovision.linux@MIOVISION.LINUX -x ipa-setup-override-restrictions' returned non-zero exit status 1

Steve Dainard
IT Infrastructure Manager
Miovision
http://miovision.com/
___ Freeipa-users mailing list Freeipa-users@redhat.com
Re: [Freeipa-users] Creating password sync
but what about the can't contact LDAP server in the passsync log

and are you saying I should try to change one of the passwords in AD for it to go to IDM, or vice versa?

thanks

From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 12:45 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:42 PM, Todd Maugh wrote:
> I have not changed any passwords in AD yet.

Then passsync will not have sent anything.

> and the users I have in IDM from AD, their passwords are not working

Right. This is one of the (many) problems with the passsync approach - there currently is no way to populate the initial passwords - that is, passsync/IdM cannot copy your passwords over from AD to IdM.

From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 12:40 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:20 PM, Todd Maugh wrote:
> my passhook.log file is empty

Have you changed any passwords in AD?
Re: [Freeipa-users] Creating password sync
On 02/04/2014 01:48 PM, Todd Maugh wrote:
> but what about the can't contact LDAP server in the passsync log

"LDAP bind error in connect 81: Can't Contact LDAP Server"

That means
1) ipa ldap server is down
2) some sort of network problem
3) incorrect host/port specified in passsync config
4) host specified in passsync config is not the FQDN, or the FQDN doesn't resolve both forward and reverse from the windows box
5) host specified in the passsync config does not match the ipa ldap server certificate subject dn
6) incorrect CA cert installed in passsync cert db

> and are you saying I should try to change one of the passwords in AD for it to go to IDM, or vice versa?

In order for AD to send a password, you have to change a password in AD.

When I said "This is one of the (many) problems with passsync", I meant that passsync will not sync existing passwords from AD to IdM. Passsync requires an AD password change operation in order to sync a password. If you were expecting that your existing AD passwords would just suddenly work in IdM, without having all of your AD users change their passwords, that's not how passsync works. There is no way to do that. This is but one of the reasons why the AD/IdM cross domain trust solution is preferred.

When I said "This is one of the (many) problems with passsync", I most certainly did not mean that "LDAP bind error in connect 81: Can't Contact LDAP Server" is one of the many problems. It is almost always a configuration issue.

> thanks
>
> From: Rich Megginson [rmegg...@redhat.com]
> Sent: Tuesday, February 04, 2014 12:45 PM
> To: Todd Maugh; d...@redhat.com
> Cc: freeipa-users@redhat.com
> Subject: Re: Creating password sync
>
> On 02/04/2014 01:42 PM, Todd Maugh wrote:
>> I have not changed any passwords in AD yet.
>
> Then passsync will not have sent anything.
>
>> and the users I have in IDM from AD, their passwords are not working
>
> Right. This is one of the (many) problems with the passsync approach - there currently is no way to populate the initial passwords - that is, passsync/IdM cannot copy your passwords over from AD to IdM.
Re: [Freeipa-users] Creating password sync
I tested a ssl connection from my ldap server to AD

this is the output

openssl s_client -connect qatestdc2.boingoqa.local:636
CONNECTED(0003)
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=27:certificate not trusted
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:
   i:/DC=local/DC=boingoqa/CN=SKYWARPCA
---
Server certificate
[base64 certificate body omitted]
subject=
issuer=/DC=local/DC=boingoqa/CN=SKYWARPCA
---
Acceptable client certificate CA names
/DC=local/DC=boingoqa/CN=SKYWARPCA
/CN=QATESTDC2.boingoqa.local
/DC=local/DC=boingoqa/CN=boingoqaca
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/O=BOINGO.COM/CN=Certificate Authority
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/CN=NT AUTHORITY
---
SSL handshake has read 3480 bytes and written 601 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 333C854E673466C6993943C1FBC7E65382AB7C486AFA750CB5F76D45302A
    Session-ID-ctx:
    Master-Key: 63BF2A0621C3438C7CD8A0037B3769FC9182FF517B7D07265B8EE5F74FD90BBA0B8E56B9F466F3502F32C816076DAA47
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1391547347
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
Re: [Freeipa-users] Creating password sync
trying to find a command to check that connection

From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 1:02 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:57 PM, Todd Maugh wrote:
> I tested a ssl connection from my ldap server to AD

Ok. What about the ssl connection from the windows AD machine to your IdM ldap server?

> this is the output
>
> openssl s_client -connect qatestdc2.boingoqa.local:636
> [...]
Re: [Freeipa-users] Creating password sync
> Ok. What about the ssl connection from the windows AD machine to your IdM ldap server?

ld = ldap_sslinit("se-idm-01.boingo.com:636", 389, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to se-idm-01.boingo.com:636.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
dataversion: 020140131234000;
defaultnamingcontext: dc=boingo,dc=com;
lastusn: 5177;
namingContexts: dc=boingo,dc=com;
netscapemdsuffix: cn=ldap://dc=se-idm-01,dc=boingo,dc=com:389;
objectClass: top;
supportedControl (21): 2.16.840.1.113730.3.4.2; 2.16.840.1.113730.3.4.3; 2.16.840.1.113730.3.4.4; 2.16.840.1.113730.3.4.5; 1.2.840.113556.1.4.473 = ( SORT ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.16; 2.16.840.1.113730.3.4.15; 2.16.840.1.113730.3.4.17; 2.16.840.1.113730.3.4.19; 1.3.6.1.4.1.42.2.27.8.5.1; 1.3.6.1.4.1.42.2.27.9.5.2; 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.3.6.1.4.1.42.2.27.9.5.8; 1.3.6.1.4.1.4203.666.5.16; 2.16.840.1.113730.3.4.14; 2.16.840.1.113730.3.4.20; 1.3.6.1.4.1.1466.29539.12; 2.16.840.1.113730.3.4.12; 2.16.840.1.113730.3.4.18; 2.16.840.1.113730.3.4.13;
supportedExtension (17): 2.16.840.1.113730.3.5.7; 2.16.840.1.113730.3.5.8; 2.16.840.1.113730.3.5.10; 2.16.840.1.113730.3.8.10.3; 1.3.6.1.4.1.4203.1.11.1; 2.16.840.1.113730.3.8.10.1; 2.16.840.1.113730.3.5.3; 2.16.840.1.113730.3.5.12; 2.16.840.1.113730.3.5.5; 2.16.840.1.113730.3.5.6; 2.16.840.1.113730.3.5.9; 2.16.840.1.113730.3.5.4; 2.16.840.1.113730.3.6.5; 2.16.840.1.113730.3.6.6; 2.16.840.1.113730.3.6.7; 2.16.840.1.113730.3.6.8; 1.3.6.1.4.1.1466.20037 = ( START_TLS );
supportedLDAPVersion (2): 2; 3;
supportedSASLMechanisms (7): EXTERNAL; ANONYMOUS; PLAIN; LOGIN; DIGEST-MD5; GSSAPI; CRAM-MD5;
vendorName: 389 Project;
vendorVersion: 389-Directory/1.2.11.15 B2013.337.1530;

>> this is the output
>>
>> openssl s_client -connect qatestdc2.boingoqa.local:636
>> [...]
[Freeipa-users] CentOS IPA Client using Fedora IPA Server - SSO Fails from AD Trust domain
I'm trying to configure our CentOS IPA Client for Single Sign On from our trusted AD domain. SSO works fine when I ssh to the IPA server, but not to the CentOS Client. It prompts for a password which it accepts, so it's getting the authentication from the AD domain.

Fedora 20 IPA Server
CentOS 6.5 IPA Client
Win 2012 AD Domain Server
Setup as IPA as a subdomain of AD.
AD Domain: test.local
IPA Domain: hosted.test.local

Anybody run into this? Suggestions?
Re: [Freeipa-users] Creating password sync
How did you specify the CA cert of the CA that issued the IdM ldap server cert?

On the AD server (qatestdc2) I downloaded the CA from the IDM server (se-idm-01) from the web url http://se-idm-01.boingo.com/ipa/config/ca.crt then I ran this:

cd C:\Program Files\Red Hat Directory Password Synchronization
certutil.exe -d . -A -n SE-IDM-01.BOINGO.com CA -t CT,, -a -i IDMCA.crt

How did you specify that you want to check to see if the server FQDN is the same as the cn in the IdM ldap server cert subject DN?

I do not believe that I did this, as I am not sure how.
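The two checks Rich asks about (is the issuing CA trusted, and does the server FQDN match the name in the certificate) can be scripted. This is an added example, not code from the thread or from PassSync: the s_client transcript and the certificate dict below are constructed to mirror the output posted above (empty subject, FQDN only in the SAN, which is an assumption drawn from the output), and the live check uses Python's stdlib ssl module rather than the NSS database that PassSync and certutil use.

```python
"""Added example, not from the thread: script the two LDAPS checks asked about
above. diagnose_s_client() reads `openssl s_client` output and explains the
verify errors; hostname_matches() checks a server FQDN against a peer cert, SAN
first and subject CN only as a fallback; check_ldaps() does the live check."""
import re
import socket
import ssl

# Verify error numbers seen in the posted s_client run, plus the hostname one.
# Any of the first three means the issuing CA is not in the trust store openssl
# consulted: pass it with -CAfile, or import it into the NSS db PassSync uses.
VERIFY_ERRORS = {
    20: "unable to get local issuer certificate: issuing CA not in the trust store",
    21: "unable to verify the first certificate: no trusted chain could be built",
    27: "certificate not trusted: CA present but not marked trusted",
    62: "hostname mismatch: FQDN is not in the certificate's SAN/CN",
}


def diagnose_s_client(output: str) -> dict:
    """Summarise the trust problems an `openssl s_client` transcript reports."""
    codes = sorted({int(n) for n in re.findall(r"verify error:num=(\d+)", output)})
    issuer = re.search(r"^\s*i:(.+)$", output, re.M)
    return {
        "trusted": not codes,
        "errors": [VERIFY_ERRORS.get(c, f"unknown verify error {c}") for c in codes],
        "issuer": issuer.group(1).strip() if issuer else None,
    }


def _name_match(pattern: str, host: str) -> bool:
    """RFC 6125 style: case-insensitive, '*' allowed only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def cert_names(cert: dict) -> list:
    """DNS names a peer may be addressed by, from a getpeercert()-style dict."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # CN is only consulted when the cert carries no dNSName SAN
        for rdn in cert.get("subject", ()):
            names += [v for key, v in rdn if key == "commonName"]
    return names


def hostname_matches(cert: dict, fqdn: str) -> bool:
    return any(_name_match(n, fqdn) for n in cert_names(cert))


def check_ldaps(host: str, port: int = 636, cafile=None, timeout: float = 5.0) -> dict:
    """Live check: TLS-connect trusting only `cafile`; the name match is reported
    separately so a chain that verifies but carries the wrong name is visible."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # we report the name check ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED  # fail closed on an untrusted chain
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"cipher": tls.cipher(), "names": cert_names(cert),
                    "hostname_ok": hostname_matches(cert, host)}


# Constructed sample mirroring the s_client run against the AD DC posted above.
SAMPLE_S_CLIENT = """depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=27:certificate not trusted
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:
   i:/DC=local/DC=boingoqa/CN=SKYWARPCA
"""

# Constructed getpeercert()-style dict in the shape of that DC certificate:
# empty subject, so only the SAN can carry the FQDN (assumption from the output).
SAMPLE_AD_CERT = {
    "subject": (),
    "subjectAltName": (("DNS", "QATESTDC2.boingoqa.local"), ("DNS", "boingoqa.local")),
}
```

Run `check_ldaps("se-idm-01.boingo.com", cafile="ca.crt")` from the AD box and `check_ldaps("qatestdc2.boingoqa.local", cafile="skywarpca.crt")` from the IdM box to test both directions; a verify failure raises `ssl.SSLCertVerificationError` (`ssl.SSLError` on older Pythons).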
[Freeipa-users] Deny SSH access from selected host
Hello

I have an ipa-server-2.2.0-16.el6.x86_64 server serving different versions of ipa-clients and so far it has been good. I have noticed that some of our DEVs have started to ssh into some of the systems that I had no intention of making available through ssh. I have tried to revoke a specific group's ssh permission from a certain host and I don't seem to be having luck. I have only looked under the policy and IPA server tabs, but these two tabs seem like they can only add more access/roles from the default user.

Would it be possible to deny ssh access per host without pulling a host off FreeIPA management?

Thanks in advance
William
Re: [Freeipa-users] Creating password sync
I am just doing this now and it works fine for me. The password has to be changed as there is no way to decrypt the password in AD and send that. So the .msi you install on each AD server intercepts the password change while it's in plain text and sends it over to IPA, hence only changes.

I did have issues with certs, they were a pain in the ass to get right/trusted, looks like you might have a similar issue. I had to work through Redhat support to get it right. On a brighter note I did it on RHEL6.4 and upgraded the IPA servers to RHEL6.5 and winsync and passync still work fine.

I'll send you my notes.

You could use trusts but frankly trusting AD with all its swiss cheese security seems a bit too risky.

regards
Steven

From: freeipa-users-boun...@redhat.com on behalf of Todd Maugh tma...@boingo.com
Sent: Wednesday, 5 February 2014 9:57 a.m.
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating password sync

I tested a ssl connection from my ldap server to AD, this is the output:

openssl s_client -connect qatestdc2.boingoqa.local:636
CONNECTED(0003)
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=27:certificate not trusted
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:
   i:/DC=local/DC=boingoqa/CN=SKYWARPCA
---
Server certificate
subject=
issuer=/DC=local/DC=boingoqa/CN=SKYWARPCA
---
Acceptable client certificate CA names
/DC=local/DC=boingoqa/CN=SKYWARPCA
/CN=QATESTDC2.boingoqa.local
/DC=local/DC=boingoqa/CN=boingoqaca
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/O=BOINGO.COM/CN=Certificate Authority
/OU=Copyright (c) 1997 Microsoft
Re: [Freeipa-users] Creating password sync
I would be so grateful for your notes as it looks like I'm most likely having a cert issue as well. I'm so damn close to having this thing working (doesn't help to have your boss come by every 10 minutes). I understand the changes concept now, if I can just get it to work.

From: Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, February 04, 2014 2:11 PM
To: Todd Maugh; Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: RE: Creating password sync
Re: [Freeipa-users] Creating password sync
notes just sent

regards
Steven

From: Todd Maugh tma...@boingo.com
Sent: Wednesday, 5 February 2014 11:15 a.m.
To: Steven Jones; Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: RE: Creating password sync
Re: [Freeipa-users] CentOS IPA Client using Fedora IPA Server - SSO Fails from AD Trust domain
On Tue, 04 Feb 2014, Mark Gardner wrote:

I'm trying to configure our CentOS IPA Client for Single Sign On from our trusted AD domain. SSO works fine when I ssh to the IPA server, but not to the CentOS Client. It prompts for a password which it accepts, so it's getting the authentication from the AD domain. Anybody run into this? Suggestions?

Each client needs to be configured to accept AD users' SSO. Check that /etc/krb5.conf contains auth_to_local rules mapping principals from AD to their names as returned by SSSD. The SSH daemon is picky about principal/name mapping.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Deny SSH access from selected host
On Tue, 04 Feb 2014, William Muriithi wrote:

I have tried to revoke a specific group's ssh permission from a certain host and I don't seem to be having luck. I have only looked under the policy and IPA server tabs but these two tabs seem like they can only add more access/roles from the default user. Would it be possible to deny ssh access per host without pulling a host off FreeIPA management?

The from-host part of the rule is not enforced by default due to the fact that it is pretty easy to fake that one on connection. You can try to create more specific rules allowing access to the systems. With the allow_all rule disabled these would help -- when there is no rule for that user to access an SSH service on the host, it will not be able to do so. Are you using the allow_all rule right now?

http://www.freeipa.org/page/Howto/HBAC_and_allow_all

--
/ Alexander Bokovoy
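The allow-only evaluation Alexander describes, as an added example that is not part of the thread: a small model of FreeIPA HBAC rule matching showing that a from-host restriction changes nothing, that with allow_all enabled a specific rule cannot restrict anyone, and that with allow_all disabled access exists only where a rule grants it. The rule, group, hostgroup and host names are constructed; real rules are managed with `ipa hbacrule-*` and checked with `ipa hbactest`.

```python
"""Added example, not from the thread: a minimal model of FreeIPA HBAC
evaluation. Rules are allow rules only; access is granted iff some enabled
rule matches the user, the target host and the PAM service. Names below are
constructed for illustration."""
from dataclasses import dataclass, field

ALL = "all"  # category value, as in `ipa hbacrule-add --usercat=all`


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)     # user names and group names
    hosts: set = field(default_factory=set)     # host FQDNs and hostgroup names
    services: set = field(default_factory=set)  # PAM service names (sshd, sudo, ...)
    usercat: str = ""      # "all" matches every user
    hostcat: str = ""      # "all" matches every host
    servicecat: str = ""   # "all" matches every service
    sourcehosts: set = field(default_factory=set)  # in the schema, not enforced


@dataclass
class Request:
    user: str
    groups: set
    host: str
    hostgroups: set
    service: str
    source_host: str = ""  # what the client claims to be; never consulted below


def rule_matches(rule: HbacRule, req: Request) -> bool:
    """An enabled rule allows the request when user, host and service all match.
    The source host is ignored on purpose: the connecting client can claim any
    origin it likes, which is why IPA does not enforce it by default."""
    if not rule.enabled:
        return False
    user_ok = rule.usercat == ALL or req.user in rule.users or bool(req.groups & rule.users)
    host_ok = rule.hostcat == ALL or req.host in rule.hosts or bool(req.hostgroups & rule.hosts)
    svc_ok = rule.servicecat == ALL or req.service in rule.services
    return user_ok and host_ok and svc_ok


def hbac_allowed(rules, req: Request):
    """Returns (allowed, name of the first matching rule or None)."""
    for rule in rules:
        if rule_matches(rule, req):
            return True, rule.name
    return False, None


# Constructed rule: lets the 'devs' group reach sshd only on hosts that are
# members of the 'dev-servers' hostgroup.
DEVS_SSH = HbacRule("devs_ssh_dev_servers", users={"devs"}, hosts={"dev-servers"},
                    services={"sshd"})


def scenario(allow_all_enabled: bool) -> dict:
    """William's case: a developer sshing to a production box not meant for them,
    evaluated with the default allow_all rule enabled or disabled."""
    rules = [HbacRule("allow_all", enabled=allow_all_enabled,
                      usercat=ALL, hostcat=ALL, servicecat=ALL), DEVS_SSH]
    alice = {"user": "alice", "groups": {"devs"}}
    prod = Request(host="prod-db-01.example.com", hostgroups={"prod-servers"},
                   service="sshd", **alice)
    dev = Request(host="dev-01.example.com", hostgroups={"dev-servers"},
                  service="sshd", **alice)
    dev_sudo = Request(host="dev-01.example.com", hostgroups={"dev-servers"},
                       service="sudo", **alice)
    return {
        "dev_to_prod_ssh": hbac_allowed(rules, prod),
        "dev_to_dev_ssh": hbac_allowed(rules, dev),
        "dev_sudo_on_dev": hbac_allowed(rules, dev_sudo),
    }
```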