Re: [Freeipa-users] Integrating Freeipa with Samba server through ldapsam or ipasam? How to compile ipasam separately on CentOS 7?

2015-02-11 Thread Alexander Bokovoy

On Wed, 11 Feb 2015, Israel Miranda wrote:

I did follow
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
but at first I was always getting NT_STATUS_UNSUCCESSFUL.
First I thought it was related to a bad parameter in my samba
configuration, because
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
says it is about IPA v4, and since I found this ticket
https://fedorahosted.org/freeipa/ticket/3999 I thought the
documentation was incomplete.

Documentation regarding Samba integration is incomplete. We are working
on improving it but nothing is ready for review yet.


I debugged the kerberos log file and I realized I was using just the username
instead of usern...@realm.com on the Windows 8 machine. It showed REALM as
a group name and I thought samba would do the translation, but even on a
Windows share logon you have to use usern...@realm.com, otherwise it
doesn't work.

Yes. When you are using cross-forest trust to AD this will happen
automatically. If you are not using cross-forest trust to AD, this use
case is not yet officially supported, so I'm glad that it works for you.


Also, what about all those LDAP objects I created earlier?
Are they worthwhile or needed for a kerberized CIFS server?
Because they are not mentioned in
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

You don't need to create any additional LDAP objects.

What you need is basically following:

1. Run ipa-adtrust-install on all masters that will be serving AD users.
Right now this means effectively all masters, but we are working on
separating the heavy parts (running smbd/winbindd on each master) soon.

2. Use 
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
to configure your Fedora 21+ or RHEL7.1beta or later servers to host
Samba.



It is working flawlessly now. Thanks a lot for the tip; now my
smb.conf is just like the example in the howto and it is working
through sssd-libwbclient accessing the keytab.

I have detailed the steps and commands to create the LDAP objects;
there is a typo in many places on the internet because it was reproduced
from http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html

Notice that it is against Fedora 17 which is way old now and obsolete.


I also think it should be documented somewhere that ipa-adtrust-install
creates/populates the ipaNTHash; I couldn't find it anywhere, someone
told me this on freenode.

Given that you don't need to know about ipaNTHash to use
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA,
all you need is documented there. I've added a note that IPA masters
have to be configured with ipa-adtrust-install.



And one more doubt.
ipa config-mod --userobjectclasses=aaa,bbb,ccc
or ipa config-mod --groupobjectclasses=aaa,bbb,ccc
doesn't work on IPA 4.
Is there a way of doing this on the command line on IPA 4?

Use shell expansion.

ipa object-command --attribute={value1,value2,value3,...}


--
/ Alexander Bokovoy


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

[Freeipa-users] ad relation with winsync

2015-02-11 Thread Nicolas Zin
Hi,

I now try to establish a winsync relation with a Windows 2008R2.
I installed IDM 3.3 on RHEL7.

When I try to create the replication:
ipa-replica-manage connect --winsync --binddn 
cn=Administrator,cn=Users,dc=company,dc=com --bindpwd passwd --passsync 
whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com
Directory Manager password: 

Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database 
for srv7idm2.ipa.company.com
ipa: INFO: Failed to connect to AD server dc.company.com
ipa: INFO: The error was: {'info': 'TLS error -8157:Certificate extension not 
found','desc': 'Connect error'}
Failed to setup winsync replication


Do you have an idea, what's wrong?
Also is it possible to point to port 636 instead?


Notes:
- On the Windows side, SSL has been activated (with pain) and ldp.exe manages to 
connect via SSL on port 636 correctly (so the certificate is in place). I 
don't know how to check it is working properly on port 389, i.e. that START_TLS works
- I checked that the two boxes have the same time (NTP)
- I nearly managed to make it work once, but I got another error during 
replication



Nicolas Zin
nicolas@savoirfairelinux.com
Direct line: 514-276-5468 ext. 135

Fax: 514-276-5465
7275 Saint Urbain
Suite 200
Montréal, QC, H2R 2Y5




Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-11 Thread marcin kowalski
Edit: I accidentally forgot to send a copy to the list, so resubmitting.


I tried this command :

getcert request -c dogtag-ipa -f /etc/pki/testcert -k /etc/pki/testkey -N
cn=mywebserver

I've set up the 'dogtag-ipa' CA in certmonger like so:

id=dogtag-ipa
ca_aka=Dogtag (IPA,renew,agent) (certmonger 0.76.8)
ca_is_default=0
ca_type=EXTERNAL
ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit -E
https://fedora.box.net:8443/ca/ee/ca -A
https://fedora.box.net:8443/ca/agent/ca/ -n CN=BOX.NET admin -d
/var/lib/pki/pki-tomcat/alias/  -i /etc/ipa/ca.crt -v


Since I haven't fully figured out how to set up authentication for
certmonger yet, I've temporarily reused one from the Dogtag PKI instance.
Hopefully it's not a fatal mistake on my end.

From the certmonger logs I get:

Feb 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: GET
https://fedora.box.net:8443/ca/ee/ca/profileSubmit?profileId=caServerCert&cert_request_type=pkcs10&cert_request=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIICyTCCAbECAQAwFjEUMBIGA1UEAxMLbXl3ZWJzZXJ2ZXIwggEiMA0GCSqGSIb3%0ADQEBAQUAA4IBDwAwggEKAoIBAQDLZKK8dUqmiY2YAS2LrNE9DsB7QVhuATEcXkrc%0AB121jafN9BMyNSGQjWlpb15P4xqaXHrplQl60d4sSZA1d4GAxoywDUvoUA7R%2FrJ7%0AVcFyA7R5mRzK%2BfNUg%2FdLqTrnWM6GC1ecYwUwAmI%2FOFa5OomQczdGoV1ippguR2Un%0ArCCdXImZtni845FI1Wx745GP4mH2od7otSqGeLiQR9I6RLdrcs%2FC%2FWhWqPgUmyxp%0AEb%2BFS%2FAGPXG1nE2eT64z2OLQLJWfOT1uYRClsrQ9Bw96Cv20KPupEr4BPwfX%2BQzs%0AR7p9E%2BW1TuQhqX2NrWl4V%2F0tqc0omXGQZx62jCZM0m%2B2eoYJAgMBAAGgbjArBgkq%0AhkiG9w0BCRQxHh4cADIAMAAxADUAMAAyADEAMQAwADgANQAyADEAODA%2FBgkqhkiG%0A9w0BCQ4xMjAwMAwGA1UdEwEB%2FwQCMAAwIAYDVR0OAQEABBYEFEEoeB59tZYgOLSg%0AHV3fzBtlQCiaMA0GCSqGSIb3DQEBCwUAA4IBAQCpc3v8wp6csgKN3H8TfXe5Ay5h%0ATTqKyN2iLQKurTlTbwv%2FhZsE3ketuSfEOCJpE7Z58jlLB7VlMl6Uyl2MrOmC7Ro5%0Ai13LpVvVd%2FLsCedhM%2BTlYPtsk68DVcf1XKZARH6MIRmiDWSr0gajeP6bZK8znQK%2B%0A6O7LaHKv1HaVcjxTZ%2Fdep3OF7aYtsz5tnyoaP1D2CI2WRRGnwjX4bBmr%2FQIZe7ba%0AOQt1yznFPjonEwVaOg3wkx0uaxdkyMz3MZC8nJxYCvBnNgV72tbA6As93laQaTQ2%0A24HhzdEWnJ019W72qJdTDpPg4DtloU0W%2BJYiIIpCfQIn1%2FjJLOnJcWiGPDDd%0A-----END+NEW+CERTIFICATE+REQUEST-----%0A&xml=true
Feb 11 09:52:19 fedora.box.net dogtag-ipa-renew-agent-submit[2887]: <?xml
version="1.0" encoding="UTF-8"
standalone="no"?><XMLResponse><Status>2</Status><Error>Request Deferred -
{0}</Error><RequestId>  49</RequestId></XMLResponse>


And request #49 is placed in Dogtag's CA agent services, and can be
acknowledged/rejected correctly. It's just that certmonger is stuck and
doesn't notice the successful delivery.

The machine is in an isolated network, so there is probably no issue wrt using
box.net as the test domain.

2015-02-10 18:40 GMT+01:00 Dmitri Pal d...@redhat.com:

  On 02/10/2015 12:35 PM, marcin kowalski wrote:

 Hi all, I'm getting Dogtag figured out slowly, and I noticed one odd
 thing.

 I've set up certmonger to request an arbitrary certificate through Dogtag,
 and while the request seems to go into the Dogtag system, certmonger acts
 as if communication with the CA failed. The certificate is considered in
 need of user attention because the process got stuck.

 Request ID '20150210125814':
 status: NEED_GUIDANCE
 stuck: yes
 key pair storage: type=FILE,location='/etc/pki/testkey'
 certificate: type=FILE,location='/etc/pki/testcert'
 CA: dogtag-ipa
 issuer:
 subject:
 expires: unknown
 pre-save command:
 post-save command:
 track: yes
 auto-renew: yes


  [root@fedora pki]# systemctl status -l certmonger
 (...)
 Feb 10 13:57:04 fedora.box.net certmonger[7845]: Request for certificate
 to be stored in file "/etc/pki/testcert" rejected by CA.

 The request is present in Dogtag and is valid, can be accepted/rejected,
 etc., even though certmonger never notices that. I wonder if there is some
 obvious mistake in my setup, or perhaps there is a known bug in the interaction
 of both components on F21 (I'm using only standard repositories).

 When I post the query from certmonger's agent defined in the CA definition
 through curl, I get no errors.

 What would be the best way to debug this issue?


  Can you post your certmonger get-cert command?


 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IdM portfolio
 Red Hat, Inc.




Re: [Freeipa-users] slight problem when integrating certmonger with dogtag on fedora 21

2015-02-11 Thread marcin kowalski
I forgot to add: usually removing the -v bit in the CA external helper
definition produces the aforementioned 'rejected by CA' message, instead of
verbose output.

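An added example, not certmonger's or Dogtag's own code, that parses the profileSubmit XMLResponse the helper logged in this thread and separates a deferred request (queued for agent approval under a request id, which is what request #49 in the agent interface is) from an issued or rejected one. The sample response is reconstructed from the posted log with the angle brackets the archive stripped put back, and is constructed test data; treating Status 0 without an error text as issued and anything else as rejected is a simplification made here, not a description of certmonger's own handling.

```python
"""Parse a Dogtag CA profileSubmit XML response and decide what to do next.

Example code, not part of certmonger or Dogtag. The element names
(XMLResponse, Status, Error, RequestId) are the ones visible in the log
posted to the list; the sample below is constructed from that log.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the response the submit helper logged for request #49.
SAMPLE_DEFERRED = (
    '<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    "<XMLResponse><Status>2</Status>"
    "<Error>Request Deferred - {0}</Error>"
    "<RequestId>  49</RequestId></XMLResponse>"
)


@dataclass(frozen=True)
class SubmitResult:
    status: int
    error: Optional[str]
    request_id: Optional[str]

    @property
    def deferred(self) -> bool:
        """True when the CA queued the request for agent approval."""
        return self.error is not None and self.error.startswith("Request Deferred")


def parse_submit_response(xml_text: str) -> SubmitResult:
    """Extract Status, Error and RequestId from a profileSubmit XMLResponse."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "XMLResponse":
        raise ValueError(f"unexpected root element {root.tag!r}")
    status_text = (root.findtext("Status") or "").strip()
    if not status_text.isdigit():
        raise ValueError("missing or non-numeric <Status>")
    error = root.findtext("Error")
    request_id = root.findtext("RequestId")
    return SubmitResult(
        status=int(status_text),
        error=error.strip() if error else None,
        request_id=request_id.strip() if request_id else None,
    )


def next_action(result: SubmitResult) -> str:
    """Map a parsed response to what a submit helper should do.

    'wait' means poll the CA again for the request id: the certificate has
    not been rejected, an agent still has to approve it. Status 0 with no
    error text is treated as 'issued' and everything else as 'rejected';
    that split is an assumption for this example.
    """
    if result.deferred:
        return "wait"
    if result.status == 0 and result.error is None:
        return "issued"
    return "rejected"


if __name__ == "__main__":
    r = parse_submit_response(SAMPLE_DEFERRED)
    print(r, "->", next_action(r))
```

For the response in the log this yields a deferred result with request id 49 and the action "wait", which is the state the thread describes: the request sits in the agent queue rather than having been refused.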

Re: [Freeipa-users] Integrating Freeipa with Samba server through ldapsam or ipasam? How to compile ipasam separately on CentOS 7?

2015-02-11 Thread Alexander Bokovoy

On Tue, 10 Feb 2015, Israel Miranda wrote:

I have a FreeIPA installation of v4 on Fedora 21.
I have a separate fileserver with FreeIPA packages installed from
mkosek-freeipa-epel-7.repo on CentOS 7.

I have:
* created sambaSAMAccount, sambaGroupMapping UserObjects
* created an entry for the DNA plugin to populate them:
cn=SambaGroupSid,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config
* added a CoS template for sambaGroupType
* added a CoS definition for sambaGroupType
* used ipa-adtrust-install to create and populate ipaNTHash
* checked the creation of these attributes with an LDAP browser, all ok
* put the fileserver machine on the domain
* added the necessary permissions, privileges and roles
* installed the Kerberos keytab on the fileserver
* was able to retrieve the ipaNTHash attribute with the keytab from the Samba server

and now the only thing missing is to integrate the fileserver with the
IPA server.
I don't mind using ipasam, but to install it on my CentOS 7
fileserver, which only has Samba installed and nothing else, it also
pulls in the whole freeipa-server package, and this is overkill just to
get ipasam.so. So I'd like some help in compiling it separately.
I am using the standard Samba server distributed with CentOS 7.

So I tried to use  passdb backend = ldapsam:ldap://ipaserver
but samba tries to bind using the admin user, and doesn't use the keytab, even
though I put
   dedicated keytab file = FILE:/etc/samba/samba.keytab
   kerberos method = dedicated keytab
in smb.conf.

ldapsam currently does not yet support keytab use. With CentOS7/mkosek
COPR repo you don't need to use any special passdb module anymore, just
follow
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA




So please help me in getting these two things done:

1. use Samba with FreeIPA through LDAP (I know it is worse than
ipasam, but it would be nice to know how to integrate FreeIPA with Samba
via LDAP on systems where ipasam might not be available)

Don't do that, use sssd-libwbclient integration. It requires pretty
fresh sssd version (1.12.2+) but systems you mentioned (F21 and CentOS7
with mkosek COPR repo) have it.


2. compile an ipasam.so module so we can work on creating an RPM
package in the future, since it is necessary to install ipasam.so
separately.

No need for that when using sssd-libwbclient integration.

--
/ Alexander Bokovoy



Re: [Freeipa-users] ad relation with winsync

2015-02-11 Thread Nicolas Zin
I reply to myself.
This was certainly a Windows configuration issue. I went further:
ipa-replica-manage connect --winsync --binddn 
cn=Administrator,cn=Users,dc=company,dc=com --bindpwd passwd --passsync 
whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com -v
Directory Manager password: 

Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database 
for srv7idm2.ipa.company.com
ipa: INFO: AD Suffix is: DC=company,DC=com
The user for Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready. . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: 
Connect error: start: 0 end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.

[srv7idm2.ipa.company.com] reports: Update failed! Status: [-11  - LDAP error: 
Connect error]



So apparently I managed to connect to AD but something went wrong after?
How can I debug it?



Regards,



Nicolas Zin




[Freeipa-users] Where and how are passwords stored?

2015-02-11 Thread Michael Lasevich
Ok, after a few awkward questions from an auditor, I am starting to face
the uncomfortable truth that my understanding of how FreeIPA works is a
lot fuzzier than I would like.

Specifically, the question I could not answer: where are the passwords
stored and how are they encrypted? My understanding is that all
authentication is handled by the Kerberos server, which stores its data in LDAP,
but where and how is a bit of a mystery to me. Any way to dump out the
password hashes?

Thanks,

-M

Re: [Freeipa-users] Where and how are passwords stored?

2015-02-11 Thread Dmitri Pal

On 02/12/2015 01:25 AM, Michael Lasevich wrote:
Ok, after a few awkward questions from an auditor, I am starting to 
face the uncomfortable truth that my understanding of how FreeIPA 
works is a lot fuzzier than I would like.


Specifically, the question I could not answer: where are the 
passwords stored and how are they encrypted? My understanding is that 
all authentication is handled by the Kerberos server, which stores its 
data in LDAP, but where and how is a bit of a mystery to me. Any way 
to dump out the password hashes?


Passwords are stored in LDAP in two different attributes per entry, one 
with the LDAP password hash and another with the Kerberos password hash, allowing 
authentication either with Kerberos or LDAP. Both follow best practices 
in terms of the hash algorithms used. The attributes themselves are 
protected by access control instructions (ACIs), so only a super-
privileged admin or the user himself can interact with this attribute. 
During normal operations it is not fetched and read. The core of the DS 
processes it behind closed doors, so it is possible to reset but not 
to read.

This is how LDAP works and it is not different from any modern directory server.




Thanks,

-M





--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

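An added example, not FreeIPA or 389 Directory Server code, of the LDAP-side half of the answer above: the salted-SHA ("{SSHA}" family) storage scheme that 389-ds supports for userPassword, where the stored value is base64(digest(password + salt) + salt) prefixed with the scheme name. Which scheme a given deployment uses is server configuration (passwordStorageScheme) and the 8-byte salt length is an assumption here; all values are constructed for the example. It covers userPassword only: the Kerberos side (krbPrincipalKey) holds encryption keys wrapped with the KDC master key rather than a password hash, which is why neither attribute is something you can usefully "dump" to compare against a hash list.

```python
"""Create and verify {SSHA}-family userPassword values.

Example code, not part of FreeIPA or 389-ds. Layout assumed:
    "{SCHEME}" + base64( digest(password || salt) || salt )
with SHA-1/SHA-256/SHA-512 for SSHA/SSHA256/SSHA512.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# scheme name -> (hashlib algorithm, digest length in bytes)
SCHEMES = {
    "SSHA": ("sha1", 20),
    "SSHA256": ("sha256", 32),
    "SSHA512": ("sha512", 64),
}


def make_userpassword(password: str, scheme: str = "SSHA512",
                      salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307-style '{SCHEME}base64' value for userPassword."""
    algo, _ = SCHEMES[scheme]
    salt = os.urandom(8) if salt is None else salt   # 8-byte salt assumed
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA*} value.

    The salt is whatever follows the fixed-length digest, so values made
    with another salt length (OpenLDAP uses 4 bytes) verify as well.
    """
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a {SCHEME}value userPassword")
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}")
    algo, dlen = SCHEMES[scheme]
    raw = base64.b64decode(b64)
    if len(raw) <= dlen:
        raise ValueError("stored value too short to hold digest + salt")
    digest, salt = raw[:dlen], raw[dlen:]
    computed = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    # constant-time compare so a wrong guess does not leak matching prefix length
    return hmac.compare_digest(digest, computed)


if __name__ == "__main__":
    value = make_userpassword("correct horse battery", "SSHA512")
    print(value)
    print(verify_userpassword(value, "correct horse battery"),
          verify_userpassword(value, "wrong"))
```

The point of the salt is that two users with the same password get different stored values, and the scheme prefix is what lets the directory verify a bind against any of its supported schemes without re-encoding existing entries.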

Re: [Freeipa-users] ad relation with winsync

2015-02-11 Thread Dmitri Pal

On 02/12/2015 12:37 AM, Nicolas Zin wrote:

That was that:

in the logs (/var/log/dirsrv/slapd-HQ-EMIRATES-COM/errors) I got:
slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect 
error) errno 0 (Success)


And when I did LDAPTLS_CACERTDIR=/etc/dirsrv/... ldapsearch ..., it began to 
be interesting:
ldap_start_tls: Connect error (-11)
  additional info: TLS: hostname does not match CN in peer certificate

So I corrected my problem: I put the correct hostname in the ipa-replica-manage 
command (and not the IP). And it connects!


Next step: getting the replication working. The customer doesn't want to give my sync user the Replicating Directory 
Changes, Account Operator and Enterprise Read-Only Domain Controller attributes and just 
wants a one-way replication.
For the one-way replication, I followed the documentation.

But I don't see any imported users. Do you have an idea? Are some of the 
Windows attributes necessary even for a one-way (Windows to Linux) 
synchronisation?


Regards,



Nicolas

- Original message -
From: Rich Megginson rmegg...@redhat.com
To: freeipa-users@redhat.com
Sent: Wednesday 11 February 2015 18:57:43
Subject: Re: [Freeipa-users] ad relation with winsync

On 02/11/2015 04:18 AM, Nicolas Zin wrote:

I reply to myself.
This was certainly a Windows configuration issue. I went further:
ipa-replica-manage connect --winsync --binddn 
cn=Administrator,cn=Users,dc=company,dc=com --bindpwd passwd --passsync 
whatever --cacert /etc/openssl/cacerets/adRootCa.crt dc.company.com -v
Directory Manager password: 

Added CA certificate /etc/openldap/cacerts/adRootCA.crt to certificate database 
for srv7idm2.ipa.company.com
ipa: INFO: AD Suffix is: DC=company,DC=com
The user for Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=company,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready. . .
ipa: INFO: Replication Update in progress: FALSE: status: -11 - LDAP error: 
Connect error: start: 0 end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.

[srv7idm2.ipa.company.com] reports: Update failed! Status: [-11  - LDAP error: 
Connect error]



So apparently I managed to connect to AD but something went wrong after?
How can I debug it?

You can test it like this:

# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN ldapsearch -xLLLZZ -H
ldap://fqdn.of.ad.host -s base -b DC=company,DC=com -D
cn=Administrator,cn=Users,dc=company,dc=com -w password




Regards,



Nicolas Zin




AD is treated as the ultimate source, so adds should go only from AD 
to IPA, but you need the modify to work both ways, otherwise your account 
state will get out of sync.
Whatever is required by the docs is the minimal privilege you need to have 
to sync users.


However, did you consider trust?
It is a two-way trust but it acts as a one-way trust.






Nicolas Zin
nicolas@savoirfairelinux.com
Direct line: 514-276-5468 ext. 135

Fax: 514-276-5465
7275 Saint Urbain
Suite 200
Montréal, QC, H2R 2Y5






--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

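An added example, not code from 389-ds, OpenLDAP or NSS, of the name check behind the "hostname does not match CN in peer certificate" error in this thread: the name handed to ipa-replica-manage (and to ldapsearch -H) has to match a dNSName SAN of the domain controller's certificate, or its subject CN only when the certificate carries no dNSName SANs, and an IP literal never matches either, only an iPAddress SAN. The certificate names below are made up for the example; Rich's ldapsearch -ZZ command remains the live test against the real DC.

```python
"""Match a connect name against the names in a TLS server certificate.

Example code, not part of any LDAP client or TLS library. Rules applied:
exact, case-insensitive dNSName match; a wildcard only as the whole
leftmost label and only for names with at least three labels; IP literals
only against iPAddress SANs; subject CN only as a fallback when there are
no dNSName SANs at all.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class CertNames:
    subject_cn: Optional[str]
    dns_sans: List[str] = field(default_factory=list)
    ip_sans: List[str] = field(default_factory=list)


# Constructed: names an AD DC certificate for dc.company.com might carry.
DC_CERT = CertNames(subject_cn="dc.company.com", dns_sans=["dc.company.com"])


def _dns_match(pattern: str, host: str) -> bool:
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the entire leftmost label, must not cover a bare
    # second-level name, and matches exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(connect_name: str, cert: CertNames) -> bool:
    """True if connect_name is a name this certificate is valid for."""
    try:
        ip = ipaddress.ip_address(connect_name)
    except ValueError:
        ip = None
    if ip is not None:
        # Connecting by IP (the thread's failing case) needs an iPAddress
        # SAN; neither the CN nor a dNSName SAN will satisfy it.
        return any(ip == ipaddress.ip_address(a) for a in cert.ip_sans)
    if cert.dns_sans:
        return any(_dns_match(p, connect_name) for p in cert.dns_sans)
    return cert.subject_cn is not None and _dns_match(cert.subject_cn, connect_name)


def explain(connect_name: str, cert: CertNames) -> str:
    """One-line verdict in the spirit of the ldapsearch diagnostic."""
    if hostname_matches(connect_name, cert):
        return f"{connect_name}: OK"
    names = cert.dns_sans + cert.ip_sans
    if cert.subject_cn:
        names.append(f"CN={cert.subject_cn}")
    return f"{connect_name}: hostname does not match certificate names {names}"


if __name__ == "__main__":
    for name in ("dc.company.com", "DC.COMPANY.COM", "10.0.0.5", "pdc.company.com"):
        print(explain(name, DC_CERT))
```

Pointing the sync agreement at the FQDN that appears in the certificate is therefore the fix, not adding the CA certificate again: the CA check had already passed (the CA was imported into the server's NSS database), and it is the name check that fails on an IP.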