Re: [Freeipa-users] Integrating Freeipa with Samba server through ldapsam or ipasam ? How to compile ipasam separetely on Centos 7 ?
On Wed, 11 Feb 2015, Israel Miranda wrote:
> I did follow http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA but at first I was always getting NT_STATUS_UNSUCCESSFUL. First I thought it was related to a bad parameter in my samba configuration, because http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA says it is about ipa v4, and when I found this ticket https://fedorahosted.org/freeipa/ticket/3999 I thought the documentation was incomplete.

Documentation regarding Samba integration is incomplete. We are working on improving it but nothing is ready for review yet.

> I debugged the kerberos log file and I realized I was using just the username instead of usern...@realm.com on the windows 8 machine. It showed REALM as a group name and I thought samba would do the translation, but even on a windows share logon you have to use usern...@realm.com, otherwise it doesn't work.

Yes. When you are using cross-forest trust to AD this will happen automatically. If you are not using cross-forest trust to AD, this use case is not yet officially supported, so I'm glad that it works for you.

> Also what about all those ldap objects I created earlier? Are they worth it or needed for a kerberized CIFS server? Because they are not mentioned in http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

You don't need to create any additional LDAP objects. What you need is basically the following:

1. Run ipa-adtrust-install on all masters that will be serving AD users. Right now this means effectively all masters, but we are working on separating the heavy parts (running smbd/winbindd on each master) soon.
2. Use http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA to configure your Fedora 21+ or RHEL7.1beta or later servers to host Samba.

> It is working flawlessly now. Thanks a lot for the tip, now my smb.conf is just like in the example of the howto and it is working through sssd-libwbclient accessing the keytab.
>
> I have detailed the steps and commands to create the ldap objects; there is a typo in many places on the internet because it was reproduced from http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html

Notice that it is against Fedora 17, which is way old now and obsolete.

> I also think it should be documented somewhere that ipa-adtrust-install creates/populates the ipaNTHash; I couldn't find it anywhere, someone told me this on freenode.

Given that you don't need to know about ipaNTHash to use http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA, all you need is documented there. I've added a note that IPA masters have to be configured with ipa-adtrust-install.

> And one more doubt. ipa config-mod --userobjectclasses=aaa,bbb,ccc or ipa config-mod --groupobjectclasses=aaa,bbb,ccc doesn't work on IPA 4. Is there a way of doing this on the command line on ipa 4?

Use shell expansion:

    ipa object-command --attribute={value1,value2,value3,...}

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
[Freeipa-users] ad relation with winsync
Hi,

I now try to establish a winsync relation with a Windows 2008R2. I installed IDM 3.3 on RHEL7. When I try to create the replication:

    ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=Users,dc=company,dc=com --bindpwd passwd --passsync whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com
    Directory Manager password:
    Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
    ipa: INFO: Failed to connect to AD srever dc.company.com
    ipa: INFO: The error was: {'info': 'TLS error -8157:Certificate extension not found','desc': 'Connect error'}
    Failed to setup winsync replication

Do you have an idea what's wrong? Also, is it possible to point to port 636 instead?

Notes:
- On the windows side, ssl has been activated (with pain) and ldp.exe manages to connect via ssl on the 636 port correctly (so the certificate is in place). I don't know how to check that it is working properly on port 389, i.e. that START_TLS works.
- I checked that the 2 boxes have the same time (ntp).
- I nearly managed to make it work once, but I got another error during replication.

Nicolas Zin
nicolas@savoirfairelinux.com
Ligne directe: 514-276-5468 poste 135
Fax : 514-276-5465
7275 Saint Urbain Bureau 200
Montréal, QC, H2R 2Y5
Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21
Edit: I accidentally forgot to send a copy to the list, so resubmitting.

I tried this command:

    getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey -N cn=mywebserver

I've set up the 'dogtag-ipa' CA in certmonger like so:

    id=dogtag-ipa
    ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8)
    ca_is_default=0
    ca_type=EXTERNAL
    ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit -E https://fedora.box.net:8443/ca/ee/ca -A https://fedora.box.net:8443/ca/agent/ca/ -n CN=BOX.NET admin -d /var/lib/pki/pki-tomcat/alias/ -i /etc/ipa/ca.crt -v

Since I haven't fully figured out how to set up authentication for certmonger yet, I've temporarily reused one from the dogtag's pki instance. Hopefully it's not a fatal mistake on my end.

From the certmonger logs I get:

    lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: GET https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCert&cert_request_type=pkcs10&cert_request=[URL-encoded PKCS#10 request omitted]&xml=true
    lut 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: <?xml version="1.0" encoding="UTF-8" standalone="no"?><XMLResponse><Status>2</Status><Error>Request Deferred - {0}</Error><RequestId> 49</RequestId></XMLResponse>

And the request #49 is placed in Dogtag's CA Agent services, and can be acknowledged/rejected correctly. It's just that certmonger is stuck and doesn't notice the successful delivery.

The machine is in an isolated network, so there is probably no issue wrt using box.net as test domain.

2015-02-10 18:40 GMT+01:00 Dmitri Pal d...@redhat.com:
> On 02/10/2015 12:35 PM, marcin kowalski wrote:
>> Hi all, I'm getting dogtag figured out slowly, and I noticed one odd thing.
>>
>> I've set up certmonger to request an arbitrary certificate through dogtag, and while the request seems to go into the dogtag system, certmonger acts as if communication with the CA failed. The certificate is considered in need of user attention because the process got stuck.
>>
>>     Request ID '20150210125814':
>>         status: NEED_GUIDANCE
>>         stuck: yes
>>         key pair storage: type=FILE,location='/etc/pki/testkey'
>>         certificate: type=FILE,location='/etc/pki/testcert'
>>         CA: dogtag-ipa
>>         issuer:
>>         subject:
>>         expires: unknown
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>>     [root@fedora pki]# systemctl status -l certmonger
>>     (...)
>>     lut 10 13:57:04 fedora.box.net certmonger[7845]: Request for certificate to be stored in file "/etc/pki/testcert" rejected by CA.
>>
>> The request is present in dogtag and is valid, can be accepted/rejected, etc. Even though certmonger never notices that. I wonder if there is some obvious mistake in my setup, or perhaps there is a known bug in the interaction of both components on F21 (I'm using only standard repositories). When I post the query from certmonger's agent defined in the ca definition through curl, I get no errors. What would be the best way to debug this issue?
>
> Can you post your certmonger get-cert command?
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21
I forgot to add - usually removing the -v bit in the ca external helper definition produces the aforementioned 'rejected by CA' message, instead of verbose output.

2015-02-11 10:00 GMT+01:00 marcin kowalski yoshi...@gmail.com:
> [...]
Re: [Freeipa-users] Integrating Freeipa with Samba server through ldapsam or ipasam ? How to compile ipasam separetely on Centos 7 ?
On Tue, 10 Feb 2015, Israel Miranda wrote:
> I have a freeipa installation of v4 on Fedora 21. I have a separate fileserver with freeipa packages installed from mkosek-freeipa-epel-7.repo on centos 7. I have:
> * created sambaSAMAccount,sambaGroupMapping UserObjects
> * created an entry for the DNA plugin to populate them: cn=SambaGroupSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> * added a CoS template for sambaGroupType
> * added a CoS definition for sambaGroupType
> * used ipa-adtrust-install to create and populate ipaNTHash
> * checked the creation of these attributes with an ldap browser, all ok
> * put the fileserver machine on the domain
> * added the necessary permissions, privileges and roles
> * installed the kerberos keytab on the fileserver
> * was able to retrieve the ipaNTHash attribute with the keytab from the samba server
>
> and now the only thing missing is to integrate the fileserver with the ipaserver. I don't mind using ipasam, but to install it on my centos7 fileserver, which only has samba installed and nothing else, it also pulls the whole freeipa-server package, and this is overkill just to get ipasam.so. So I'd like some help in compiling it separately. I am using the standard samba server distributed with centos 7. So I tried to use
>
>     passdb backend = ldapsam:ldap://ipaserver
>
> but samba tries to bind using the admin user, and doesn't use the keytab, even though I put
>
>     dedicated keytab file = FILE:/etc/samba/samba.keytab
>     kerberos method = dedicated keytab
>
> in smb.conf.

ldapsam currently does not yet support keytab use. With CentOS7/mkosek COPR repo you don't need to use any special passdb module anymore, just follow http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

> So please help me in getting these two things done:
> 1. use samba with freeipa through ldap (I know it is worse than ipasam, but it would be nice to know how to integrate freeipa with samba with ldap on systems where ipasam might not be available)

Don't do that, use sssd-libwbclient integration. It requires a pretty fresh sssd version (1.12.2+) but the systems you mentioned (F21 and CentOS7 with mkosek COPR repo) have it.

> 2. compile an ipasam.so module so we can work on creating an rpm package in the future, since it is necessary to install ipasam.so separately.

No need for that when using sssd-libwbclient integration.

--
/ Alexander Bokovoy
Re: [Freeipa-users] ad relation with winsync
I reply to myself. This was certainly a Windows configuration issue. I went further:

    ipa-replica-manage connect --winsync --binddn cn=Administrator,cn=Users,dc=company,dc=com --bindpwd passwd --passsync whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com -v
    Directory Manager password:
    Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database for srv7idm2.ipa.company.com
    ipa: INFO: AD Suffix is: DC=company,DC=com
    The user for Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com
    ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
    ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP error: Connect error: start: 0 end: 0
    ipa: INFO: Agreement is ready, starting replication . . .
    Starting replication, please wait until this has completed.
    [srv7idm2.ipa.company.com] reports: Update failed! Status: [-11  - LDAP error: Connect error]

So apparently I manage to connect to AD but something went wrong after? How can I debug it?

Regards,

Nicolas Zin

----- Original message -----
From: Nicolas Zin nicolas@savoirfairelinux.com
To: freeipa-users@redhat.com
Sent: Wednesday 11 February 2015 12:06:47
Subject: [Freeipa-users] ad relation with winsync

> [...]
[Freeipa-users] Where and how are passwords stored?
Ok, after a few awkward questions from an auditor, I am starting to face the uncomfortable truth that my understanding of how FreeIPA works is a lot fuzzier than I would like.

Specifically, the question I could not answer: where are the passwords stored and how are they encrypted? My understanding is that all authentication is handled by the Kerberos server, which stores its data in LDAP, but where and how is a bit of a mystery to me. Any way to dump out the password hashes?

Thanks,

-M
Re: [Freeipa-users] Where and how are passwords stored?
On 02/12/2015 01:25 AM, Michael Lasevich wrote:
> Ok, after a few awkward questions from an auditor, I am starting to face the uncomfortable truth that my understanding of how FreeIPA works is a lot fuzzier than I would like.
>
> Specifically, the question I could not answer: where are the passwords stored and how are they encrypted? My understanding is that all authentication is handled by the Kerberos server, which stores its data in LDAP, but where and how is a bit of a mystery to me. Any way to dump out the password hashes?

Passwords are stored in LDAP in two different attributes per entry. One with the LDAP password hash and another with the Kerberos password hash, allowing authentication either with Kerberos or LDAP. Both follow best practices in terms of the hash algorithms used. The attributes themselves are protected by access control instructions (ACI), so only a super privileged admin or the user himself can interact with these attributes. During normal operations they are not fetched and read. The core of the DS processes them behind closed doors, so it is possible to reset but not to read. This is how LDAP works and it is not different from any modern directory server.

> Thanks,
>
> -M

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
Re: [Freeipa-users] ad relation with winsync
On 02/12/2015 12:37 AM, Nicolas Zin wrote:
> That was that: in the logs (/var/log/dirsrv/slapd-HQ-EMIRATES-COM/errors) I got:
>
>     slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
>
> And when I did LDAPTLS_CACERTDIR=/etc/dirsrv/... ldapsearch ..., it began to be interesting:
>
>     ldap_start_tls: Connect error (-11)
>         additionnal info: TLS: hostname does not match CN in peer certificate
>
> So I corrected my problem: put the correct hostname in the ipa-replica-manage (and not the ip). And it connects!
>
> Next step: having the replication working. The customer doesn't want to give my sync user the Replicating directory changes, Account Operator and Enterprise Read-Only Domain Controller attributes and just wants a one-way replication. For the one-way replication, I followed the documentation, but I don't see any imported users. Do you have an idea? Are some of the Windows attributes necessary even for a one-way (windows to linux) synchronisation?
>
> Regards,
>
> Nicolas
>
> ----- Original message -----
> From: Rich Megginson rmegg...@redhat.com
> To: freeipa-users@redhat.com
> Sent: Wednesday 11 February 2015 18:57:43
> Subject: Re: [Freeipa-users] ad relation with winsync
>
>> On 02/11/2015 04:18 AM, Nicolas Zin wrote:
>>> [...]
>>>
>>> So apparently I manage to connect to AD but something went wrong after? How can I debug it?
>>
>> You can test it like this:
>>
>>     # LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN ldapsearch -xLLLZZ -H ldap://fqdn.of.ad.host -s base -b DC=company,DC=com -D cn=Administrator,cn=Users,dc=company,dc=com -w password
>>
>>> [...]

This is treated as the ultimate source, so adds should go only from AD to IPA, but you need the modify to work both ways, otherwise your account state will get out of sync.

Whatever is required by the docs is the minimal privilege you need to have to sync users. However, did you consider trust? It is a two-way trust but it acts as a one-way trust.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
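The fix Nicolas found above (pass the AD host's FQDN to ipa-replica-manage, not its IP address) comes down to TLS server-name verification: the name the client connected to is matched against the certificate's subjectAltName, falling back to the subject CN only when no DNS SAN is present, and an IP literal never matches a DNS name. As an added example, not code from this thread or from FreeIPA or 389-ds, here is that check in Python over a constructed certificate dictionary in the shape ssl.SSLSocket.getpeercert() returns; the certificate, host names and IP address are made up.

```python
"""Added example: TLS hostname matching as it applies to the winsync STARTTLS failure
"hostname does not match CN in peer certificate". Runs offline on a constructed cert."""
import ipaddress
from typing import Optional

# Constructed stand-in for an AD domain controller certificate (not a real certificate),
# in the dict layout returned by ssl.SSLSocket.getpeercert().
AD_DC_CERT = {
    "subject": ((("commonName", "dc.company.com"),),),
    "subjectAltName": (("DNS", "dc.company.com"), ("DNS", "company.com")),
}


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, '*' allowed only as the whole left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # wildcard must be exactly the left-most label, same label count
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert: dict, host: str) -> Optional[str]:
    """Return None when `host` is acceptable for `cert`, otherwise the reason it was rejected."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    if ip is not None:
        # An IP literal is compared only against iPAddress SAN entries, never against DNS names
        # or the CN; this is the case that failed in the thread (IP given, FQDN in the cert).
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return None
        return f"IP {host} is not an iPAddress SAN (certificate DNS names: {dns_names})"
    if dns_names:
        # When any dNSName SAN is present the subject CN is ignored.
        if any(_dns_label_match(p, host) for p in dns_names):
            return None
        return f"hostname {host} does not match subjectAltName {dns_names}"
    # Legacy fallback for certificates without SAN: compare against the subject commonName.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_label_match(cn, host) for cn in cns):
        return None
    return f"hostname {host} does not match CN in peer certificate {cns}"


def winsync_target_check(host: str, cert: dict = AD_DC_CERT) -> bool:
    """True if `host`, as it would be passed to ipa-replica-manage, passes name verification."""
    return match_hostname(cert, host) is None


if __name__ == "__main__":
    for target in ("dc.company.com", "DC.COMPANY.COM", "192.0.2.10", "dc2.company.com"):
        print(f"{target:18} -> {match_hostname(AD_DC_CERT, target) or 'OK'}")
```

The same check is what `ldapsearch -ZZ -H ldap://fqdn.of.ad.host` performs, which is why Rich's test command reproduces the error before ipa-replica-manage is run.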