[Freeipa-users] SSSD Cacheing issues

2014-05-06 Thread Todd Maugh
Hello Guys,

I'm having a problem with one of my clients. It seems the sssd cache keeps 
having a problem and is blocking users from authenticating. I am able to solve 
it by stopping sssd, clearing out the cache in /var/lib/sss/db with a rm -rf *, 
and then restarting sssd.


I'm not sure what logs to look at. I checked out /var/log/sssd and they are 
all 0 file size and gave me nothing to look at.

Has anyone seen this before? Does anyone have any clues on troubleshooting?

Thanks

-Todd Maugh
tma...@boingo.com
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] force uninstall from Ubunutu 12.04

2014-04-02 Thread Todd Maugh
Thank you that was it!!!

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Tuesday, April 01, 2014 6:11 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] force uninstall from Ubunutu 12.04

Todd Maugh wrote:
> Has anyone been able to successfully uninstall a client from Ubuntu
> 12.04?
>
> I have the install down for these boxes. But I need to transfer an
> Ubuntu client from our old IPA server to the new.
>
> The error I get during uninstall is
>
> Failed to remove krb5/LDAP Configuration
>
> Even if I remove the /etc/ipa/default.conf
>
> When I go to re-enroll the client it says
>
> IPA client is already configured on this system.
>
> Run the uninstall blah blah blah
>
> Any suggestions? Does anyone know the magic file to remove?

The files in /var/lib/ipa/sysrestore

rob




Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

2014-04-01 Thread Todd Maugh
I set my debug level to 5 and these were the messages I got. I checked the 
sshd_config and it seems to be using GSSAPI. What lines should be uncommented, 
entered, or set to true or yes for PAM? I tried setting the one PAM line I saw 
to true, but it made no difference.

-----Original Message-----
From: Sumit Bose [mailto:sb...@redhat.com] 
Sent: Tuesday, April 01, 2014 12:19 AM
To: Todd Maugh
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and 
enrolled to new server cant authenticate

On Mon, Mar 31, 2014 at 11:05:18PM +, Todd Maugh wrote:
>
> [root@black-62 sssd]# tail -f sssd_ops.boingo.com.log
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [be_resolve_server_done] (4): Found address for server idm-master-els.ops.boingo.com: [172.22.170.46] TTL 7200
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/black-62.qa.boingo.com
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [child_sig_handler] (4): child [13134] finished successfully.
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [fo_set_port_status] (4): Marking port 0 of server 'idm-master-els.ops.boingo.com' as 'working'
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [set_server_common_status] (4): Marking server 'idm-master-els.ops.boingo.com' as 'working'
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [be_run_online_cb] (3): Going online. Running callbacks.
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [delayed_online_authentication_callback] (5): Backend is online, starting delayed online authentication.
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success

The log does not show any authentication or PAM related activities.
Please increase the debug_level and check for PAM related messages like e.g. 
[pam_print_data] (0x0100): command: PAM_AUTHENTICATE.

If there are no such messages, please check your PAM configuration as Dmitri 
suggested.

HTH

bye,
Sumit

>
> I see this in the sssd logs but still not authenticating
>
> Will check out AVC and SELinux, very frustrating
>
>
>
> From: Rob Crittenden rcrit...@redhat.com
> Sent: Monday, March 31, 2014 3:52 PM
> To: Todd Maugh; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled
> and enrolled to new server cant authenticate
>
> Todd Maugh wrote:
> > HBAC rules are set to allow_all enabled
>
> Ok. I'd start with increasing the sssd log level and see what it says.
>
> I gather that basic nss works since you can kinit as other users.
>
> You may want to check for SELinux AVCs as well.
>
> rob
>
>
> > -----Original Message-----
> > From: Rob Crittenden [mailto:rcrit...@redhat.com]
> > Sent: Monday, March 31, 2014 3:44 PM
> > To: Todd Maugh; freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled
> > and enrolled to new server cant authenticate
> >
> > Todd Maugh wrote:
> > > Hi,
> > >
> > > I have a RHEL 5 client. I had problems with my IPA environment and
> > > had to rebuild.
> > >
> > > I'm on the latest version of IPA with a Red Hat 6 server.
> > >
> > > I successfully enrolled the client to the new server (same domain,
> > > same realm). I had removed all old certs, sysrestores, and
> > > ipa/default.conf.
> > >
> > > I can ssh to the box as root, and then either su or kinit to any
> > > IPA user without issue.
> > >
> > > But when I try to ssh as the IPA user to the box it gives me
> > > "permission denied, please try again".
> > >
> > > I cleared out the sssd cache and restarted sssd.
> > >
> > > Is there something I'm missing or a log to check?
> > >
> > > I need to worked

Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

2014-04-01 Thread Todd Maugh
I am seeing this error in /var/log/secure

[r...@black-64.qa ~]# tail /var/log/secure
Apr  1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr  1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): received for user 
tmaugh: 4 (System error)
Apr  1 17:54:07 black-64 sshd[3649]: Failed password for tmaugh from 
10.194.1.250 port 44697 ssh2
Apr  1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr  1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): received for user 
tmaugh: 4 (System error)
Apr  1 17:54:14 black-64 sshd[3649]: Failed password for tmaugh from 
10.194.1.250 port 44697 ssh2
Apr  1 17:54:15 black-64 sshd[3650]: Connection closed by 10.194.1.250
Apr  1 17:54:15 black-64 sshd[3649]: PAM 1 more authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250  user=tmaugh
Apr  1 17:56:49 black-64 sshd[3713]: Accepted publickey for root from 
10.194.1.250 port 38249 ssh2
Apr  1 17:56:49 black-64 sshd[3713]: pam_unix(sshd:session): session opened for 
user root by (uid=0)





From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on 
behalf of Todd Maugh tma...@boingo.com
Sent: Tuesday, April 01, 2014 7:17 AM
To: Sumit Bose
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and 
enrolled to new server cant authenticate

I set my debug level to 5 and these were the messages I got. I checked the 
sshd_config and it seems to be using GSSAPI. What lines should be uncommented, 
entered, or set to true or yes for PAM? I tried setting the one PAM line I saw 
to true, but it made no difference.

-----Original Message-----
From: Sumit Bose [mailto:sb...@redhat.com]
Sent: Tuesday, April 01, 2014 12:19 AM
To: Todd Maugh
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and 
enrolled to new server cant authenticate

On Mon, Mar 31, 2014 at 11:05:18PM +, Todd Maugh wrote:
>
> [root@black-62 sssd]# tail -f sssd_ops.boingo.com.log
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [be_resolve_server_done] (4): Found address for server idm-master-els.ops.boingo.com: [172.22.170.46] TTL 7200
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [sasl_bind_send] (4): Executing sasl bind mech: GSSAPI, user: host/black-62.qa.boingo.com
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [child_sig_handler] (4): child [13134] finished successfully.
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [fo_set_port_status] (4): Marking port 0 of server 'idm-master-els.ops.boingo.com' as 'working'
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [set_server_common_status] (4): Marking server 'idm-master-els.ops.boingo.com' as 'working'
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [be_run_online_cb] (3): Going online. Running callbacks.
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [delayed_online_authentication_callback] (5): Backend is online, starting delayed online authentication.
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
> (Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] (4): Got request for [4097][1][name=tmp.UiK3X6]
> (Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success

The log does not show any authentication or PAM related activities.
Please increase the debug_level and check for PAM related messages like e.g. 
[pam_print_data] (0x0100): command: PAM_AUTHENTICATE.

If there are no such messages, please check your PAM configuration as Dmitri 
suggested.

HTH

bye,
Sumit

>
> I see this in the sssd logs but still not authenticating
>
> will check

Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

2014-04-01 Thread Todd Maugh
here is my sssd.conf 

[r...@black-64.qa ~]# cat /etc/sssd/sssd.conf 
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/NAME] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the domains attribute below and uncomment it.
# domains = LDAP

domains = ops.boingo.com
[nss]

[pam]

# Example LDAP domain
# [domain/LDAP]
# id_provider = ldap
# auth_provider = ldap
# ldap_schema can be set to rfc2307, which stores group member names in the
# memberuid attribute, or to rfc2307bis, which stores group member DNs in
# the member attribute. If you do not know this value, ask your LDAP
# administrator.
# ldap_schema = rfc2307
# ldap_uri = ldap://ldap.mydomain.org
# ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
# enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
# cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For Unix and map LDAP attributes onto
# msSFU30* attribute names.
# [domain/AD]
# id_provider = ldap
# auth_provider = krb5
# chpass_provider = krb5
#
# ldap_uri = ldap://your.ad.example.com
# ldap_search_base = dc=example,dc=com
# ldap_schema = rfc2307bis
# ldap_sasl_mech = GSSAPI
# ldap_user_object_class = user
# ldap_group_object_class = group
# ldap_user_home_directory = unixHomeDirectory
# ldap_user_principal = userPrincipalName
# ldap_account_expire_policy = ad
# ldap_force_upper_case_realm = true
#
# krb5_server = your.ad.example.com
# krb5_realm = EXAMPLE.COM
[domain/ops.boingo.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ops.boingo.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, idm-master-els.ops.boingo.com
ldap_tls_cacert = /etc/ipa/ca.crt




From: Todd Maugh
Sent: Tuesday, April 01, 2014 10:58 AM
To: Sumit Bose
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] uninstalled IPA client and reinstalled and 
enrolled to new server cant authenticate

I am seeing this error in /var/log/secure

[r...@black-64.qa ~]# tail /var/log/secure
Apr  1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr  1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): received for user 
tmaugh: 4 (System error)
Apr  1 17:54:07 black-64 sshd[3649]: Failed password for tmaugh from 
10.194.1.250 port 44697 ssh2
Apr  1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): authentication 
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr  1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): received for user 
tmaugh: 4 (System error)
Apr  1 17:54:14 black-64 sshd[3649]: Failed password for tmaugh from 
10.194.1.250 port 44697 ssh2
Apr  1 17:54:15 black-64 sshd[3650]: Connection closed by 10.194.1.250
Apr  1 17:54:15 black-64 sshd[3649]: PAM 1 more authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250  user=tmaugh
Apr  1 17:56:49 black-64 sshd[3713]: Accepted publickey for root from 
10.194.1.250 port 38249 ssh2
Apr  1 17:56:49 black-64 sshd[3713]: pam_unix(sshd:session): session opened for 
user root by (uid=0)





From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on 
behalf of Todd Maugh tma...@boingo.com
Sent: Tuesday, April 01, 2014 7:17 AM
To: Sumit Bose
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and 
enrolled to new server cant authenticate

I set my debug level to 5 and these were the messages I got. I checked the 
sshd_config and it seems to be using GSSAPI. What lines should be uncommented, 
entered, or set to true or yes for PAM? I tried setting the one PAM line I saw 
to true, but it made no difference.

-----Original Message-----
From: Sumit Bose [mailto:sb...@redhat.com]
Sent: Tuesday, April 01, 2014 12:19 AM
To: Todd Maugh
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and 
enrolled to new server cant authenticate

On Mon, Mar 31, 2014 at 11:05:18PM +, Todd Maugh wrote:
>
> [root@black-62 sssd]# tail -f sssd_ops.boingo.com.log
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [be_resolve_server_done] (4): Found address for server idm-master-els.ops.boingo.com: [172.22.170.46] TTL 7200
> (Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [sasl_bind_send] (4

Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

2014-04-01 Thread Todd Maugh
]]] [child_sig_handler] (4): 
child [7939] finished successfully.
(Tue Apr  1 20:49:57 2014) [sssd[be[ops.boingo.com]]] [fo_set_port_status] (4): 
Marking port 0 of server 'idm-master-els.ops.boingo.com' as 'working'
(Tue Apr  1 20:49:57 2014) [sssd[be[ops.boingo.com]]] 
[set_server_common_status] (4): Marking server 'idm-master-els.ops.boingo.com' 
as 'working'
(Tue Apr  1 20:49:57 2014) [sssd[be[ops.boingo.com]]] [be_run_online_cb] (3): 
Going online. Running callbacks.
(Tue Apr  1 20:49:57 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 20:49:57 2014) [sssd[be[ops.boingo.com]]] 
[delayed_online_authentication_callback] (5): Backend is online, starting 
delayed online authentication.
(Tue Apr  1 20:49:57 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4099][1][name=csteinke]
(Tue Apr  1 20:49:57 2014) [sssd[be[ops.boingo.com]]] [sdap_initgr_nested_send] 
(4): User entry lacks original memberof ?
(Tue Apr  1 20:49:57 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 20:50:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr  1 20:50:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 20:50:38 2014) [sssd[be[ops.boingo.com]]] [sbus_dispatch] (3): 
Connection is not open for dispatching.
(Tue Apr  1 20:50:38 2014) [sssd[be[ops.boingo.com]]] [be_client_destructor] 
(4): Removed PAM client
(Tue Apr  1 20:50:38 2014) [sssd[be[ops.boingo.com]]] [sbus_dispatch] (3): 
Connection is not open for dispatching.
(Tue Apr  1 20:50:38 2014) [sssd[be[ops.boingo.com]]] [be_client_destructor] 
(4): Removed NSS client
(Tue Apr  1 20:50:38 2014) [sssd[be[ops.boingo.com]]] [remove_krb5_info_files] 
(5): Could not remove [/var/lib/sss/pubconf/kpasswdinfo.OPS.BOINGO.COM], [2][No 
such file or directory]




From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on 
behalf of Jakub Hrozek jhro...@redhat.com
Sent: Tuesday, April 01, 2014 1:19 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and 
enrolled to new server cant authenticate

On Tue, Apr 01, 2014 at 05:58:00PM +, Todd Maugh wrote:
> I am seeing this error in /var/log/secure
>
> [r...@black-64.qa ~]# tail /var/log/secure
> Apr  1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
> Apr  1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): received for user 
> tmaugh: 4 (System error)
> Apr  1 17:54:07 black-64 sshd[3649]: Failed password for tmaugh from 
> 10.194.1.250 port 44697 ssh2
> Apr  1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): authentication 
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
> Apr  1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): received for user 
> tmaugh: 4 (System error)

System Error means something like Unhandled exception from pam_sss.
In general, this shouldn't happen, although System Error is not always
indicative of a bug in SSSD. We use System Error as the default return
code if no other condition matches, so sometimes we just fail to
translate the error code properly -- at one point, we used to return
System Error on clock skew for instance.

Could you attach or paste (to me directly if needed) the domain log file
and also the krb5_child.log ?

> Apr  1 17:54:14 black-64 sshd[3649]: Failed password for tmaugh from 
> 10.194.1.250 port 44697 ssh2
> Apr  1 17:54:15 black-64 sshd[3650]: Connection closed by 10.194.1.250
> Apr  1 17:54:15 black-64 sshd[3649]: PAM 1 more authentication failure; 
> logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250  user=tmaugh
> Apr  1 17:56:49 black-64 sshd[3713]: Accepted publickey for root from 
> 10.194.1.250 port 38249 ssh2
> Apr  1 17:56:49 black-64 sshd[3713]: pam_unix(sshd:session): session opened 
> for user root by (uid=0)


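Jakub's point above (a pam_sss "System error" is the catch-all return code, so it points at the client, SSSD or its backend rather than at a wrong password) is easy to miss in a busy /var/log/secure. The following is an added example, not code from the thread or from SSSD: it parses pam_sss lines of the form quoted above, maps the numeric code to its Linux-PAM name, and pairs each result with the rhost from the preceding "authentication failure" line. The sample lines and the user jdoe are constructed.

```python
"""Triage pam_sss results in /var/log/secure (added example, not from the thread)."""
import re
from collections import Counter

# Linux-PAM return codes (security/_pam_types.h); only the ones pam_sss
# commonly reports are listed here.
PAM_CODES = {
    0: "PAM_SUCCESS",
    4: "PAM_SYSTEM_ERR",          # "System error": SSSD/backend problem, not the user
    6: "PAM_PERM_DENIED",         # access control (e.g. HBAC) denied the login
    7: "PAM_AUTH_ERR",            # ordinary bad password
    9: "PAM_AUTHINFO_UNAVAIL",    # backend unreachable and nothing cached
    10: "PAM_USER_UNKNOWN",
    11: "PAM_MAXTRIES",
    13: "PAM_ACCT_EXPIRED",
}

# Codes that call for looking at the SSSD domain log / krb5_child.log first.
INFRA_CODES = {4, 9}

# Matches e.g.
#   Apr  1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)
RECEIVED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\S+?)\[(?P<pid>\d+)\]: "
    r"pam_sss\((?P<service>[^:]+):(?P<stage>\w+)\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)$"
)

# The "authentication failure; ... rhost=... user=..." line logged just before
# it carries the remote host; remember the last one seen per sshd pid.
FAILURE_RE = re.compile(
    r"^\S+\s+\d+ \d\d:\d\d:\d\d \S+ \S+?\[(?P<pid>\d+)\]: pam_sss\([^)]*\): "
    r"authentication failure;.*?rhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)"
)


def parse_pam_sss(lines):
    """Return one dict per pam_sss 'received for user' line, in log order."""
    rhost_by_pid = {}
    events = []
    for line in lines:
        line = line.rstrip("\n")
        m = FAILURE_RE.match(line)
        if m:
            rhost_by_pid[m.group("pid")] = m.group("rhost") or "?"
            continue
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        code = int(m.group("code"))
        events.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "pid": m.group("pid"),
            "service": m.group("service"),
            "user": m.group("user"),
            "rhost": rhost_by_pid.get(m.group("pid"), "?"),
            "code": code,
            "name": PAM_CODES.get(code, "PAM_UNKNOWN_%d" % code),
            "infra": code in INFRA_CODES,
        })
    return events


def summarize(events):
    """Count (user, rhost, PAM name) triples so repeated infra errors stand out."""
    return Counter((e["user"], e["rhost"], e["name"]) for e in events)


# Constructed sample modelled on the lines quoted in the thread (not the real
# file): two System errors for tmaugh plus one plain bad password for a made-up user.
SAMPLE_SECURE = """\
Apr  1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr  1 17:54:05 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)
Apr  1 17:54:07 black-64 sshd[3649]: Failed password for tmaugh from 10.194.1.250 port 44697 ssh2
Apr  1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.250 user=tmaugh
Apr  1 17:54:12 black-64 sshd[3649]: pam_sss(sshd:auth): received for user tmaugh: 4 (System error)
Apr  1 17:55:30 black-64 sshd[3700]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.194.1.77 user=jdoe
Apr  1 17:55:30 black-64 sshd[3700]: pam_sss(sshd:auth): received for user jdoe: 7 (Authentication failure)
Apr  1 17:56:49 black-64 sshd[3713]: Accepted publickey for root from 10.194.1.250 port 38249 ssh2
""".splitlines()


if __name__ == "__main__":
    evs = parse_pam_sss(SAMPLE_SECURE)
    for (user, rhost, name), n in sorted(summarize(evs).items()):
        hint = "  <-- check the SSSD domain log and krb5_child.log" if name == "PAM_SYSTEM_ERR" else ""
        print("%-10s %-15s %-22s x%d%s" % (user, rhost, name, n, hint))
```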


Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

2014-04-01 Thread Todd Maugh
OK, so on 2 of the servers I found that UsePAM was not even in the sshd_config.

When I put that in, I was fine.

But 3 other servers that have it in the sshd_config are exhibiting the password 
not accepted error.

Then I went and cleared the sssd cache and I'm back in business.


Thank you for the help




From: freeipa-users-boun...@redhat.com freeipa-users-boun...@redhat.com on 
behalf of Todd Maugh tma...@boingo.com
Sent: Tuesday, April 01, 2014 1:58 PM
To: Jakub Hrozek; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and 
enrolled to new server cant authenticate

/var/log/sssd/krb5_child.log is empty

here is the sssd domain logsssd_ops.boingo.com.log


97][1][name=tmp.UiK3X6]
(Tue Apr  1 19:28:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 19:29:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr  1 19:29:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 19:30:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr  1 19:30:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 19:31:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr  1 19:31:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 19:32:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr  1 19:32:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 19:33:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr  1 19:33:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 19:34:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr  1 19:34:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 19:35:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr  1 19:35:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 19:36:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr  1 19:36:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 19:37:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr  1 19:37:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 19:38:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr  1 19:38:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 19:39:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr  1 19:39:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 19:40:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr  1 19:40:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 19:40:10 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4099][1][name=tmaugh]
(Tue Apr  1 19:40:10 2014) [sssd[be[ops.boingo.com]]] [sdap_initgr_nested_send] 
(4): User entry lacks original memberof ?
(Tue Apr  1 19:40:10 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 19:41:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr  1 19:41:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 19:42:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr  1 19:42:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Tue Apr  1 19:43:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Tue Apr  1 19:43:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
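Todd's finding above (UsePAM absent from sshd_config, so sshd never consulted pam_sss at all) can be checked before the next login attempt. The following is an added example, not code from the thread or from OpenSSH: it reads an sshd_config the way sshd does (keywords are case-insensitive, a line is "keyword value" or "keyword=value", lines starting with '#' are comments, the first occurrence of a keyword wins, and directives after a Match line are conditional) and reports whether UsePAM is explicitly yes. The two config samples are constructed.

```python
"""Check whether an sshd_config actually enables UsePAM (added example, not from the thread)."""
import re

# Upstream sshd default for UsePAM when the keyword is absent (sshd_config(5)).
DEFAULTS = {"usepam": "no"}

# "Keyword value" or "Keyword=value"; keyword-only lines do not match.
_LINE_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(?P<val>.*?)\s*$")


def parse_sshd_config(text):
    """Return {lowercased keyword: first value} for the global section only.

    Everything after the first 'Match' line applies only to matching
    connections, so it is not used for a global answer.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        key = m.group("key").lower()
        if key == "match":
            break                                  # conditional section starts
        settings.setdefault(key, m.group("val"))   # first occurrence wins
    return settings


def effective(settings, key):
    """Value sshd would use: the explicit first value, else the upstream default."""
    return settings.get(key.lower(), DEFAULTS.get(key.lower()))


def check_usepam(text):
    """Return (ok, reason); ok is True only when UsePAM is explicitly 'yes'."""
    settings = parse_sshd_config(text)
    if "usepam" not in settings:
        return False, "UsePAM missing; sshd uses its default (%s)" % DEFAULTS["usepam"]
    if settings["usepam"].lower() != "yes":
        return False, "UsePAM is '%s', not 'yes'" % settings["usepam"]
    return True, "UsePAM yes"


# Constructed samples (not the files from the thread).
# A commented-out UsePAM line is the classic way to end up in Todd's situation.
CONFIG_MISSING = """\
# sshd_config on a box where password logins via SSSD fail
Protocol 2
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#UsePAM yes
PasswordAuthentication yes
"""

# The later 'UsePAM no' is ignored (first occurrence wins), and the
# PasswordAuthentication inside the Match block is not a global setting.
CONFIG_OK = """\
Protocol 2
GSSAPIAuthentication yes
UsePAM yes
UsePAM no
Match User deploy
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("missing", CONFIG_MISSING), ("ok", CONFIG_OK)):
        ok, why = check_usepam(cfg)
        print("%-8s %s  (%s)" % (name, "PASS" if ok else "FAIL", why))
```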

[Freeipa-users] force uninstall from Ubunutu 12.04

2014-04-01 Thread Todd Maugh
Has anyone been able to successfully uninstall a client from Ubuntu 12.04?

I have the install down for these boxes. But I need to transfer an Ubuntu 
client from our old IPA server to the new.

The error I get during uninstall is
Failed to remove krb5/LDAP Configuration


Even if I remove the /etc/ipa/default.conf

When I go to re-enroll the client it says

IPA client is already configured on this system.

Run the uninstall blah blah blah


Any suggestions? Does anyone know the magic file to remove?


Thanks again

Your favorite questioner Todd




Todd Maugh
Sr System Engineer
Boingo Wireless
tma...@boingo.com


[Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

2014-03-31 Thread Todd Maugh
Hi,

I have a RHEL 5 client. I had problems with my IPA environment and had to rebuild.

I'm on the latest version of IPA with a Red Hat 6 server.

I successfully enrolled the client to the new server (same domain, same realm). 
I had removed all old certs, sysrestores, and ipa/default.conf.

I can ssh to the box as root, and then either su or kinit to any IPA user 
without issue.

But when I try to ssh as the IPA user to the box it gives me "permission denied, 
please try again".

I cleared out the sssd cache and restarted sssd.

Is there something I'm missing or a log to check?

I need to work this out before I move forward enrolling other previously 
enrolled clients.

Thanks

Todd Maugh
Sr System Engineer
Boingo Wireless
tma...@boingo.com


Re: [Freeipa-users] cant authenticate using freeipa userid on ubuntu12.04

2014-03-31 Thread Todd Maugh
I have found this to be my only way to get Ubuntu to work with IPA as a client.

Add the IDM servers to the hosts file

echo "{ip address of idmserver}   {fqdn of idm server}" >> /etc/hosts

Set the Hostname for the box

echo ubuntu-idm-02.boingo.com > /etc/hostname

Add ipa and sssd repos to box

apt-add-repository http://ppa.launchpad.net/freeipa/ppa/ubuntu

apt-add-repository 
'http://ppa.launchpad.net/sssd/updates/ubuntu'

apt-get update

Install the IPA client

apt-get install -y freeipa-client


Realm: YOUR REALM

DOMAIN: YOUR DOMAIN

SERVER: FQDN OF YOUR IDMSERVER

user to enroll: admin

password : YOUR PASSWORD


Make some modifications to Ubuntu

mkdir -p /etc/pki/nssdb

certutil -N --empty-password -d /etc/pki/nssdb 

mkdir -p /var/run/ipa

Clear out original install 

rm -f /etc/ipa/default.conf

Move aside and re-version the Python version file

cp /usr/share/pyshared/ipapython/version.py /usr/share/pyshared/ipapython/version.py.bak

# the sed expression must be quoted, otherwise the shell strips the single
# quotes and version.py ends up with API_VERSION=u2.49, which is not valid Python
sed -i "s/API_VERSION=.*/API_VERSION=u'2.49'/g" /usr/share/pyshared/ipapython/version.py

Install the IPA client

ipa-client-install


Restart sssd

service sssd restart



You should then have a walking, talking Ubuntu client.

-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Rob Crittenden
Sent: Monday, March 31, 2014 1:58 PM
To: Gustavo Berman; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] cant authenticate using freeipa userid on 
ubuntu12.04

Gustavo Berman wrote:
>
> Sabin Ranjit sabinranjit@... writes:
>
> > hi,
> > I followed this page for the installation of the FreeIPA client over the
> > Ubuntu 12.04 server: http://www.redhat.com/archives/freeipa-users/2013-June/msg00091.html
> > Everything seems to go as mentioned in the page. When I get at the
> > FreeIPA server with the command ipa host-find
> > I can even see my Ubuntu server listed there with Keytab: True. The
> > problem is that I'm not being able
> > to authenticate with the username listed in the FreeIPA server.
> > If I try to run: su ldapuserid, Ubuntu errors unknown id: ldapuserid
> > I can't even ssh to the Ubuntu server with the ldapuserid.
> > What can be the possible solutions?
> > Please help. Thanks.
> > Regards,
> > sabin
>
> Hi Sabin
> Please try my howto:
> http://askubuntu.com/questions/295075/freeipa-client-on-ubuntu
>
> I assembled it from that same mail and other sources
>
> Tavo.

Sabin, if you can confirm these steps maybe we can add this to the Howto 
section on freeipa.org. Except for the localhost thing (probably
unnecessary) and maybe messing with the version (we might agree to disagree on 
that) this looks really good.

cheers

rob




Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

2014-03-31 Thread Todd Maugh
HBAC rules are set to allow_all enabled 

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Monday, March 31, 2014 3:44 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and 
enrolled to new server cant authenticate

Todd Maugh wrote:
 Hi,

 I have a rhel5 client  I had problems with my IPA environment and had 
 to rebuild

 I'm on the latest version of IPA with a red hat 6 server

 I successfully enrolled the client to the new server (same domain, 
 same
 realm) I had removed all old certs, sysrestores, and ipa/default.conf

 I can ssh to the box as root, and then either su or kinit to any IPA 
 user with out issue

 But when I try to ssh as the ipauser to the box it gives me permission 
 denied, please try again

 I cleared out the sssd cache and restarted sssd

 Is there something I'm missing or a log to check?

 I need to work this out before I move forward enrolling other
 previously enrolled clients.

Check your HBAC rules.

rob


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] uninstalled IPA client and reinstalled and enrolled to new server cant authenticate

2014-03-31 Thread Todd Maugh

[root@black-62 sssd]# tail -f sssd_ops.boingo.com.log
(Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [be_resolve_server_done] 
(4): Found address for server idm-master-els.ops.boingo.com: [172.22.170.46] 
TTL 7200
(Mon Mar 31 22:58:01 2014) [sssd[be[ops.boingo.com]]] [sasl_bind_send] (4): 
Executing sasl bind mech: GSSAPI, user: host/black-62.qa.boingo.com
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [child_sig_handler] (4): 
child [13134] finished successfully.
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [fo_set_port_status] (4): 
Marking port 0 of server 'idm-master-els.ops.boingo.com' as 'working'
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] 
[set_server_common_status] (4): Marking server 'idm-master-els.ops.boingo.com' 
as 'working'
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [be_run_online_cb] (3): 
Going online. Running callbacks.
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Mon Mar 31 22:58:02 2014) [sssd[be[ops.boingo.com]]] 
[delayed_online_authentication_callback] (5): Backend is online, starting 
delayed online authentication.
(Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Mon Mar 31 22:59:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Mon Mar 31 23:00:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Mon Mar 31 23:01:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Mon Mar 31 23:02:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success
(Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [be_get_account_info] 
(4): Got request for [4097][1][name=tmp.UiK3X6]
(Mon Mar 31 23:03:01 2014) [sssd[be[ops.boingo.com]]] [acctinfo_callback] (4): 
Request processed. Returned 0,0,Success

I see this in the sssd logs but still not authenticating.

Will check out AVC and SELinux. Very frustrating.



From: Rob Crittenden rcrit...@redhat.com
Sent: Monday, March 31, 2014 3:52 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and 
enrolled to new server cant authenticate

Todd Maugh wrote:
 HBAC rules are set to allow_all enabled

Ok. I'd start with increasing the sssd log level and see what it says.

I gather that basic nss works since you can kinit as other users.

You may want to check for SELinux AVCs as well.

rob


 -Original Message-
 From: Rob Crittenden [mailto:rcrit...@redhat.com]
 Sent: Monday, March 31, 2014 3:44 PM
 To: Todd Maugh; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] uninstalled IPA client and reinstalled and 
 enrolled to new server cant authenticate

 Todd Maugh wrote:
 Hi,

 I have a rhel5 client. I had problems with my IPA environment and had
 to rebuild

 I'm on the latest version of IPA with a red hat 6 server

 I successfully enrolled the client to the new server (same domain,
 same
 realm) I had removed all old certs, sysrestores, and ipa/default.conf

 I can ssh to the box as root, and then either su or kinit to any IPA
 user without issue

 But when I try to ssh as the ipauser to the box it gives me permission
 denied, please try again

 I cleared out the sssd cache and restarted sssd

 Is there something I'm missing or a log to check?

 I need to work this out before I move forward enrolling other
 previously enrolled clients.

 Check your HBAC rules.

 rob



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


[Freeipa-users] HELP

2014-03-27 Thread Todd Maugh
My Master IPA server has been lost,


My replica is still up and functioning.


what is the best way to proceed?


Do I rebuild my master and add it as a replica?


how do I get my master back in line with my IPA env?


the Master needs to be rebuilt from scratch


red hat 6.5 latest version of IPA
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Client enrollment failing

2014-03-20 Thread Todd Maugh
Hello,

So I'm on some red hat clients and I have seen this a few times when attempting 
to enroll them as clients.

Enrolled in IPA realm OPS.BOINGO.COM
Failed to obtain host TGT.
Installation failed. Rolling back changes.
IPA client is not configured on this system.


Has anyone seen this or know how to troubleshoot it?

thanks in advance you guys are the best!

-Todd
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Has one successfully synched the entirety of their AD to IPA (multiple OUs and or Subtrees)

2014-03-17 Thread Todd Maugh
I'm trying to sync all of my AD to IPA, I don't need to retain any of the 
original windows directory structure once in IPA.

I cannot find where to set ipaWinSyncUserFlatten to true (so I'm assuming it's 
on true by default)

I really need to be able to sync more than just the cn=users subtree

And I can find no documentation or help online.


Has anyone had any success or practice with this?

Thanks

-Todd

Todd Maugh
Sr System Engineer
Boingo Wireless
tma...@boingo.com

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Has one successfully synched the entirety of their AD to IPA (multiple OUs and or Subtrees)

2014-03-17 Thread Todd Maugh
Thanks Rich,

I am able to create a successful winsync agreement from the top level.

Unfortunately, when I do this. I do not see any of the accounts from the sub 
trees populate my ipa server.

Is it possible to have all the subtrees (OUs) live under cn=users? If I make
this change to AD would IPA then sync all the accounts from the subtrees? I
can't believe I am the first person with this issue or need.

Thanks again in advance.


From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Monday, March 17, 2014 2:44 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Has one successfully synched the entirety of their 
AD to IPA (multiple OUs and or Subtrees)

On 03/17/2014 03:33 PM, Todd Maugh wrote:
I'm trying to sync all of my AD to IPA, I don't need to retain any of the 
original windows directory structure once in IPA.

I cannot find where to set ipaWinSyncUserFlatten to true (so I'm assuming it's 
on true by default)

Yes, it is true by default.
dn: cn=ipa-winsync,cn=plugins,cn=config



I really need to be able to sync more than just the cn=users subtree

There really isn't explicit support for this.  If it doesn't work to set your 
AD subtree to your root suffix (e.g. dc=domain,dc=com), then it's simply not 
going to work until 389 adds support for that.



And I can find no documentation or help online.

Because there probably isn't any.




Has anyone had any success or practice with this?

See above.


Thanks

-Todd

Todd Maugh
Sr System Engineer
Boingo Wireless
tma...@boingo.com





___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Has one successfully synched the entirety of their AD to IPA (multiple OUs and or Subtrees)

2014-03-17 Thread Todd Maugh
Thanks again Rich is there some good Documentation on setting up the trust?

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Monday, March 17, 2014 3:03 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Has one successfully synched the entirety of their 
AD to IPA (multiple OUs and or Subtrees)

On 03/17/2014 03:52 PM, Todd Maugh wrote:
Thanks Rich,

I am able to create a successful winsync agreement from the top level.

Unfortunately, when I do this. I do not see any of the accounts from the sub 
trees populate my ipa server.

Ok, so it doesn't work.



Is it possible to have all the subtrees (OUs) live under cn=users? If I make
this change to AD would IPA then sync all the accounts from the subtrees?

Yes.


I can't believe I am the first person with this issue or need.

You are certainly not - we have a couple of 389 to address this and similar 
issues with winsync.

https://fedorahosted.org/389/ticket/460

Unfortunately, this fix has been targeted for F20 (389-ds-base-1.3.2), and we 
don't have plans to backport to EL6.

Note that winsync is always going to be more or less painful - it is not, was 
never designed to be, and never will be a full blown meta-directory solution.  
For more information:

https://fedorahosted.org/389/query?component=Sync+Service&status=accepted&status=assigned&status=new&status=reopened&col=id&col=summary&col=status&col=type&col=priority&col=milestone&col=component&order=priority&report=16

That's why we recommend that the best long term solution is cross domain trust 
- that removes winsync from the picture.



Thanks again in advance.


From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Monday, March 17, 2014 2:44 PM
To: Todd Maugh; freeipa-users@redhat.commailto:freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Has one successfully synched the entirety of their 
AD to IPA (multiple OUs and or Subtrees)

On 03/17/2014 03:33 PM, Todd Maugh wrote:
I'm trying to sync all of my AD to IPA, I don't need to retain any of the 
original windows directory structure once in IPA.

I cannot find where to set ipaWinSyncUserFlatten to true (so I'm assuming it's 
on true by default)

Yes, it is true by default.
dn: cn=ipa-winsync,cn=plugins,cn=config




I really need to be able to sync more than just the cn=users subtree

There really isn't explicit support for this.  If it doesn't work to set your 
AD subtree to your root suffix (e.g. dc=domain,dc=com), then it's simply not 
going to work until 389 adds support for that.




And I can find no documentation or help online.

Because there probably isn't any.





Has anyone had any success or practice with this?

See above.



Thanks

-Todd

Todd Maugh
Sr System Engineer
Boingo Wireless
tma...@boingo.com







___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Password sync woes

2014-03-14 Thread Todd Maugh
Thank you Rich, must have been a typo in my install. I gutted it, restarted it,
and am all good now. Thank you.

From: Rich Megginson [mailto:rmegg...@redhat.com]
Sent: Thursday, March 13, 2014 4:24 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Password sync woes

On 03/13/2014 05:18 PM, Todd Maugh wrote:
Sorry Guys me again.

So I have my winsync agreement up

and I now have my password sync setup

the cert has been imported

SSL is configured properly,

but when I go to change a password in AD

I see this error in passsync.log

LDAP error in QueryUsername
32: No such object

It means your suffix/base DN that you used in PassSync setup is incorrect.
You can check the access log to see what it is doing - 
/var/log/dirsrv/slapd-YOUR-DOMAIN/access - look for connections from the IP 
address of your AD machine.
Note that the suffix/base DN that you used in PassSync setup is the suffix/base 
DN of your IdM server, which is not necessarily the same as your AD server.




any thoughts on this?

thanks

-Todd




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] winsync agreement for multiple subtrees

2014-03-14 Thread Todd Maugh
good morning, every day it's something new.

so turns out my AD admin has built AD with user accounts spread out over
multiple subtrees and I need to handle them all.

is there a way to sync everything under dc=bwinc,dc=local instead of doing
cn=users,dc=bwinc,dc=local?

does this make sense?

thank you

-Todd Maugh

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] winsync agreement for multiple subtrees

2014-03-14 Thread Todd Maugh
I did find this similar request that I thought looked to be owned by Rich  
Megginson

https://fedorahosted.org/389/ticket/460

Rich Can you shed any light on this, or the command I would use to winsync 
multiple subtrees?



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Todd Maugh [tma...@boingo.com]
Sent: Friday, March 14, 2014 10:13 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] winsync agreement for multiple subtrees

good morning, every day it's something new.

so turns out my AD admin has built AD with user accounts spread out over
multiple subtrees and I need to handle them all.

is there a way to sync everything under dc=bwinc,dc=local instead of doing
cn=users,dc=bwinc,dc=local?

does this make sense?

thank you

-Todd Maugh

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] winsync agreement for multiple subtrees

2014-03-14 Thread Todd Maugh
I actually hadn't tried yet to sync from the top level directory

would I just leave the CN out to try that? 

From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, March 14, 2014 11:12 AM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: winsync agreement for multiple subtrees

On 03/14/2014 12:06 PM, Todd Maugh wrote:
 I did find this similar request that I thought looked to be owned by Rich  
 Megginson

 https://fedorahosted.org/389/ticket/460

 Rich Can you shed any light on this, or the command I would use to winsync 
 multiple subtrees?

If you can't sync from the top level entry e.g. if you can't sync using
dc=bwinc,dc=local as your AD subtree, then you can't do it. It may or
may not work for you, I don't know, you'll just have to try it.



 
 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
 behalf of Todd Maugh [tma...@boingo.com]
 Sent: Friday, March 14, 2014 10:13 AM
 To: freeipa-users@redhat.com
 Subject: [Freeipa-users] winsync agreement for multiple subtrees

 good morning, every day it's something new.

 so turns out my AD admin has built AD with user accounts spread out over
 multiple subtrees and I need to handle them all.

 is there a way to sync everything under dc=bwinc,dc=local instead of doing
 cn=users,dc=bwinc,dc=local?

 does this make sense?

 thank you

 -Todd Maugh


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


[Freeipa-users] IPA / AD Trust

2014-03-14 Thread Todd Maugh
Does IPA support a trust with AD yet?

I've seen that this is coming in a future release but I haven't found something
that said it has been released.

-Todd
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] quick question

2014-03-13 Thread Todd Maugh
Does IDM work with AD 2012 or only 2008?

-Todd
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

2014-03-13 Thread Todd Maugh
Ok I got the credentials error worked out, my ad admin had the IDMadmin account 
in the wrong OU

but now i get this


Added CA certificate ADC13-ELS.CA.cer to certificate database for 
idm-master-els.ops.boingo.com
ipa: INFO: AD Suffix is: DC=BWINC,DC=local
The user for the Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=ops,dc=boingo,dc=com
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP error: 
Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[idm-master-els.ops.boingo.com] reports: Update failed! Status: [-11  - LDAP 
error: Connect error]
Failed to start replication



not sure where to look for more errors about this



From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, March 12, 2014 4:23 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 05:07 PM, Todd Maugh wrote:
so to verify this

I am able to log in to the AD server as idmadmin with the password I'm using in 
the winsync agreement.

I guess you mean that login to Windows using the standard Windows login dialog 
is working correctly?  And that this is still not working correctly:

[r...@idm-master-els.ops.boingo.com
ipa]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h 
adc13-els.bwinc.local -D cn=idmadmin,cn=Users,dc=bwinc,dc=local -w XX s 
base -b cn=Users,dc=bwinc,dc=local

Do you have the Windows administrator password?  If so, can you try something 
like this:

[r...@idm-master-els.ops.boingo.com
ipa]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h 
adc13-els.bwinc.local -D cn=administrator,cn=Users,dc=bwinc,dc=local -w 
XX s base -b cn=Users,dc=bwinc,dc=local

Is AD configured to allow external LDAP binds?

is there a log I can look at to see what it is getting tripped up on?

I suppose you could try somewhere in the Windows Event Viewer . . .


I double checked all the security groups  for the AD user and they all look good



From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, March 12, 2014 3:47 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 04:39 PM, Todd Maugh wrote:
thanks Rich,

when I run that  I get the following:


[r...@idm-master-els.ops.boingo.com
ipa]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h 
adc13-els.bwinc.local -D cn=idmadmin,cn=Users,dc=bwinc,dc=local -w XX s 
base -b cn=Users,dc=bwinc,dc=local
ldap_bind: Invalid credentials (49)

Invalid credentials almost always means your password XX is not correct 
for user cn=idmadmin,cn=Users,dc=bwinc,dc=local

additional info: 80090308: LdapErr: DSID-0C0903C5, comment: 
AcceptSecurityContext error, data 52e, v2580




From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, March 12, 2014 3:30 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 04:18 PM, Todd Maugh wrote:
Hello.

I'm using latest IPA build on red hat 6.5

I retrieved my CA cert from the AD Domain controller

I try to set up my winsyncagreement and I am getting this



[r...@idm-master-els.ops.boingo.com
ipa]$ ipa-replica-manage connect --winsync --binddn cn=idmadmin, cn=Users, 
dc=bwinc, dc=local --bindpw XX --passsync XX 
--cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer adc13-els.bwinc.local
Directory Manager password:

Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to certificate 
database for idm-master-els.ops.boingo.com
ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local
ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, comment: 
AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'}
Failed to setup winsync replication


not sure where to look for the logs for this to see what the invalid
credentials are or whether this might still be a cert issue or a log in issue or
what not?

You can test with ldapsearch like this:

$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLLZZ -h 
adc13-els.bwinc.local -D cn=idmadmin,cn=Users,dc=bwinc,dc=local -w XX 
-s base -b cn=Users,dc=bwinc,dc=local



Thanks in advance for the help

-Todd






Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

2014-03-13 Thread Todd Maugh
ok so I ran that and Get this output


[r...@idm-master-els.ops.boingo.com cacerts]$ 
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h 
adc13-els.bwinc.local -D cn=idmadmin,cn=Users,dc=bwinc,dc=local -w XX  
-s base -b cn=Users,dc=bwinc,dc=local
dn: cn=Users,dc=bwinc,dc=local
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=BWINC,DC=local
instanceType: 4
whenCreated: 20060824234034.0Z
whenChanged: 20140306190741.0Z
uSNCreated: 17702
uSNChanged: 17702
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: kCZ7CbnIZk+0GpmCr3PCfw==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=BWINC,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20140306234416.0Z
dSCorePropagationData: 20140306234348.0Z
dSCorePropagationData: 20140306225101.0Z
dSCorePropagationData: 20140306225055.0Z
dSCorePropagationData: 1601010100.0Z


From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, March 12, 2014 3:47 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 04:39 PM, Todd Maugh wrote:
thanks Rich,

when I run that  I get the following:


[r...@idm-master-els.ops.boingo.com
ipa]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h 
adc13-els.bwinc.local -D cn=idmadmin,cn=Users,dc=bwinc,dc=local -w XX s 
base -b cn=Users,dc=bwinc,dc=local
ldap_bind: Invalid credentials (49)

Invalid credentials almost always means your password XX is not correct 
for user cn=idmadmin,cn=Users,dc=bwinc,dc=local

additional info: 80090308: LdapErr: DSID-0C0903C5, comment: 
AcceptSecurityContext error, data 52e, v2580




From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, March 12, 2014 3:30 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 04:18 PM, Todd Maugh wrote:
Hello.

I'm using latest IPA build on red hat 6.5

I retrieved my CA cert from the AD Domain controller

I try to set up my winsyncagreement and I am getting this



[r...@idm-master-els.ops.boingo.com
ipa]$ ipa-replica-manage connect --winsync --binddn cn=idmadmin, cn=Users, 
dc=bwinc, dc=local --bindpw XX --passsync XX 
--cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer adc13-els.bwinc.local
Directory Manager password:

Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to certificate 
database for idm-master-els.ops.boingo.com
ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local
ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, comment: 
AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'}
Failed to setup winsync replication


not sure where to look for the logs for this to see what the invalid
credentials are or whether this might still be a cert issue or a log in issue or
what not?

You can test with ldapsearch like this:

$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLLZZ -h 
adc13-els.bwinc.local -D cn=idmadmin,cn=Users,dc=bwinc,dc=local -w XX 
-s base -b cn=Users,dc=bwinc,dc=local



Thanks in advance for the help

-Todd






___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

2014-03-13 Thread Todd Maugh
Ok the error I see repeated in the log is

[13/Mar/2014:18:41:21 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:11 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:14 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:20 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:32 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:56 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:44:30 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -1 (Can't contact LDAP server) errno 0 (Success)
[13/Mar/2014:18:44:33 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:44:44 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:46:20 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:47:29 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:47:32 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:47:38 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:47:50 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:11 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:14 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:20 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:32 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:56 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[r...@idm-master-els.ops.boingo.com cacerts]$


From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, March 13, 2014 11:43 AM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/13/2014 12:29 PM, Todd Maugh wrote:
ok so I ran that and Get this output

Ok.  Next, take a look at /var/log/dirsrv/slapd-OPS-BOINGO-COM/errors



[r...@idm-master-els.ops.boingo.com
cacerts]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ 
-h adc13-els.bwinc.local -D cn=idmadmin,cn=Users,dc=bwinc,dc=local -w 
XX  -s base -b cn=Users,dc=bwinc,dc=local
dn: cn=Users,dc=bwinc,dc=local
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=BWINC,DC=local
instanceType: 4
whenCreated: 20060824234034.0Z
whenChanged: 20140306190741.0Z
uSNCreated: 17702
uSNChanged: 17702
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: kCZ7CbnIZk+0GpmCr3PCfw==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=BWINC,DC=local
isCriticalSystemObject: TRUE
dSCorePropagationData: 20140306234416.0Z
dSCorePropagationData: 20140306234348.0Z
dSCorePropagationData: 20140306225101.0Z
dSCorePropagationData: 20140306225055.0Z
dSCorePropagationData: 1601010100.0Z


From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, March 12, 2014 3:47 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 04:39 PM, Todd Maugh wrote:
thanks Rich,

when I run that  I get the following:


[r...@idm-master-els.ops.boingo.com
ipa]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h 
adc13-els.bwinc.local -D cn=idmadmin,cn=Users,dc=bwinc,dc=local -w XX s 
base -b cn=Users,dc=bwinc,dc=local
ldap_bind: Invalid credentials (49)

Invalid credentials almost always means your password XX is not correct 
for user cn=idmadmin,cn=Users,dc=bwinc,dc=local

additional info: 80090308: LdapErr: DSID-0C0903C5, comment: 
AcceptSecurityContext error, data 52e, v2580




From: Rich Megginson [rmegg...@redhat.com
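The dirsrv errors log quoted in this thread carries two kinds of lines: the repeated slapi_ldap_bind "could not send startTLS request: error -11 (Connect error)" lines, which only say that StartTLS could not be negotiated, and a single NSMMReplicationPlugin line that carries the real reason in its "(TLS error -8179:...)" suffix. NSS error -8179 is SEC_ERROR_UNKNOWN_ISSUER: the CA that issued the AD controller's certificate is not in the dirsrv instance's certificate database, so the CA file handed to --cacert is worth re-checking against the certificate the AD server actually presents. The script below is an added Python triage example, not from this thread and not part of FreeIPA or 389-ds. It parses lines in that log format, counts the StartTLS failures, and pulls the NSS code out of the replication-bind failure so the certificate problem is visible without reading every line. The sample log is constructed to mirror the thread's lines (host names and agreement name taken from the thread; the timezone offset written out as +0000 where the archive copy shows only "+]"), and the NSS error-code table lists only codes whose values are known to be correct.

```python
import re
from collections import Counter

# Constructed sample in the 389-ds errors-log format quoted in this thread.
# Host names and the agreement name come from the thread; the +0000 offset is
# written out where the archive copy shows only "+]".
SAMPLE_ERRORS_LOG = """\
[13/Mar/2014:19:53:20 +0000] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[13/Mar/2014:19:53:22 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:22 +0000] NSMMReplicationPlugin - agmt="cn=meToadc13-els.bwinc.local" (adc13-els:389): Replication bind with SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's Certificate issuer is not recognized.)
[13/Mar/2014:19:53:24 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:30 +0000] slapi_ldap_bind - Error: could not send startTLS request: error -1 (Can't contact LDAP server) errno 0 (Success)
"""

# NSS error codes that appear in the "(TLS error N:...)" suffix of a failed
# replication bind. Only codes with known values are listed; others are reported as unmapped.
NSS_ERRORS = {
    -8179: "SEC_ERROR_UNKNOWN_ISSUER: peer certificate chains to a CA that is not in the server's NSS database",
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER: issuer CA is present but not trusted for this use",
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE: peer certificate has expired",
    -12276: "SSL_ERROR_BAD_CERT_DOMAIN: certificate subject does not match the host name connected to",
}

# "[timestamp] component - message"; the component is absent on lines such as "- slapd started".
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?:(?P<source>[^\s-]\S*)\s+)?-\s+(?P<msg>.*)$')
STARTTLS_RE = re.compile(
    r'could not send startTLS request: error (?P<code>-?\d+) \((?P<desc>[^)]*)\)')
BIND_RE = re.compile(
    r'agmt="?(?P<agmt>[^"\s]+)"? \((?P<peer>[^)]+)\): Replication bind with '
    r'(?P<mech>\S+) auth failed: LDAP error (?P<code>-?\d+)')
TLS_RE = re.compile(r'TLS error (?P<nss>-?\d+):(?P<reason>[^)]*)')


def parse_line(line):
    """Split one errors-log line into timestamp, emitting component and message."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": m["ts"], "source": m["source"] or "", "msg": m["msg"]}


def triage(log_text):
    """Summarise StartTLS and replication-bind failures found in an errors log."""
    report = {
        "starttls_failures": Counter(),    # (ldap error code, description) -> count
        "replication_bind_failures": [],   # one dict per failed agreement bind
        "tls_root_causes": Counter(),      # (nss code, reason text) -> count
        "unparsed": 0,
    }
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            report["unparsed"] += 1
            continue
        msg = rec["msg"]
        m = STARTTLS_RE.search(msg)
        if m:
            report["starttls_failures"][(int(m["code"]), m["desc"])] += 1
        m = BIND_RE.search(msg)
        if m:
            entry = {"ts": rec["ts"], "agreement": m["agmt"], "peer": m["peer"],
                     "mech": m["mech"], "ldap_error": int(m["code"])}
            t = TLS_RE.search(msg)  # the NSS code is the part worth reading
            if t:
                entry["nss_error"] = int(t["nss"])
                entry["reason"] = t["reason"].strip()
                report["tls_root_causes"][(entry["nss_error"], entry["reason"])] += 1
            report["replication_bind_failures"].append(entry)
    return report


def explain(report):
    """Turn the counters into one-line findings, mapping NSS codes to their names."""
    notes = []
    for (nss, reason), n in report["tls_root_causes"].items():
        notes.append(f"{n}x TLS error {nss} ({reason}) -> "
                     f"{NSS_ERRORS.get(nss, 'unmapped NSS error')}")
    for (code, desc), n in report["starttls_failures"].items():
        notes.append(f"{n}x startTLS failure, LDAP error {code} ({desc})")
    for e in report["replication_bind_failures"]:
        notes.append(f"agreement {e['agreement']}: {e['mech']} bind to {e['peer']} "
                     f"failed with LDAP error {e['ldap_error']}")
    return notes


if __name__ == "__main__":
    for line in explain(triage(SAMPLE_ERRORS_LOG)):
        print(line)
```

Feed it the contents of /var/log/dirsrv/slapd-INSTANCE/errors (the path Rich points at earlier in the thread) and read the "TLS error" finding first; the -11 lines are symptoms of the same failure. One detail worth noticing in the log itself: the agreement uses a SIMPLE bind, which sends the sync account's password to AD, and when StartTLS cannot be established the bind fails outright rather than proceeding over an unprotected connection, which is the behaviour you want to see.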

Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

2014-03-13 Thread Todd Maugh
--no CoS Templates found, which 
should be added before the CoS Definition.
[13/Mar/2014:19:53:20 +] - slapd started.  Listening on All Interfaces port 
389 for LDAP requests
[13/Mar/2014:19:53:20 +] - Listening on All Interfaces port 636 for LDAPS 
requests
[13/Mar/2014:19:53:20 +] - Listening on 
/var/run/slapd-OPS-BOINGO-COM.socket for LDAPI requests
[13/Mar/2014:19:53:22 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:22 +] NSMMReplicationPlugin - 
agmt=cn=meToadc13-els.bwinc.local (adc13-els:389): Replication bind with 
SIMPLE auth failed: LDAP error -11 (Connect error) (TLS error -8179:Peer's 
Certificate issuer is not recognized.)
[13/Mar/2014:19:53:22 +] - Entry 
cn=meToadc13-els.bwinc.local,cn=replica,cn=dc\3Dops\2Cdc\3Dboingo\2Cdc\3Dcom,cn=mapping
 tree,cn=config -- attribute nsDS5ReplicatedAttributeListTotal not allowed
[13/Mar/2014:19:53:22 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:22 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:24 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:24 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:53:25 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)



From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, March 13, 2014 12:05 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/13/2014 12:50 PM, Todd Maugh wrote:
OK, the error I see repeated in the log is

[13/Mar/2014:18:41:21 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:11 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:14 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:20 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:32 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:43:56 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:44:30 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -1 (Can't contact LDAP server) errno 0 (Success)
[13/Mar/2014:18:44:33 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:44:44 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:46:20 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:47:29 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:47:32 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:47:38 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:47:50 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:11 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:14 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:20 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:32 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:18:48:56 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[r...@idm-master-els.ops.boingo.com 
cacerts]$

Are all of these associated with the winsync agreement?



From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, March 13, 2014 11:43 AM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/13/2014 12:29 PM, Todd Maugh wrote:
OK so I ran that and get this output

Ok.  Next, take a look at /var/log/dirsrv/slapd-OPS

Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

2014-03-13 Thread Todd Maugh
ldap_int_select
read1msg: ld 0x25c4210 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 43 contents:
read1msg: ld 0x25c4210 msgid 3 message type search-entry
ldap_get_dn_ber
ber_scanf fmt ({ml{) ber:
dn: cn=Users,dc=bwinc,dc=local
ber_scanf fmt ({xx) ber:
ldap_get_attribute_ber
ldap_msgfree
ldap_result ld 0x25c4210 msgid -1
wait4msg ld 0x25c4210 msgid -1 (infinite timeout)
wait4msg continue ld 0x25c4210 msgid -1 all 0
** ld 0x25c4210 Connections:
* host: adc13-els.bwinc.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Mar 13 20:44:41 2014


** ld 0x25c4210 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x25c4210 request count 1 (abandoned 0)
** ld 0x25c4210 Response Queue:
   Empty
  ld 0x25c4210 response count 0
ldap_chkResponseList ld 0x25c4210 msgid -1 all 0
ldap_chkResponseList returns ld 0x25c4210 NULL
read1msg: ld 0x25c4210 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x25c4210 msgid 3 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x25c4210 0 new referrals
read1msg:  mark request completed, ld 0x25c4210 msgid 3
request done: ld 0x25c4210 msgid 3
res_errno: 0, res_error: , res_matched: 
ldap_free_request (origid 3, msgid 3)

ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed


From: Rich Megginson [rmegg...@redhat.com]
Sent: Thursday, March 13, 2014 1:29 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/13/2014 01:58 PM, Todd Maugh wrote:
I believe they are.

So here is the output of the log. It was showing those errors; I deleted the 
winsync agreement, then restarted IPA, then re-added the winsync agreement, and the 
errors returned. Could this be a cert issue?

[13/Mar/2014:19:48:20 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:48:44 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:49:32 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[13/Mar/2014:19:51:08 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)

Here I removed the winsync agreement: ipa-replica-manage del 
adc13-els.bwinc.local
then restarted IPA:

ipactl restart

[13/Mar/2014:19:51:50 +] NSMMReplicationPlugin - agmt_delete: begin
[13/Mar/2014:19:51:59 +] - slapd shutting down - signaling operation threads
[13/Mar/2014:19:51:59 +] - slapd shutting down - waiting for 29 threads to 
terminate
[13/Mar/2014:19:51:59 +] - slapd shutting down - closing down internal 
subsystems and plugins
[13/Mar/2014:19:51:59 +] - Waiting for 4 database threads to stop
[13/Mar/2014:19:51:59 +] - All database threads now stopped
[13/Mar/2014:19:51:59 +] - slapd stopped.
[13/Mar/2014:19:52:14 +] - 389-Directory/1.2.11.15 B2013.337.1530 starting 
up
[13/Mar/2014:19:52:14 +] schema-compat-plugin - warning: no entries set up 
under cn=computers, cn=compat,dc=ops,dc=boingo,dc=com
[13/Mar/2014:19:52:14 +] schema-compat-plugin - warning: no entries set up 
under cn=ng, cn=compat,dc=ops,dc=boingo,dc=com
[13/Mar/2014:19:52:14 +] schema-compat-plugin - warning: no entries set up 
under ou=sudoers,dc=ops,dc=boingo,dc=com
[13/Mar/2014:19:52:14 +] - Skipping CoS Definition cn=Password 
Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, which 
should be added before the CoS Definition.
[13/Mar/2014:19:52:14 +] set_krb5_creds - Could not get initial credentials 
for principal 
[ldap/idm-master-els.ops.boingo@ops.boingo.com]
 in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 
(Generic error (see e-text))
[13/Mar/2014:19:52:14 +] - Skipping CoS Definition cn=Password 
Policy,cn=accounts,dc=ops,dc=boingo,dc=com--no CoS Templates found, which 
should be added before the CoS Definition.
[13/Mar/2014:19:52:14 +] slapd_ldap_sasl_interactive_bind - Error: could 
not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local 
error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  
Minor code may provide more information (Credentials cache file 
'/tmp/krb5cc_495' not found)) errno 0 (Success)
[13/Mar/2014:19:52:14 +] slapi_ldap_bind - Error: could not perform 
interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[13/Mar/2014:19:52:14 +] NSMMReplicationPlugin - 
agmt=cn=meToidm-rep01-els.ops.boingo.com (idm-rep01-els:389): Replication 
bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic 
failure: GSSAPI Error

Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

2014-03-13 Thread Todd Maugh
I'm curious if the ldap.conf is wrong; here's what it looks like:

#File modified by ipa-client-install

URI ldaps://idm-master-els.ops.boingo.com
BASE dc=ops,dc=boingo,dc=com
TLS_CACERT /etc/openldap/cacerts/
TLS_REQCERT allow


From: Todd Maugh
Sent: Thursday, March 13, 2014 1:47 PM
To: Rich Megginson; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] [freeipa] Issues with Winsync agreement

Thank you, Rich, for all your help; I am inclined to think it's a cert issue as 
well.

So I ran the new command, and there are some lines that stick out to me in 
reference to the cert:

[r...@idm-master-els.ops.boingo.com ~]$ 
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -d 1 -xLLLZZ -h 
adc13-els.bwinc.local -D cn=idmadmin,cn=Users,dc=bwinc,dc=local -w 
XX -s base -b cn=Users,dc=bwinc,dc=local objectclass=* dn
ldap_create
ldap_url_parse_ext(ldap://adc13-els.bwinc.local)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP adc13-els.bwinc.local:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 172.22.170.13:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x25c4210 msgid 1
wait4msg ld 0x25c4210 msgid 1 (infinite timeout)
wait4msg continue ld 0x25c4210 msgid 1 all 1
** ld 0x25c4210 Connections:
* host: adc13-els.bwinc.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Mar 13 20:44:41 2014


** ld 0x25c4210 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x25c4210 request count 1 (abandoned 0)
** ld 0x25c4210 Response Queue:
   Empty
  ld 0x25c4210 response count 0
ldap_chkResponseList ld 0x25c4210 msgid 1 all 1
ldap_chkResponseList returns ld 0x25c4210 NULL
ldap_int_select
read1msg: ld 0x25c4210 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x25c4210 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x25c4210 0 new referrals
read1msg:  mark request completed, ld 0x25c4210 msgid 1
request done: ld 0x25c4210 msgid 1
res_errno: 0, res_error: , res_matched: 
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: certdb config: configDir='/etc/dirsrv/slapd-OPS-BOINGO-COM' 
tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/dirsrv/slapd-OPS-BOINGO-COM prefix .
TLS: error: the certificate file /etc/openldap/cacerts/ is not a file.
TLS: /etc/openldap/cacerts/ is not a valid CA certificate file - error 
-5953:Cannot perform a normal file operation on a directory.
TLS: certificate [CN=ADC13-ELS.BWINC.local] is not valid - error -8179:Peer's 
Certificate issuer is not recognized..
TLS certificate verification: subject: CN=ADC13-ELS.BWINC.local, issuer: 
CN=BoingoWirelessCA,DC=BWINC,DC=local, cipher: AES-128, security level: high, 
secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, 
cache not reusable: 0
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 61 bytes to sd 3
ldap_result ld 0x25c4210 msgid 2
wait4msg ld 0x25c4210 msgid 2 (infinite timeout)
wait4msg continue ld 0x25c4210 msgid 2 all 1
** ld 0x25c4210 Connections:
* host: adc13-els.bwinc.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Mar 13 20:44:41 2014


** ld 0x25c4210 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x25c4210 request count 1 (abandoned 0)
** ld 0x25c4210 Response Queue:
   Empty
  ld 0x25c4210 response count 0
ldap_chkResponseList ld 0x25c4210 msgid 2 all 1
ldap_chkResponseList returns ld 0x25c4210 NULL
ldap_int_select
read1msg: ld 0x25c4210 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x25c4210 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x25c4210 0 new referrals
read1msg:  mark request completed, ld 0x25c4210 msgid 2
request done: ld 0x25c4210 msgid 2
res_errno: 0, res_error: , res_matched: 
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: objectclass=*
put_filter: default
put_simple_filter: objectclass=*
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 69 bytes to sd 3
ldap_result ld 0x25c4210 msgid -1
wait4msg ld 0x25c4210 msgid -1 (infinite timeout)
wait4msg continue ld 0x25c4210 msgid -1 all 0
** ld 0x25c4210 Connections:
* host: adc13-els.bwinc.local  port: 389
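
The ldap.conf posted above points TLS_CACERT at a directory, which is exactly what 
the ldapsearch -d 1 trace reports ("is not a file"), and TLS_REQCERT allow tells 
the client to continue even when the server certificate cannot be verified, which 
is why the bind went ahead despite "Peer's Certificate issuer is not recognized". 
The following Python script is an added example (not from the thread, FreeIPA or 
OpenLDAP) that lints a client ldap.conf for these two weaknesses; the sample 
config is a copy of the one posted, and the filesystem probes are injectable so 
the checks run without the real files.

```python
import os

# Copy of the client ldap.conf posted in the thread (constructed sample for this example).
SAMPLE_LDAP_CONF = """\
#File modified by ipa-client-install

URI ldaps://idm-master-els.ops.boingo.com
BASE dc=ops,dc=boingo,dc=com
TLS_CACERT /etc/openldap/cacerts/
TLS_REQCERT allow
"""

# TLS_REQCERT settings under which a missing or unverifiable server certificate
# does not stop the session (see ldap.conf(5)); "demand" is the safe default.
WEAK_REQCERT = {"never", "allow"}


def parse_ldap_conf(text):
    """Parse the 'KEY value' lines of ldap.conf into a dict. Blank lines and
    '#' comments are skipped, keys are uppercased, and a later line overrides
    an earlier one, matching how the client reads the file."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def check_ldap_conf(text, isfile=os.path.isfile, isdir=os.path.isdir):
    """Return a list of findings; an empty list means the config passed.
    The filesystem probes are injectable so the checks can run anywhere."""
    conf = parse_ldap_conf(text)
    findings = []

    cacert = conf.get("TLS_CACERT")
    if cacert is None and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT or TLS_CACERTDIR: the server certificate "
                        "cannot be verified against any CA")
    elif cacert is not None:
        if cacert.endswith("/") or isdir(cacert):
            findings.append("TLS_CACERT %s is a directory; it must name a CA "
                            "certificate file (a directory belongs in TLS_CACERTDIR)" % cacert)
        elif not isfile(cacert):
            findings.append("TLS_CACERT %s does not exist" % cacert)

    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in WEAK_REQCERT:
        findings.append("TLS_REQCERT %s lets the session continue without a valid "
                        "server certificate; use demand" % reqcert)

    uri = conf.get("URI", "")
    if uri.startswith("ldap://"):
        findings.append("URI %s is plaintext ldap://; use ldaps:// unless every "
                        "client is known to negotiate StartTLS" % uri)

    return findings


if __name__ == "__main__":
    for finding in check_ldap_conf(SAMPLE_LDAP_CONF) or ["no findings"]:
        print(finding)
```

Run against the posted config it reports the directory-valued TLS_CACERT and the 
permissive TLS_REQCERT; a config that names a CA file (for example the 
/etc/ipa/ca.crt mentioned later in this digest) with TLS_REQCERT demand passes.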

[Freeipa-users] Password sync woes

2014-03-13 Thread Todd Maugh
Sorry guys, me again.

So I have my winsync agreement up

and I now have my password sync set up

the cert has been imported

SSL is configured properly,

but when I go to change a password in AD

I see this error in passsync.log

LDAP error in QueryUsername
32: No such object


any thoughts on this?

thanks

-Todd

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] How to remove the CA cert from an IDM replica

2014-03-12 Thread Todd Maugh
I need to remove the CA certs on a box from a previous IDM install.

What is the command to do this?

The error I'm getting is:

A CA is already configured on this system.


Thanks

-Todd
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] How to remove the CA cert from an IDM replica

2014-03-12 Thread Todd Maugh
Red Hat 6.5

Latest IPA from yum




From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Wednesday, March 12, 2014 2:16 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How to remove the CA cert from an IDM replica

On 03/12/2014 05:10 PM, Todd Maugh wrote:
I need to remove the CA certs on a box from a previous IDM install.

What is the command to do this?

The error I'm getting is:

A CA is already configured on this system.



Which OS and which version?

Thanks

-Todd



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
http://www.redhat.com/carveoutcosts/



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] How to remove the CA cert from an IDM replica

2014-03-12 Thread Todd Maugh
I'm seeing this error:

Where is the install log located?

[root@idm-rep02-w1c-aws ipa]# ipa-replica-install --setup-ca 
/var/lib/ipa/replica-info-idm-rep02-w1c-aws.ops.boingo.com.gpg --skip-conncheck
Directory Manager (existing master) password: 

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
A CA is already configured on this system.
[root@idm-rep02-w1c-aws ipa]# ipa-replica-install  
/var/lib/ipa/replica-info-idm-rep02-w1c-aws.ops.boingo.com.gpg --skip-conncheck
Directory Manager (existing master) password: 

Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv): Estimated time 1 minute
  [1/31]: creating directory server user
  [2/31]: creating directory server instance
  [3/31]: adding default schema
  [4/31]: enabling memberof plugin
  [5/31]: enabling winsync plugin
  [6/31]: configuring replication version plugin
  [7/31]: enabling IPA enrollment plugin
  [8/31]: enabling ldapi
  [9/31]: disabling betxn plugins
  [10/31]: configuring uniqueness plugin
  [11/31]: configuring uuid plugin
  [12/31]: configuring modrdn plugin
  [13/31]: enabling entryUSN plugin
  [14/31]: configuring lockout plugin
  [15/31]: creating indices
  [16/31]: enabling referential integrity plugin
  [17/31]: configuring ssl for ds instance
  [18/31]: configuring certmap.conf
  [19/31]: configure autobind for root
  [20/31]: configure new location for managed entries
  [21/31]: restarting directory server
  [22/31]: setting up initial replication
Starting replication, please wait until this has completed.
[idm-master-els.ops.boingo.com] reports: Update failed! Status: [-1  - LDAP 
error: Can't contact LDAP server]

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Simo Sorce [s...@redhat.com]
Sent: Wednesday, March 12, 2014 2:23 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How to remove the CA cert from an IDM replica

On Wed, 2014-03-12 at 21:10 +, Todd Maugh wrote:
 I need to remove the CA certs on a box from a previous IDM install.

 What is the command to do this?

 The error I'm getting is:

 A CA is already configured on this system.

rm /etc/ipa/ca.crt

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



Re: [Freeipa-users] How to remove the CA cert from an IDM replica

2014-03-12 Thread Todd Maugh
But don't I have to remove it from the cert DB?

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Simo Sorce [s...@redhat.com]
Sent: Wednesday, March 12, 2014 2:23 PM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How to remove the CA cert from an IDM replica

On Wed, 2014-03-12 at 21:10 +, Todd Maugh wrote:
 I need to remove the CA certs on a box from a previous IDM install.

 What is the command to do this?

 The error I'm getting is:

 A CA is already configured on this system.

rm /etc/ipa/ca.crt

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



Re: [Freeipa-users] How to remove the CA cert from an IDM replica

2014-03-12 Thread Todd Maugh
Skipping the conncheck due to a clock skew error.

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, March 12, 2014 2:39 PM
To: Todd Maugh; Simo Sorce; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How to remove the CA cert from an IDM replica

Todd Maugh wrote:
 I'm seeing this error:

 Where is the install log located?

 [root@idm-rep02-w1c-aws ipa]# ipa-replica-install --setup-ca 
 /var/lib/ipa/replica-info-idm-rep02-w1c-aws.ops.boingo.com.gpg 
 --skip-conncheck
 Directory Manager (existing master) password:

 Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
 Done configuring NTP daemon (ntpd).
 A CA is already configured on this system.

# /usr/bin/pkiremove -pki_instance_root=/var/lib
-pki_instance_name=pki-ca --force

 [root@idm-rep02-w1c-aws ipa]# ipa-replica-install  
 /var/lib/ipa/replica-info-idm-rep02-w1c-aws.ops.boingo.com.gpg 
 --skip-conncheck
 Directory Manager (existing master) password:

 Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
 Done configuring NTP daemon (ntpd).
 Configuring directory server (dirsrv): Estimated time 1 minute
[1/31]: creating directory server user
[2/31]: creating directory server instance
[3/31]: adding default schema
[4/31]: enabling memberof plugin
[5/31]: enabling winsync plugin
[6/31]: configuring replication version plugin
[7/31]: enabling IPA enrollment plugin
[8/31]: enabling ldapi
[9/31]: disabling betxn plugins
[10/31]: configuring uniqueness plugin
[11/31]: configuring uuid plugin
[12/31]: configuring modrdn plugin
[13/31]: enabling entryUSN plugin
[14/31]: configuring lockout plugin
[15/31]: creating indices
[16/31]: enabling referential integrity plugin
[17/31]: configuring ssl for ds instance
[18/31]: configuring certmap.conf
[19/31]: configure autobind for root
[20/31]: configure new location for managed entries
[21/31]: restarting directory server
[22/31]: setting up initial replication
 Starting replication, please wait until this has completed.
 [idm-master-els.ops.boingo.com] reports: Update failed! Status: [-1  - LDAP 
 error: Can't contact LDAP server]

Why are you skipping the conncheck? It looks like there is a firewall issue.

rob


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


[Freeipa-users] [freeipa] Issues with Winsync agreement

2014-03-12 Thread Todd Maugh
Hello.

I'm using the latest IPA build on Red Hat 6.5.

I retrieved my CA cert from the AD domain controller.

I try to set up my winsync agreement and I am getting this:



[r...@idm-master-els.ops.boingo.com ipa]$ ipa-replica-manage connect --winsync 
--binddn cn=idmadmin, cn=Users, dc=bwinc, dc=local --bindpw XX 
--passsync XX --cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer 
adc13-els.bwinc.local
Directory Manager password:

Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to certificate 
database for idm-master-els.ops.boingo.com
ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local
ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, comment: 
AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'}
Failed to setup winsync replication


Not sure where to look for the logs for this to see what the invalid 
credentials are, or whether this might still be a cert issue or a login issue or 
whatnot.


Thanks in advance for the help

-Todd


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
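
The "data 52e" sub-code inside AD's AcceptSecurityContext error answers the 
question in the post above: the domain controller got as far as checking the 
password for the bind DN, so the connection and TLS handshake were fine and the 
problem is the bind identity or password (a 525 would mean the bind DN itself was 
not found). The Python snippet below is an added example, not from the thread or 
from FreeIPA: it pulls the sub-code out of ipa-replica-manage's "The error was" 
line and maps it to Microsoft's documented meanings. The first sample line is the 
one from the post; the other two are constructed to show a locked-out account and 
a transport failure.

```python
import ast
import re

# Sub-codes that Active Directory appends as "data NNN" (hex) to a rejected
# simple bind. Meanings follow Microsoft's documented LDAP bind error data values.
AD_BIND_DATA_CODES = {
    "525": "user not found (bind DN does not resolve to an account)",
    "52e": "invalid credentials (account exists, password is wrong)",
    "530": "logon not permitted at this time (logon hours restriction)",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "534": "requested logon type not granted at this machine",
    "701": "account expired",
    "773": "user must reset password before first logon",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
_IPA_ERR_RE = re.compile(r"The error was: (\{.*\})")


def parse_ad_bind_error(info):
    """Extract (data_code, meaning) from AD's 'additional info' text, or None
    when the text carries no AcceptSecurityContext sub-code."""
    m = _DATA_RE.search(info)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_DATA_CODES.get(code, "unknown sub-code")


def classify_ipa_winsync_line(line):
    """Interpret one "ipa: INFO: The error was: {...}" line as printed by
    ipa-replica-manage connect --winsync. The braces hold a Python dict repr,
    so it is parsed with ast.literal_eval (never eval). Returns None for other lines."""
    m = _IPA_ERR_RE.search(line)
    if not m:
        return None
    err = ast.literal_eval(m.group(1))
    result = {"desc": err.get("desc"), "data": None, "meaning": None}
    parsed = parse_ad_bind_error(err.get("info", ""))
    if parsed is None:
        result["verdict"] = ("no AD sub-code in the response; check connectivity "
                             "and TLS (DNS, firewall, CA certificate) before credentials")
    else:
        result["data"], result["meaning"] = parsed
        result["verdict"] = ("the DC evaluated and rejected the bind, so the transport "
                             "and TLS handshake worked; fix the bind DN or password")
    return result


# Constructed sample output: the second line is the one from the thread, the
# third and fourth are made up to show a locked-out account and a transport failure.
SAMPLE_OUTPUT = [
    "ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local",
    "ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, comment: "
    "AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'}",
    "ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, comment: "
    "AcceptSecurityContext error, data 775, v2580', 'desc': 'Invalid credentials'}",
    "ipa: INFO: The error was: {'desc': \"Can't contact LDAP server\"}",
]


def triage(lines):
    """Classify every recognised error line; lines without an error dict are skipped."""
    return [r for r in (classify_ipa_winsync_line(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for r in triage(SAMPLE_OUTPUT):
        print("%-28s data=%-4s %s" % (r["desc"], r["data"], r["meaning"]))
        print("  -> " + r["verdict"])
```

The same parse works on the "ldap_bind: Invalid credentials (49) / additional 
info: ..." pair that ldapsearch prints, since the sub-code lives in the same 
AcceptSecurityContext text.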

Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

2014-03-12 Thread Todd Maugh
Thanks Rich,

When I run that I get the following:


[r...@idm-master-els.ops.boingo.com ipa]$ 
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-OPS-BOINGO-COM ldapsearch -xLLLZZ -h 
adc13-els.bwinc.local -D cn=idmadmin,cn=Users,dc=bwinc,dc=local -w XX s 
base -b cn=Users,dc=bwinc,dc=local
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903C5, comment: 
AcceptSecurityContext error, data 52e, v2580




From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, March 12, 2014 3:30 PM
To: Todd Maugh; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] [freeipa] Issues with Winsync agreement

On 03/12/2014 04:18 PM, Todd Maugh wrote:
Hello.

I'm using the latest IPA build on Red Hat 6.5.

I retrieved my CA cert from the AD domain controller.

I try to set up my winsync agreement and I am getting this:



[r...@idm-master-els.ops.boingo.com 
ipa]$ ipa-replica-manage connect --winsync --binddn cn=idmadmin, cn=Users, 
dc=bwinc, dc=local --bindpw XX --passsync XX 
--cacert=/etc/openldap/cacerts/ADC13-ELS.CA.cer adc13-els.bwinc.local
Directory Manager password:

Added CA certificate /etc/openldap/cacerts/ADC13-ELS.CA.cer to certificate 
database for idm-master-els.ops.boingo.com
ipa: INFO: Failed to connect to AD server adc13-els.bwinc.local
ipa: INFO: The error was: {'info': '80090308: LdapErr: DSID-0C0903C5, comment: 
AcceptSecurityContext error, data 52e, v2580', 'desc': 'Invalid credentials'}
Failed to setup winsync replication


Not sure where to look for the logs for this to see what the invalid 
credentials are, or whether this might still be a cert issue or a login issue or 
whatnot.

You can test with ldapsearch like this:

$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-DOMAIN-COM ldapsearch -xLLLZZ -h 
adc13-els.bwinc.local -D cn=idmadmin,cn=Users,dc=bwinc,dc=local -w XX 
-s base -b cn=Users,dc=bwinc,dc=local



Thanks in advance for the help

-Todd





___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


[Freeipa-users] adding ubuntu client to red hat server

2014-02-21 Thread Todd Maugh
Hello,

 Another day, another issue it seems :)

So I'm trying to set up an Ubuntu client. I get almost all the way through the 
install and it fails with a version error. I've heard this is a known bug and 
there is a fix out there, although I'm not sure how to apply the fix or get the 
older client install.

my error is as follows:

Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
host_mod: 2.58 client incompatible with 2.49 server at 
u'https://se-idm-01.boingo.com/ipa/xml'
Failed to upload host SSH public keys.


Please help

Thanks

-Todd
tma...@boingo.com
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] adding ubuntu client to red hat server

2014-02-21 Thread Todd Maugh
Thanks, I'm trying that but running into an issue where it says I'm still 
installed. I run the uninstall command and I get this:

root@se-idm-ubuntu-client-01:~# ipa-client-install --uninstall
Unconfigured automount client failed: [Errno 2] No such file or directory
certmonger failed to start: [Errno 2] No such file or directory: 
'/var/run/ipa/services.list'
certmonger failed to stop: [Errno 2] No such file or directory: 
'/var/run/ipa/services.list'
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration:

Isn't there a conf file I can remove or a way to force the uninstall?



From: Will Sheldon [m...@willsheldon.com]
Sent: Friday, February 21, 2014 9:32 AM
To: Todd Maugh
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] adding ubuntu client to red hat server


I ran into this; there was a post about it a little while back. It seems that 
you can modify ipapython/version.py to revert the version number for enrolment, 
then revert it, with no ill effects.

 My script looks like:

# Revert the reported version of ipapython so keys will upload properly (back up first, though).
cp /usr/share/pyshared/ipapython/version.py /usr/share/pyshared/ipapython/version.py.bak
sed -i "s/API_VERSION=.*/API_VERSION=u'2.49'/g" /usr/share/pyshared/ipapython/version.py

# Install!
ipa-client-install -d -U --enable-dns-updates --hostname=$FQDN --mkhomedir --password=$PASS

# Revert the change to the ipapython version back again.
#rm -f /usr/share/pyshared/ipapython/version.py && mv /usr/share/pyshared/ipapython/version.py.bak /usr/share/pyshared/ipapython/version.py




Kind regards,

Will Sheldon
+1.778-689-1244


On Friday, February 21, 2014 at 9:20 AM, Todd Maugh wrote:

Hello,

 Another day, another issue it seems :)

So I'm trying to set up an Ubuntu client. I get almost all the way through the 
install and it fails with a version error. I've heard this is a known bug and 
there is a fix out there, although I'm not sure how to apply the fix or get the 
older client install.

my error is as follows:

Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
host_mod: 2.58 client incompatible with 2.49 server at 
u'https://se-idm-01.boingo.com/ipa/xml'
Failed to upload host SSH public keys.


Please help

Thanks

-Todd
tma...@boingo.com
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] adding ubuntu client to red hat server

2014-02-21 Thread Todd Maugh
OK, I got it to go through with this,

but I don't understand the errors, because it didn't seem to work.

Domain boingo.com is already configured in existing SSSD config, creating a new 
one.
The old /etc/sssd/sssd.conf is backed up and will be restored during uninstall.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm BOINGO.COM
trying https://se-idm-01.boingo.com/ipa/xml
Forwarding 'env' to server u'https://se-idm-01.boingo.com/ipa/xml'
Hostname (se-idm-ubuntu-client-01.boingo.com) not found in DNS
Failed to update DNS records.
certmonger failed to stop: [Errno 2] No such file or directory: 
'/var/run/ipa/services.list'
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
Could not update DNS SSHFP records.



From: Will Sheldon [m...@willsheldon.com]
Sent: Friday, February 21, 2014 9:46 AM
To: Todd Maugh
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] adding ubuntu client to red hat server

I also ran into this problem. I ended up using VMs to test and just reverting 
to snapshots.

I believe that the install script checks for the presence of a couple of files that 
you can delete to be able to retry, though; have a look in the install script. 
(Also, did you try with '--force'?)


Kind regards,

Will Sheldon
+1.778-689-1244


On Friday, February 21, 2014 at 9:42 AM, Todd Maugh wrote:

Thanks, I'm trying that but running into an issue where it says I'm still 
installed. I run the uninstall command and I get this:

root@se-idm-ubuntu-client-01:~# ipa-client-install --uninstall
Unconfigured automount client failed: [Errno 2] No such file or directory
certmonger failed to start: [Errno 2] No such file or directory: 
'/var/run/ipa/services.list'
certmonger failed to stop: [Errno 2] No such file or directory: 
'/var/run/ipa/services.list'
Disabling client Kerberos and LDAP configurations
Failed to remove krb5/LDAP configuration:

Isn't there a conf file I can remove or a way to force the uninstall?



From: Will Sheldon [m...@willsheldon.com]
Sent: Friday, February 21, 2014 9:32 AM
To: Todd Maugh
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] adding ubuntu client to red hat server


I ran into this; there was a post about it a little while back. It seems that 
you can modify ipapython/version.py to revert the version number for enrolment, 
then revert it, with no ill effects.

 My script looks like:

# Revert the reported version of ipapython so keys will upload properly (back up first, though).
cp /usr/share/pyshared/ipapython/version.py /usr/share/pyshared/ipapython/version.py.bak
sed -i "s/API_VERSION=.*/API_VERSION=u'2.49'/g" /usr/share/pyshared/ipapython/version.py

# Install!
ipa-client-install -d -U --enable-dns-updates --hostname=$FQDN --mkhomedir --password=$PASS

# Revert the change to the ipapython version back again.
#rm -f /usr/share/pyshared/ipapython/version.py && mv /usr/share/pyshared/ipapython/version.py.bak /usr/share/pyshared/ipapython/version.py




Kind regards,

Will Sheldon
+1.778-689-1244


On Friday, February 21, 2014 at 9:20 AM, Todd Maugh wrote:

Hello,

Another day, another issue it seems :)

So I'm trying to set up an Ubuntu client. I get almost all the way through the 
install and it fails with a version error. I've heard this is a known bug and 
there is a fix out there, although I'm not sure how to apply the fix or get the 
older client install.

my error is as follows:

Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_dsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
host_mod: 2.58 client incompatible with 2.49 server at 
u'https://se-idm-01.boingo.com/ipa/xml'
Failed to upload host SSH public keys.


Please help

Thanks

-Todd
tma...@boingo.com
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Ubuntu Client HELL

2014-02-21 Thread Todd Maugh
thanks Rob! the main issue I am having is that the install is not completing 
and setting this ubuntu host up as a client.

I cleared out the old cert as you suggested, the ssh keys were copied over from 
a previous attempt. I'm not using IPA as DNS and I understand the ntp part.


so now my install finishes up like this:

Forwarding 'host_mod' to server u'https://se-idm-01.boingo.com/ipa/xml'
NSSConnection init se-idm-01.boingo.com
Connecting: 66.103.90.130:0
handshake complete, peer = 66.103.90.130:443
received Set-Cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; 
Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; 
Secure; HttpOnly'
storing cookie 'ipa_session=8df7bbb20b25f2d7ede3c6df88f4832b; 
Domain=se-idm-01.boingo.com; Path=/ipa; Expires=Fri, 21 Feb 2014 20:25:02 GMT; 
Secure; HttpOnly' for principal 
host/se-idm-ubuntu-client-01.boingo@boingo.com
Starting external process
args=keyctl search @s user 
ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com
Process finished, return code=1
stdout=
stderr=keyctl_search: Required key not available

Starting external process
args=keyctl search @s user 
ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com
Process finished, return code=1
stdout=
stderr=keyctl_search: Required key not available

Starting external process
args=keyctl padd user 
ipa_session_cookie:host/se-idm-ubuntu-client-01.boingo@boingo.com @s
Process finished, return code=0
stdout=700576616

stderr=
Caught fault 4202 from server https://se-idm-01.boingo.com/ipa/xml: no 
modifications to be performed
Writing nsupdate commands to /etc/ipa/.dns_update.txt:
zone boingo.com.
update delete se-idm-ubuntu-client-01.boingo.com. IN SSHFP
send
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 1 
AD5C9E4F7AEA55418455D54D84862A2B6EC16AB4
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 1 2 
B1BE4E3E3B4A79CFFCE5B3BBCC31DFB9979F6A1D97EF4E3EF8F8295C2595033A
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 1 
D456E5C237736406CB5F4B4C24C836217B6D977E
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 2 2 
8125272934E18BFDDA77D5B03BBBF600A0833C37669C568A3476D623A191C457
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 1 
270551D349212B7112D4A9079FF490C8D6733041
update add se-idm-ubuntu-client-01.boingo.com. 1200 IN SSHFP 3 2 
0BC5F5FA7155A03BD9B05DDD5882FD907A0FC8C6D6F6F3341521D4F7B57D3662
send

Starting external process
args=/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt
Process finished, return code=1
stdout=
stderr=tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor 
code may provide more information, Minor = Server 
DNS/ns-1454.awsdns-53@boingo.com not found in Kerberos database.

nsupdate failed: Command '/usr/bin/nsupdate -g /etc/ipa/.dns_update.txt' 
returned non-zero exit status 1
Could not update DNS SSHFP records.
Starting external process
args=/usr/sbin/service nscd status
Process finished, return code=1
stdout=
stderr=nscd: unrecognized service

Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'



thanks in advance for any help

-Todd

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Friday, February 21, 2014 11:57 AM
To: freeipa-users
Subject: Re: [Freeipa-users] Ubuntu Client HELL

Todd Maugh wrote:
 I'm in limbo here trying to solve this issue

It would help if you said what issue you were having...

And what version of the client you are running.

Trolling through the log I see a couple of things:

ntpdate failed, but that can happen if you already have ntpd configured
on your client. We have a ticket open on that.

The DNS update failed, presumably because you aren't using IPA for DNS.
Not a big deal.

The certmonger failure is due to a bad uninstall in the past. It is
still tracking an old cert. You can clear it with:

# ipa-getcert list
# ipa-getcert stop-tracking -i <request id>

The SSH keys are failing to load because they already exist in the host
entry. I guess it was pre-created, or left over from a previous attempt?
It doesn't appear to be a fatal error.

rob


 Here is my output with the debug

 root@se-idm-ubuntu-client-01:/var/lib/ipa-client/sysrestore#
 ipa-client-install -d --no-dns-sshfp
 --hostname=se-idm-ubuntu-client-01.boingo.com --force-join
 --domain=boingo.com --server=se-idm-01.boingo.com
 /usr/sbin/ipa-client-install was invoked with options: {'domain':
 'boingo.com', 'force': False, 'krb5_offline_passwords': True, 'primary':
 False, 'realm_name': None, 'force_ntpd': False, 'create_sshfp': False,
 'conf_sshd': True, 'conf_ntp': True, 'on_master': False, 'ntp_server':
 None, 'ca_cert_file': None, 'principal': None, 'keytab': None,
 'hostname': 'se-idm-ubuntu-client

[Freeipa-users] Setting up sudo

2014-02-13 Thread Todd Maugh
the documentation is kinda vague on some parts

from the documentation:

Because the sudo information is not available anonymously over LDAP by default, 
Identity Management defines a default sudo user, 
uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo 
configuration file, /etc/sud-ldap.conf.

So is this user supposed to be already predefined, or do I need to create the 
user and then modify it?

thanks

-Todd
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Setting up sudo

2014-02-13 Thread Todd Maugh
And if I am configuring the sud-ldap.conf,


what should it look like? Does anyone have an example?



From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Todd Maugh [tma...@boingo.com]
Sent: Thursday, February 13, 2014 3:17 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Setting up sudo

the documentation is kinda vague on some parts

from the documentation:

Because the sudo information is not available anonymously over LDAP by default, 
Identity Management defines a default sudo user, 
uid=sudo,cn=sysaccounts,cn=etc,$SUFFIX, which can be set in the LDAP/sudo 
configuration file, /etc/sud-ldap.conf.

So is this user supposed to be already predefined, or do I need to create the 
user and then modify it?

thanks

-Todd
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] trouble creating a replica in the cloud

2014-02-12 Thread Todd Maugh
Thanks guys, turns out this was a Red Hat bug in the 6.4 image of the AWS 
instance, so I built in 6.5

and was able to get past it, but now I'm failing with this:

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-install.log for details:
ObjectclassViolation: missing attribute idnsSOAserial required by object 
class idnsZone

I tried attaching the log file but unfortunately it's 30 MB; trying to compress.




From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, February 12, 2014 10:36 AM
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] trouble creating a replica in the cloud

Dmitri Pal wrote:
 On 02/11/2014 05:02 PM, Todd Maugh wrote:
 Hey Guys,

 So I have my master and replica up in my datacenter.

 I have a client, I have a winsync agreement, I have a password sync.

 It's working lovely.

 So now I have spun up an AWS instance of Red Hat 6.5 (same as my
 master and first replica)

 I run the ipa replica and it fails


 ipa-replica-install --setup-ca --setup-dns --no-forwarders
 /var/lib/ipa/replica-info-se-idm-03.boingo.com.gpg
 Directory Manager (existing master) password:

 Run connection check to master
 Check connection from replica to remote master 'se-idm-01.boingo.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK

 The following list of ports use UDP protocol and would need to be
 checked manually:
Kerberos KDC: UDP (88): SKIPPED
Kerberos Kpasswd: UDP (464): SKIPPED

 Connection from replica to master is OK.
 Start listening on required ports for remote master check
 Get credentials to log in to remote master
 ad...@boingo.com password:

 Execute check on remote master
 Check connection from master to remote replica 'se-idm-03.boingo.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos KDC: UDP (88): OK
Kerberos Kpasswd: TCP (464): OK
Kerberos Kpasswd: UDP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK

 Connection from master to replica is OK.

 Connection check OK
 Configuring NTP daemon (ntpd)
   [1/4]: stopping ntpd
   [2/4]: writing configuration
   [3/4]: configuring ntpd to start on boot
   [4/4]: starting ntpd
 Done configuring NTP daemon (ntpd).
 Configuring directory server for the CA (pkids): Estimated time 30 seconds
   [1/3]: creating directory server user
   [2/3]: creating directory server instance
 ipa : CRITICAL failed to create ds instance Command
 '/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3'
 returned non-zero exit status 1
   [3/3]: restarting directory server
 ipa : CRITICAL Failed to restart the directory server. See the
 installation log for details.
 Done configuring directory server for the CA (pkids).

 Your system may be partly configured.
 Run /usr/sbin/ipa-server-install --uninstall to clean up.
 Can't contact LDAP server


 I check the log file and this is what I get

 2014-02-11T19:55:48Z DEBUG calling setup-ds.pl
 2014-02-11T19:57:53Z DEBUG args=/usr/sbin/setup-ds.pl --silent
 --logfile - -f /tmp/tmpo9ROF3
 2014-02-11T19:57:53Z DEBUG stdout=[11/Feb/2014:14:57:53 -0500]
 createprlistensockets - PR_Bind() on All Interfaces port 7389 failed:
 Netscape Portable Runtime error -5966 (Access Denied.)
 [11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All
 Interfaces port 7389 failed: Netscape Portable Runtime error -5966
 (Access Denied.)
 [14/02/11:14:57:53] - [Setup] Info Could not start the directory
 server using command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.
 The last line from the error log was '[11/Feb/2014:14:57:53 -0500] create
 prlistensockets - PR_Bind() on All Interfaces port 7389 failed:
 Netscape Portable Runtime error -5966 (Access Denied.)
 '.  Error: Unknown error 256
 Could not start the directory server using command
 '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.  The last line from the
 error log was '[11/Feb/2014:14:57:53 -0500] createprlistensockets -
 PR_Bind() on All
 Interfaces port 7389 failed: Netscape Portable Runtime error -5966
 (Access Denied.)
 '.  Error: Unknown error 256
 [14/02/11:14:57:53] - [Setup] Fatal Error: Could not create directory
 server instance 'PKI-IPA'.
 Error: Could not create directory server instance 'PKI-IPA'.
 [14/02/11:14:57:53] - [Setup] Fatal Exiting . . .
 Log file is '-'

 Exiting . . .
 Log file is '-'




 Please help




 ___
 Freeipa-users

[Freeipa-users] trouble creating a replica in the cloud

2014-02-11 Thread Todd Maugh
Hey Guys,

So I have my master and replica up in my datacenter.

I have a client, I have a winsync agreement, I have a password sync.

It's working lovely.

So now I have spun up an AWS instance of Red Hat 6.5 (same as my master and 
first replica)

I run the ipa replica and it fails


ipa-replica-install --setup-ca --setup-dns --no-forwarders 
/var/lib/ipa/replica-info-se-idm-03.boingo.com.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'se-idm-01.boingo.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
ad...@boingo.com password:

Execute check on remote master
Check connection from master to remote replica 'se-idm-03.boingo.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

Connection from master to replica is OK.

Connection check OK
Configuring NTP daemon (ntpd)
  [1/4]: stopping ntpd
  [2/4]: writing configuration
  [3/4]: configuring ntpd to start on boot
  [4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server for the CA (pkids): Estimated time 30 seconds
  [1/3]: creating directory server user
  [2/3]: creating directory server instance
ipa : CRITICAL failed to create ds instance Command 
'/usr/sbin/setup-ds.pl --silent --logfile - -f /tmp/tmpo9ROF3' returned 
non-zero exit status 1
  [3/3]: restarting directory server
ipa : CRITICAL Failed to restart the directory server. See the 
installation log for details.
Done configuring directory server for the CA (pkids).

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Can't contact LDAP server


I check the log file and this is what I get

2014-02-11T19:55:48Z DEBUG calling setup-ds.pl
2014-02-11T19:57:53Z DEBUG args=/usr/sbin/setup-ds.pl --silent --logfile - -f 
/tmp/tmpo9ROF3
2014-02-11T19:57:53Z DEBUG stdout=[11/Feb/2014:14:57:53 -0500] 
createprlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape 
Portable Runtime error -5966 (Access Denied.)
[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All 
Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access 
Denied.)
[14/02/11:14:57:53] - [Setup] Info Could not start the directory server using 
command '/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.  The last line from the 
error log was '[11/Feb/2014:14:57:53 -0500] create
prlistensockets - PR_Bind() on All Interfaces port 7389 failed: Netscape 
Portable Runtime error -5966 (Access Denied.)
'.  Error: Unknown error 256
Could not start the directory server using command 
'/usr/lib64/dirsrv/slapd-PKI-IPA/start-slapd'.  The last line from the error 
log was '[11/Feb/2014:14:57:53 -0500] createprlistensockets - PR_Bind() on All
Interfaces port 7389 failed: Netscape Portable Runtime error -5966 (Access 
Denied.)
'.  Error: Unknown error 256
[14/02/11:14:57:53] - [Setup] Fatal Error: Could not create directory server 
instance 'PKI-IPA'.
Error: Could not create directory server instance 'PKI-IPA'.
[14/02/11:14:57:53] - [Setup] Fatal Exiting . . .
Log file is '-'

Exiting . . .
Log file is '-'




Please help


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Creating password sync

2014-02-04 Thread Todd Maugh
Ok, So I have my replication agreement set up.

and I see accounts coming in to my IDM server from AD

I have followed this guide from redhat

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html

to set up my password sync.

I get no errors

but my passwords are not syncing!

Help! The documentation tells of no way to verify or troubleshoot.


Thank You

-Todd Maugh
tma...@boingo.com
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Creating password sync

2014-02-04 Thread Todd Maugh
also I have verified the password synchronization service is started and 
running on the windows 2008 R2 server


but I can't tell if or what it is doing because I'm not getting passwords to my 
IDM

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 9:04 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] Creating password sync

Ok, So I have my replication agreement set up.

and I see accounts coming in to my IDM server from AD

I have followed this guide from redhat

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html

to set up my password sync.

I get no errors

but my passwords are not syncing!

Help! The documentation tells of no way to verify or troubleshoot.


Thank You

-Todd Maugh
tma...@boingo.com
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Creating password sync

2014-02-04 Thread Todd Maugh
I'm seeing these errors in the passsync.log

32: No such object
02/03/14 16:23:40: Ldap error in QueryUsername
32: No such object
02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
02/03/14 16:57:48: Ldap bind error in Connect
32: No such object
02/03/14 16:57:48: Ldap error in QueryUsername
32: No such object
02/03/14 18:06:04: Abandoning password change for scottb, backoff expired
02/03/14 18:06:04: Ldap bind error in Connect
32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 10:25:00: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: PassSync service stopped
02/04/14 10:58:38: PassSync service initialized
02/04/14 10:58:38: PassSync service running
02/04/14 10:58:39: Ldap bind error in Connect
32: No such object




From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 9:19 AM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 10:17 AM, Todd Maugh wrote:
also I have verified the password synchronization service is started and 
running on the windows 2008 R2 server


but I can't tell if or what it is doing because I'm not getting passwords to my 
IDM
http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging

You can also look at the 389 access log to see if you have connections from the 
windows box.


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 9:04 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] Creating password sync

Ok, So I have my replication agreement set up.

and I see accounts coming in to my IDM server from AD

I have followed this guide from redhat

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html

to set up my password sync.

I get no errors

but my passwords are not syncing!

Help! The documentation tells of no way to verify or troubleshoot.


Thank You

-Todd Maugh
tma...@boingo.com

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
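Rich's suggestion in this exchange is to check the 389 access log on the IdM server for connections from the Windows box. The Python below is an added example, not code from the thread or from the PassSync project: it pairs each passsync.log error with the LDAP result code printed on the following line and correlates that with the BIND results the 389-ds access log records for the Windows host's IP. All log lines, IP addresses and DNs are constructed samples.

```python
"""Correlate PassSync's passsync.log with the 389-ds access log on the IdM server.

Added example, not part of the original thread or of PassSync. Both inputs are
constructed sample lines in the layouts the real tools write; the IP addresses
and DNs are placeholders.
"""
import re
from collections import defaultdict

# LDAP result codes that appear in the thread and what each usually means
# when PassSync reports it.
LDAP_RESULT_HINTS = {
    0: "success",
    32: "noSuchObject: the bind DN or search base configured in PassSync "
        "does not exist on this server",
    49: "invalidCredentials: the bind DN exists but the password is wrong",
    81: "serverDown: no LDAP connection at all (host name, port 636/TLS, "
        "firewall, or the directory server is not running)",
}

# passsync.log: a timestamped event line, optionally followed by "<code>: <text>"
PASSSYNC_EVENT = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d): (.+)$")
PASSSYNC_CODE = re.compile(r"^\s*(\d+): (.+)$")

# 389-ds access log: connection open, BIND request, and its RESULT line
CONN_OPEN = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to (\S+)")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT = re.compile(r"conn=(\d+) op=(\d+) RESULT err=(\d+)")


def parse_passsync_log(text):
    """Return (timestamp, message, code) tuples; code is None for status lines.

    PassSync prints the LDAP result code on the line after the error, so a code
    line is attached to the most recent event that has no code yet.
    """
    events = []
    for line in text.splitlines():
        m = PASSSYNC_EVENT.match(line)
        if m:
            events.append([m.group(1), m.group(2), None])
            continue
        m = PASSSYNC_CODE.match(line)
        if m and events and events[-1][2] is None:
            events[-1][2] = int(m.group(1))
    return [tuple(e) for e in events]


def bind_summary(access_log, peer_ip):
    """Map bind DN -> list of RESULT err codes for BINDs coming from peer_ip."""
    conn_ip = {}   # conn id -> client IP
    pending = {}   # (conn id, op id) -> bind DN waiting for its RESULT line
    out = defaultdict(list)
    for line in access_log.splitlines():
        m = CONN_OPEN.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND.search(line)
        if m and conn_ip.get(m.group(1)) == peer_ip:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            out[pending.pop((m.group(1), m.group(2)))].append(int(m.group(3)))
    return dict(out)


def diagnose(passsync_text, access_log, windows_ip):
    """Turn both logs into a short list of findings for the administrator."""
    findings = []
    codes = sorted({c for _, _, c in parse_passsync_log(passsync_text) if c})
    for c in codes:
        findings.append("passsync reports %d: %s"
                        % (c, LDAP_RESULT_HINTS.get(c, "see RFC 4511 result codes")))
    binds = bind_summary(access_log, windows_ip)
    if not binds:
        findings.append("no BIND from %s in the 389 access log: PassSync never "
                        "reached the server (expect code 81 on the Windows side)" % windows_ip)
    for dn, errs in sorted(binds.items()):
        findings.append("server saw %s bind as %s with results %s" % (windows_ip, dn, errs))
    return findings


# Constructed sample in passsync.log layout, mirroring the lines in the thread.
SAMPLE_PASSSYNC_LOG = """\
02/03/14 16:57:48: Ldap bind error in Connect
32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 12:29:14: Ldap bind error in Connect
81: Can't contact LDAP server
"""

# Constructed sample in 389-ds access log layout: 192.0.2.10 is the Windows
# box, 198.51.100.7 an admin workstation, 192.0.2.20 the IdM server.
SAMPLE_ACCESS_LOG = """\
[04/Feb/2014:10:25:00 -0800] conn=12 fd=64 slot=64 SSL connection from 192.0.2.10 to 192.0.2.20
[04/Feb/2014:10:25:00 -0800] conn=12 op=0 BIND dn="uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com" method=128 version=3
[04/Feb/2014:10:25:00 -0800] conn=12 op=0 RESULT err=32 tag=97 nentries=0 etime=0
[04/Feb/2014:10:25:00 -0800] conn=12 op=1 UNBIND
[04/Feb/2014:10:25:00 -0800] conn=12 op=1 fd=64 closed - U1
[04/Feb/2014:10:26:11 -0800] conn=13 fd=65 slot=65 connection from 198.51.100.7 to 192.0.2.20
[04/Feb/2014:10:26:11 -0800] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[04/Feb/2014:10:26:11 -0800] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""
```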

Re: [Freeipa-users] Creating password sync

2014-02-04 Thread Todd Maugh
now I am getting this after rerunning the install and trying to reinstall my 
cert

LDAP bind error in connect
   81: Can't Contact LDAP Server


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 11:56 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating password sync

I'm seeing these errors in the passsync.log

32: No such object
02/03/14 16:23:40: Ldap error in QueryUsername
32: No such object
02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
02/03/14 16:57:48: Ldap bind error in Connect
32: No such object
02/03/14 16:57:48: Ldap error in QueryUsername
32: No such object
02/03/14 18:06:04: Abandoning password change for scottb, backoff expired
02/03/14 18:06:04: Ldap bind error in Connect
32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 10:25:00: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: PassSync service stopped
02/04/14 10:58:38: PassSync service initialized
02/04/14 10:58:38: PassSync service running
02/04/14 10:58:39: Ldap bind error in Connect
32: No such object




From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 9:19 AM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 10:17 AM, Todd Maugh wrote:
also I have verified the password synchronization service is started and 
running on the windows 2008 R2 server


but I can't tell if or what it is doing because I'm not getting passwords to my 
IDM
http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging

You can also look at the 389 access log to see if you have connections from the 
windows box.


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 9:04 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] Creating password sync

Ok, So I have my replication agreement set up.

and I see accounts coming in to my IDM server from AD

I have followed this guide from redhat

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html

to set up my password sync.

I get no errors

but my passwords are not syncing!

Help! The documentation tells of no way to verify or troubleshoot.


Thank You

-Todd Maugh
tma...@boingo.com

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Creating password sync

2014-02-04 Thread Todd Maugh
my passhook.log file is empty

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 11:56 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating password sync

I'm seeing these errors in the passsync.log

32: No such object
02/03/14 16:23:40: Ldap error in QueryUsername
32: No such object
02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
02/03/14 16:57:48: Ldap bind error in Connect
32: No such object
02/03/14 16:57:48: Ldap error in QueryUsername
32: No such object
02/03/14 18:06:04: Abandoning password change for scottb, backoff expired
02/03/14 18:06:04: Ldap bind error in Connect
32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 10:25:00: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: PassSync service stopped
02/04/14 10:58:38: PassSync service initialized
02/04/14 10:58:38: PassSync service running
02/04/14 10:58:39: Ldap bind error in Connect
32: No such object




From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 9:19 AM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 10:17 AM, Todd Maugh wrote:
also I have verified the password synchronization service is started and 
running on the windows 2008 R2 server


but I can't tell if or what it is doing because I'm not getting passwords to my 
IDM
http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging

You can also look at the 389 access log to see if you have connections from the 
windows box.


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 9:04 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] Creating password sync

Ok, So I have my replication agreement set up.

and I see accounts coming in to my IDM server from AD

I have followed this guide from redhat

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html

to set up my password sync.

I get no errors

but my passwords are not syncing!

Help! The documentation tells of no way to verify or troubleshoot.


Thank You

-Todd Maugh
tma...@boingo.com

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Creating password sync

2014-02-04 Thread Todd Maugh
I have not changed any passwords in AD yet.

and the users I have in IDM  from AD, their passwords are not working



From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 12:40 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:20 PM, Todd Maugh wrote:
my passhook.log file is empty

Have you changed any passwords in AD?


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 11:56 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating password sync

I'm seeing these errors in the passsync.log

32: No such object
02/03/14 16:23:40: Ldap error in QueryUsername
32: No such object
02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
02/03/14 16:57:48: Ldap bind error in Connect
32: No such object
02/03/14 16:57:48: Ldap error in QueryUsername
32: No such object
02/03/14 18:06:04: Abandoning password change for scottb, backoff expired
02/03/14 18:06:04: Ldap bind error in Connect
32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 10:25:00: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: PassSync service stopped
02/04/14 10:58:38: PassSync service initialized
02/04/14 10:58:38: PassSync service running
02/04/14 10:58:39: Ldap bind error in Connect
32: No such object




From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 9:19 AM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 10:17 AM, Todd Maugh wrote:
also I have verified the password synchronization service is started and 
running on the windows 2008 R2 server


but I can't tell if or what it is doing because I'm not getting passwords to my 
IDM
http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging

You can also look at the 389 access log to see if you have connections from the 
windows box.


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 9:04 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] Creating password sync

Ok, So I have my replication agreement set up.

and I see accounts coming in to my IDM server from AD

I have followed this guide from redhat

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html

to set up my password sync.

I get no errors

but my passwords are not syncing!

Help! The documentation tells of no way to verify or troubleshoot.


Thank You

-Todd Maugh
tma...@boingo.com


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Creating password sync

2014-02-04 Thread Todd Maugh
I tried changing the password for a user in AD

this is what the passsync log shows:

02/04/14 12:29:14: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:34: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:34: Ldap error in QueryUsername
81: Can't contact LDAP server
02/04/14 12:49:36: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:36: Ldap error in QueryUsername
81: Can't contact LDAP server


And you say this is one of many issues with passsync. Do you recommend another 
option?



From: Todd Maugh
Sent: Tuesday, February 04, 2014 12:48 PM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: RE: Creating password sync

But what about the "can't contact LDAP server" in the passsync log?

and are you saying I should try to change one of the passwords in AD for it to 
go to IDM, or vice versa?

thanks



From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 12:45 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:42 PM, Todd Maugh wrote:
I have not changed any passwords in AD yet.

Then passsync will not have sent anything.


and the users I have in IDM  from AD, their passwords are not working

Right.  This is one of the (many) problems with the passsync approach - there 
currently is no way to populate the initial passwords - that is, passsync/IdM 
cannot copy your passwords over from AD to IdM.




From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 12:40 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:20 PM, Todd Maugh wrote:
my passhook.log file is empty

Have you changed any passwords in AD?


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 11:56 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Creating password sync

I'm seeing these errors in the passsync.log

32: No such object
02/03/14 16:23:40: Ldap error in QueryUsername
32: No such object
02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
02/03/14 16:57:48: Ldap bind error in Connect
32: No such object
02/03/14 16:57:48: Ldap error in QueryUsername
32: No such object
02/03/14 18:06:04: Abandoning password change for scottb, backoff expired
02/03/14 18:06:04: Ldap bind error in Connect
32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 10:25:00: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: Ldap bind error in Connect
32: No such object
02/04/14 10:58:37: PassSync service stopped
02/04/14 10:58:38: PassSync service initialized
02/04/14 10:58:38: PassSync service running
02/04/14 10:58:39: Ldap bind error in Connect
32: No such object




From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 9:19 AM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 10:17 AM, Todd Maugh wrote:
also I have verified the password synchronization service is started and 
running on the windows 2008 R2 server


but I can't tell if or what it is doing because I'm not getting passwords to my 
IDM
http://port389.org/wiki/Howto:WindowsSync#PassSync_Logging

You can also look at the 389 access log to see if you have connections from the 
windows box.


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 9:04 AM
To: Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: [Freeipa-users] Creating password sync

OK, so I have my replication agreement set up.

and I see accounts coming in to my IDM server from AD

I have followed this guide from redhat

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/pass-sync.html

to set up my password sync.

I get no errors

but my passwords are not syncing!

Help! The documentation tells of no way to verify or troubleshoot.


Thank You

-Todd Maugh
tma...@boingo.com

Re: [Freeipa-users] Creating password sync

2014-02-04 Thread Todd Maugh
but what about the "can't contact LDAP server" in the passsync log

and are you saying I should try to change one of the passwords in AD for it to 
go to IDM, or vice versa?

thanks



From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 12:45 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:42 PM, Todd Maugh wrote:
I have not changed any passwords in AD yet.

Then passsync will not have sent anything.


and the users I have in IDM  from AD, their passwords are not working

Right.  This is one of the (many) problems with the passsync approach - there 
currently is no way to populate the initial passwords - that is, passsync/IdM 
cannot copy your passwords over from AD to IdM.




___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
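
The two codes in the passsync.log excerpts above are standard LDAP result codes: 81 is the client-side "server down" code (the PassSync service never got an LDAPS session to IdM on port 636), and 32 is noSuchObject (the DN used by the failing operation does not exist on IdM; a bind that returns 32 means the bind DN itself was not found). The Python below is an added triage helper, not part of the thread or of PassSync, that folds a passsync.log excerpt into per-code counts, the operations each code hit, and the users whose password changes were abandoned; the sample log is constructed from the lines quoted above.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample modelled on the passsync.log lines quoted in this thread.
SAMPLE_LOG = """\
02/03/14 16:57:48: Abandoning password change for scottb, backoff expired
02/03/14 16:57:48: Ldap bind error in Connect
32: No such object
02/03/14 16:57:48: Ldap error in QueryUsername
32: No such object
02/04/14 10:24:59: PassSync service initialized
02/04/14 10:24:59: PassSync service running
02/04/14 12:29:14: Ldap bind error in Connect
81: Can't contact LDAP server
02/04/14 12:49:34: Ldap error in QueryUsername
81: Can't contact LDAP server
"""

# Standard LDAP result codes and the check each one points at when PassSync
# (on the AD domain controller) binds to the IdM 389 DS over LDAPS.
LDAP_CODE_HINTS = {
    32: ("noSuchObject",
         "the DN used by that operation does not exist on IdM: for the bind it is "
         "the PassSync account DN, for QueryUsername the search base or an unsynced user"),
    49: ("invalidCredentials",
         "IdM rejected the PassSync bind DN or password"),
    81: ("serverDown (client-side)",
         "no LDAPS session to IdM at all: check host/port 636, firewall, and "
         "whether the IdM CA certificate is trusted on the Windows host"),
}

ENTRY_RE = re.compile(r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}): (.*)$")
CODE_RE = re.compile(r"^(\d+): (.*)$")
ABANDON_RE = re.compile(r"Abandoning password change for (\S+), backoff expired")


@dataclass
class Triage:
    code_counts: Counter = field(default_factory=Counter)
    code_text: dict = field(default_factory=dict)        # code -> server message
    ops_by_code: dict = field(default_factory=dict)      # code -> set of operations
    last_seen: dict = field(default_factory=dict)        # code -> last timestamp
    abandoned_users: list = field(default_factory=list)  # changes PassSync gave up on
    restarts: int = 0


def triage_passsync_log(text):
    """Fold a passsync.log excerpt into counts per LDAP code, the operation each
    code hit, dropped users and service restarts.  A 'code: text' line belongs
    to the timestamped entry directly above it."""
    t = Triage()
    current_ts, current_op = None, None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current_ts, current_op = m.groups()
            a = ABANDON_RE.search(current_op)
            if a and a.group(1) not in t.abandoned_users:
                t.abandoned_users.append(a.group(1))
            if current_op == "PassSync service initialized":
                t.restarts += 1
            continue
        m = CODE_RE.match(line)
        if m and current_ts is not None:
            code = int(m.group(1))
            t.code_counts[code] += 1
            t.code_text[code] = m.group(2)
            t.ops_by_code.setdefault(code, set()).add(current_op)
            t.last_seen[code] = current_ts
    return t


def report(t):
    """Human-readable summary: one line per LDAP code, then dropped users."""
    lines = []
    for code in sorted(t.code_counts):
        name, hint = LDAP_CODE_HINTS.get(code, ("unknown", "look up the LDAP result code"))
        ops = ", ".join(sorted(t.ops_by_code[code]))
        lines.append(f"LDAP {code} {name} x{t.code_counts[code]} (last {t.last_seen[code]}; "
                     f"in: {ops}) -> {hint}")
    if t.abandoned_users:
        lines.append("password changes dropped, these users are now out of sync: "
                     + ", ".join(t.abandoned_users))
    lines.append(f"PassSync service (re)starts seen: {t.restarts}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage_passsync_log(SAMPLE_LOG)))
```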

Re: [Freeipa-users] Creating password sync

2014-02-04 Thread Todd Maugh
I tested an SSL connection from my LDAP server to AD

this is the output


  openssl s_client -connect qatestdc2.boingoqa.local:636
CONNECTED(0003)
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=27:certificate not trusted
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:
   i:/DC=local/DC=boingoqa/CN=SKYWARPCA
---
Server certificate
subject=
issuer=/DC=local/DC=boingoqa/CN=SKYWARPCA
---
Acceptable client certificate CA names

/DC=local/DC=boingoqa/CN=SKYWARPCA
/CN=QATESTDC2.boingoqa.local
/DC=local/DC=boingoqa/CN=boingoqaca
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID Root CA
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - 
For authorized use only/CN=VeriSign Class 3 Public Primary Certification 
Authority - G5
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits 
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority 
(2048)
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust 
Global Root
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
/O=BOINGO.COM/CN=Certificate Authority
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft 
Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority
/CN=NT AUTHORITY
---
SSL handshake has read 3480 bytes and written 601 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: AES128-SHA
Session-ID: 333C854E673466C6993943C1FBC7E65382AB7C486AFA750CB5F76D45302A
Session-ID-ctx:
Master-Key: 
63BF2A0621C3438C7CD8A0037B3769FC9182FF517B7D07265B8EE5F74FD90BBA0B8E56B9F466F3502F32C816076DAA47
Key-Arg   : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1391547347
Timeout   : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---




From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Todd Maugh [tma...@boingo.com]
Sent: Tuesday, February 04, 2014 12:53 PM
To: Rich Megginson; d
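
Every verify error in the transcript above (num=20, 27 and 21, and the final return code 21) reports the same condition: the side running s_client has no trust anchor for the issuer shown at depth 0, /DC=local/DC=boingoqa/CN=SKYWARPCA, and the server sent only its own certificate. The Python below is an added helper, not from the thread, that parses an s_client transcript into that issuer, the peer's advertised CA list and the verify result, then says which CA must be trusted locally; the transcript and the assumed local trust store (only the boingoqaca CA) are constructed for the example.

```python
import re

# Constructed, abbreviated copy of the openssl s_client transcript quoted above.
SAMPLE_SCLIENT = """\
CONNECTED(00000003)
depth=0
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify error:num=27:certificate not trusted
verify return:1
depth=0
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:
   i:/DC=local/DC=boingoqa/CN=SKYWARPCA
---
Server certificate
-----BEGIN CERTIFICATE-----
(body omitted in this constructed sample)
-----END CERTIFICATE-----
subject=
issuer=/DC=local/DC=boingoqa/CN=SKYWARPCA
---
Acceptable client certificate CA names

/DC=local/DC=boingoqa/CN=SKYWARPCA
/CN=QATESTDC2.boingoqa.local
/DC=local/DC=boingoqa/CN=boingoqaca
/O=BOINGO.COM/CN=Certificate Authority
---
SSL handshake has read 3480 bytes and written 601 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Protocol  : TLSv1
Verify return code: 21 (unable to verify the first certificate)
"""

VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")
RETURN_CODE_RE = re.compile(r"^Verify return code: (\d+) \((.*)\)$")


def parse_sclient(text):
    """Extract verify errors, the certificate chain, the peer's acceptable-CA
    list, the negotiated protocol and the final verify code from s_client output."""
    info = {"verify_errors": [], "chain": [], "acceptable_cas": [],
            "protocol": None, "return_code": None}
    in_ca_list = False
    for line in text.splitlines():
        if line == "Acceptable client certificate CA names":
            in_ca_list = True
            continue
        if line == "---":
            in_ca_list = False
            continue
        if in_ca_list:
            if line.strip():
                info["acceptable_cas"].append(line.strip())
            continue
        if m := VERIFY_ERR_RE.match(line):
            info["verify_errors"].append((int(m.group(1)), m.group(2)))
        elif m := CHAIN_RE.match(line):
            info["chain"].append({"depth": int(m.group(1)),
                                  "subject": m.group(2).strip(), "issuer": None})
        elif (m := ISSUER_RE.match(line)) and info["chain"]:
            info["chain"][-1]["issuer"] = m.group(1).strip()
        elif m := RETURN_CODE_RE.match(line):
            info["return_code"] = (int(m.group(1)), m.group(2))
        elif line.startswith("Protocol"):
            info["protocol"] = line.split(":", 1)[1].strip()
    return info


def diagnose(info, trusted_ca_subjects):
    """Decide whether the failure is a missing trust anchor and, if so, which
    CA subject the local store needs.  trusted_ca_subjects lists the subject
    DNs of the CA certificates the s_client side currently trusts."""
    issuer = info["chain"][0]["issuer"] if info["chain"] else None
    codes = {code for code, _ in info["verify_errors"]}
    result = {
        "issuer": issuer,
        "trusted": issuer in trusted_ca_subjects,
        "peer_advertises_issuer": issuer in info["acceptable_cas"],
        "chain_length": len(info["chain"]),
        "advice": [],
    }
    if info["return_code"] and info["return_code"][0] == 0:
        result["advice"].append("chain verified; trust is not the problem here")
        return result
    if not result["trusted"]:
        result["advice"].append(f"import the CA certificate with subject {issuer} "
                                "into the trust store used on this side")
    if 21 in codes and result["chain_length"] == 1:
        result["advice"].append("the server sent only its leaf certificate, so the "
                                "issuing CA cannot be learned from the handshake")
    if result["peer_advertises_issuer"]:
        result["advice"].append("the peer lists this CA among the ones it trusts, so "
                                "its certificate is available on the AD side to export")
    if info["protocol"] == "TLSv1":
        result["advice"].append("only TLSv1 was negotiated; review the protocol policy "
                                "on both ends once trust is fixed")
    return result


if __name__ == "__main__":
    parsed = parse_sclient(SAMPLE_SCLIENT)
    # Assumed local trust store: only the boingoqaca CA (constructed scenario).
    for line in diagnose(parsed, ["/DC=local/DC=boingoqa/CN=boingoqaca"])["advice"]:
        print("-", line)
```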

Re: [Freeipa-users] Creating password sync

2014-02-04 Thread Todd Maugh
trying to find a command to check that connection



From: Rich Megginson [rmegg...@redhat.com]
Sent: Tuesday, February 04, 2014 1:02 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: Creating password sync

On 02/04/2014 01:57 PM, Todd Maugh wrote:
I tested an SSL connection from my LDAP server to AD

Ok.  What about the ssl connection from the windows AD machine to your IdM ldap 
server?



Re: [Freeipa-users] Creating password sync

2014-02-04 Thread Todd Maugh
I would be so grateful for your notes as it looks like I'm most likely having a 
cert issue as well


I'm so damn close to having this thing working, (doesn't help to have your boss 
come by every 10 minutes)

I understand the changes concept now, if I can just get it to work

From: Steven Jones [steven.jo...@vuw.ac.nz]
Sent: Tuesday, February 04, 2014 2:11 PM
To: Todd Maugh; Rich Megginson; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: RE: Creating password sync

I am just doing this now and works fine for me.


The password has to be changed as there is no way to decrypt the password in 
AD and send that.  So the .msi you install on each AD server intercepts the 
password change while it's in plain text and sends it over to IPA, hence only 
changes.


I did have issues with certs, they were a pain in the ass to get right/trusted, 
looks like you might have a similar issue.


I had to work through Redhat support to get it right.


On a brighter note I did it on RHEL6.4 and upgraded the IPA servers to RHEL6.5 
and winsync and passsync still work fine.


I'll send you my notes.


You could use trusts but frankly trusting AD with all its swiss cheese security 
seems a bit too risky.


regards

Steven




[Freeipa-users] can't create winsync replication

2014-01-31 Thread Todd Maugh
Please help, I'm stuck trying to finish this winsync agreement.

[r...@se-idm-01.boingo.com slapd-BOINGO-COM]$ ipa-replica-manage connect 
--winsync --binddn cn=idm admin, cn=Users, dc=boingoqa, dc=local --bindpw 
*** --passsync  --cacert=/etc/openldap/cacerts/boingoqaCA.cer 
qatestdc2.boingoqa.local -v
Directory Manager password:

Added CA certificate /etc/openldap/cacerts/boingoqaCA.cer to certificate 
database for se-idm-01.boingo.com
ipa: INFO: AD Suffix is: DC=boingoqa,DC=local
The user for the Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=boingo,dc=com
Windows PassSync entry exists, not resetting password
ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
ipa: INFO: Replication Update in progress: FALSE: status: -11  - LDAP error: 
Connect error: start: 0: end: 0
ipa: INFO: Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
[se-idm-01.boingo.com] reports: Update failed! Status: [-11  - LDAP error: 
Connect error]
Failed to start replication

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] can't create winsync replication

2014-01-31 Thread Todd Maugh
RE:

I am not sure I was clear. It seems that you provided the LDAP trace for the 
ldapsearch commands you executed above. I was talking about the DS level logs 
for the replica management agreement establishment and the follow up 
replication.

Here is the log tailed while I deleted the replication agreement, restarted 
the dirsrv and tried to set up the replication agreement



[31/Jan/2014:19:07:37 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:12 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:13 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:25 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:10:01 +] slapi_ldap_bind - Error: could not send startTLS 
request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:51 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:54 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:00 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:12 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:36 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:12 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:13 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:24 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:57 +] NSMMReplicationPlugin - agmt_delete: begin
[31/Jan/2014:19:14:09 +] - slapd shutting down - signaling operation threads
[31/Jan/2014:19:14:09 +] - slapd shutting down - waiting for 30 threads to terminate
[31/Jan/2014:19:14:09 +] - slapd shutting down - closing down internal subsystems and plugins
[31/Jan/2014:19:14:09 +] - Waiting for 4 database threads to stop
[31/Jan/2014:19:14:09 +] - All database threads now stopped
[31/Jan/2014:19:14:09 +] - slapd stopped.
[31/Jan/2014:19:14:12 +] - 389-Directory/1.2.11.15 B2013.337.1530 starting up
[31/Jan/2014:19:14:12 +] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +] schema-compat-plugin - warning: no entries set up under cn=ng, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +] schema-compat-plugin - warning: no entries set up under ou=sudoers,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jan/2014:19:14:12 +] set_krb5_creds - Could not get initial credentials for principal [ldap/se-idm-01.boingo@boingo.com] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[31/Jan/2014:19:14:12 +] - Skipping CoS Definition cn=Password Policy,cn=accounts,dc=boingo,dc=com--no CoS Templates found, which should be added before the CoS Definition.
[31/Jan/2014:19:14:12 +] slapd_ldap_sasl_interactive_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found)) errno 0 (Success)
[31/Jan/2014:19:14:12 +] slapi_ldap_bind - Error: could not perform interactive bind for id [] mech [GSSAPI]: error -2 (Local error)
[31/Jan/2014:19:14:12 +] NSMMReplicationPlugin - agmt=cn=meTose-idm-02.boingo.com (se-idm-02:389): Replication bind with GSSAPI auth failed: LDAP error -2 (Local error) (SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/krb5cc_495' not found))
[31/Jan/2014:19:14:12 +] - slapd started.  Listening on All Interfaces port 389 for LDAP requests
[31/Jan/2014:19:14:12 +] - Listening on All Interfaces port 636 for LDAPS requests
[31/Jan/2014:19:14:12 +] - Listening on /var/run/slapd-BOINGO-COM.socket for LDAPI requests
[31/Jan/2014:19:14:16 +] NSMMReplicationPlugin - agmt=cn=meTose-idm-02.boingo.com (se-idm-02:389): Replication bind with GSSAPI auth resumed
[31/Jan/2014:19:15:18 +] - slapd shutting down - signaling operation threads
[31/Jan/2014:19:15:18 

Re: [Freeipa-users] cant create winsync reolication

2014-01-31 Thread Todd Maugh


[r...@se-idm-01.boingo.com cacerts]$ LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W
Enter LDAP Password:
dn: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: IDM ADMIN
givenName: IDMADMIN
distinguishedName: CN=IDM ADMIN,CN=Users,DC=boingoqa,DC=local
instanceType: 4
whenCreated: 20140128182537.0Z
whenChanged: 20140131014315.0Z
displayName: IDMADMIN
uSNCreated: 31968
memberOf: CN=Domain Controllers,CN=Users,DC=boingoqa,DC=local
memberOf: CN=Account Operators,CN=Builtin,DC=boingoqa,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=boingoqa,DC=local
uSNChanged: 38786
name: IDM ADMIN
objectGUID:: jai63JfDvUuOGcURntA7hg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130356008006093750
primaryGroupID: 513
objectSid:: AQUAAAUV0+/GU55mz3h0hQ48RwYAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: idmadmin
sAMAccountType: 805306368
userPrincipalName: idmadmin@boingoqa.local
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=boingoqa,DC=local
dSCorePropagationData: 20140129224024.0Z
dSCorePropagationData: 1601010100.0Z
lastLogonTimestamp: 130356060672110578



From: Rich Megginson [rmegg...@redhat.com]
Sent: Friday, January 31, 2014 12:39 PM
To: Todd Maugh; d...@redhat.com
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] cant create winsync reolication

On 01/31/2014 12:16 PM, Todd Maugh wrote:
RE:

I am not sure I was clear. It seems that you provided the LDAP trace for the 
ldapsearch commands you executed above. I was talking about the DS level logs 
for the replica management agreement establishment and the follow up 
replication.

here is the log tailed while I deleted the replication agreement, restarted the dirsrv and tried to set up the replication agreement

Note that 389 does not use /etc/openldap/cacerts - it uses 
/etc/dirsrv/slapd-YOUR-DOMAIN, so try this:

LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-YOUR-DOMAIN ldapsearch -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W




[31/Jan/2014:19:07:37 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:12 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:13 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:08:25 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:10:01 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:51 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:11:54 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:00 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:12 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:12:36 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:12 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:13 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:24 +] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) errno 0 (Success)
[31/Jan/2014:19:13:57 +] NSMMReplicationPlugin - agmt_delete: begin
[31/Jan/2014:19:14:09 +] - slapd shutting down - signaling operation threads
[31/Jan/2014:19:14:09 +] - slapd shutting down - waiting for 30 threads to terminate
[31/Jan/2014:19:14:09 +] - slapd shutting down - closing down internal subsystems and plugins
[31/Jan/2014:19:14:09 +] - Waiting for 4 database threads to stop
[31/Jan/2014:19:14:09 +] - All database threads now stopped
[31/Jan/2014:19:14:09 +] - slapd stopped.
[31/Jan/2014:19:14:12 +] - 389-Directory/1.2.11.15 B2013.337.1530 starting up
[31/Jan/2014:19:14:12 +] schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=boingo,dc=com
[31/Jan/2014:19:14:12 +] schema-compat-plugin - warning: no entries set up under cn=ng, cn

Re: [Freeipa-users] cant create winsync reolication

2014-01-31 Thread Todd Maugh
thank you for the reply. Here is the output of the first command. I'm going to run the second now and will reply with that as well
LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-BOINGO-COM/ ldapsearch -d 1 -LLLx -ZZ -H ldap://qatestdc2.boingoqa.local -b "cn=idm admin,cn=users,dc=boingoqa,dc=local" -D "cn=idm admin,cn=users,dc=boingoqa,dc=local" -W 'objectclass=*' dn
ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local)
ldap_create
ldap_url_parse_ext(ldap://qatestdc2.boingoqa.local:389/??base)
ldap_extended_operation_s
ldap_extended_operation
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP qatestdc2.boingoqa.local:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.194.55.48:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 31 bytes to sd 3
ldap_result ld 0x260a160 msgid 1
wait4msg ld 0x260a160 msgid 1 (infinite timeout)
wait4msg continue ld 0x260a160 msgid 1 all 1
** ld 0x260a160 Connections:
* host: qatestdc2.boingoqa.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 31 21:07:43 2014


** ld 0x260a160 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x260a160 request count 1 (abandoned 0)
** ld 0x260a160 Response Queue:
   Empty
  ld 0x260a160 response count 0
ldap_chkResponseList ld 0x260a160 msgid 1 all 1
ldap_chkResponseList returns ld 0x260a160 NULL
ldap_int_select
read1msg: ld 0x260a160 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
read1msg: ld 0x260a160 msgid 1 message type extended-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x260a160 0 new referrals
read1msg:  mark request completed, ld 0x260a160 msgid 1
request done: ld 0x260a160 msgid 1
res_errno: 0, res_error: , res_matched: 
ldap_free_request (origid 1, msgid 1)
ldap_parse_extended_result
ber_scanf fmt ({eAA) ber:
ber_scanf fmt (a) ber:
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (x) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
TLS: certdb config: configDir='/etc/dirsrv/slapd-BOINGO-COM/' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/dirsrv/slapd-BOINGO-COM/ prefix .
TLS: loaded CA certificate file /etc/ipa/ca.crt.
TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error -8179:Peer's Certificate issuer is not recognized..
TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 65 bytes to sd 3
ldap_result ld 0x260a160 msgid 2
wait4msg ld 0x260a160 msgid 2 (infinite timeout)
wait4msg continue ld 0x260a160 msgid 2 all 1
** ld 0x260a160 Connections:
* host: qatestdc2.boingoqa.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 31 21:07:50 2014


** ld 0x260a160 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x260a160 request count 1 (abandoned 0)
** ld 0x260a160 Response Queue:
   Empty
  ld 0x260a160 response count 0
ldap_chkResponseList ld 0x260a160 msgid 2 all 1
ldap_chkResponseList returns ld 0x260a160 NULL
ldap_int_select
read1msg: ld 0x260a160 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 16 contents:
read1msg: ld 0x260a160 msgid 2 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x260a160 0 new referrals
read1msg:  mark request completed, ld 0x260a160 msgid 2
request done: ld 0x260a160 msgid 2
res_errno: 0, res_error: , res_matched: 
ldap_free_request (origid 2, msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_search_ext
put_filter: objectclass=*
put_filter: default
put_simple_filter: objectclass=*
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 85 bytes to sd 3
ldap_result ld 0x260a160 msgid -1
wait4msg ld 0x260a160 msgid -1 (infinite timeout)
wait4msg continue ld 0x260a160 msgid -1 all 0
** ld 0x260a160 Connections:
* host: qatestdc2.boingoqa.local  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Jan 31 21:07:50 2014


** ld 0x260a160 Outstanding Requests:
 * msgid 3,  origid 3, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x260a160 request count 1 (abandoned 0)
** ld 0x260a160 Response Queue:
   Empty
  ld 0x260a160 response count 0
ldap_chkResponseList ld 0x260a160 msgid -1 all 0
ldap_chkResponseList returns ld 0x260a160 NULL
ldap_int_select
read1msg: ld 0x260a160 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 59 contents:
read1msg: ld 0x260a160 msgid 3 message type 

Re: [Freeipa-users] cant create winsync reolication

2014-01-31 Thread Todd Maugh
For the second Command I do not have an account called directory manager, so I 
do not have a password

ldapsearch -LLLx -b cn=config -D "cn=directory manager" -W 'objectclass=nsdswindowsreplicationagreement' dn
Enter LDAP Password:
ldap_bind: Invalid credentials (49)




Re: [Freeipa-users] cant create winsync reolication

2014-01-31 Thread Todd Maugh
I used the IPA directory manager password and got no output

[r...@se-idm-01.boingo.com cacerts]$ ldapsearch -LLLx -b cn=config -D "cn=directory manager" -W 'objectclass=nsdswindowsreplicationagreement' dn
Enter LDAP Password:





Re: [Freeipa-users] cant create winsync reolication

2014-01-31 Thread Todd Maugh
Ok that time i got output

[r...@se-idm-01.boingo.com slapd-BOINGO-COM]$ ldapsearch -LLLx -b cn=config -D "cn=directory manager" -W 'objectclass=nsds5replicationagreement'
Enter LDAP Password:
dn: cn=meTose-idm-02.boingo.com,cn=replica,cn=dc\3Dboingo\2Cdc\3Dcom,cn=mappin
 g tree,cn=config
cn: meTose-idm-02.boingo.com
objectClass: nsds5replicationagreement
objectClass: top
nsDS5ReplicaTransportInfo: LDAP
description: me to se-idm-02.boingo.com
nsDS5ReplicaRoot: dc=boingo,dc=com
nsDS5ReplicaHost: se-idm-02.boingo.com
nsds5replicaTimeout: 120
nsDS5ReplicaPort: 389
nsDS5ReplicatedAttributeList: (objectclass=*) $ EXCLUDE memberof idnssoaserial
  entryusn krblastsuccessfulauth krblastfailedauth krbloginfailedcount
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicatedAttributeListTotal: (objectclass=*) $ EXCLUDE entryusn krblasts
 uccessfulauth krblastfailedauth krbloginfailedcount
nsds50ruv: {replicageneration} 52e153690004
nsds50ruv: {replica 3 ldap://se-idm-02.boingo.com:389} 52e1537200010003 52
 ebf4230003
nsds50ruv: {replica 4 ldap://se-idm-01.boingo.com:389} 52e153d500020004 52
 ebf6280004
nsruvReplicaLastModified: {replica 3 ldap://se-idm-02.boingo.com:389} 
nsruvReplicaLastModified: {replica 4 ldap://se-idm-01.boingo.com:389} 
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20140131210414Z
nsds5replicaLastUpdateEnd: 20140131210414Z
nsds5replicaChangesSentSinceStartup:: NDozLzAg
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate succeeded
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] cant create winsync reolication

2014-01-31 Thread Todd Maugh

asked: Can you provide your /etc/openldap/ldap.conf?

answer:

/etc/openldap/ldap.conf
#File modified by ipa-client-install

URI ldaps://se-idm-01.boingo.com
BASE dc=boingo,dc=com
TLS_CACERT /etc/ipa/ca.crt
TLS_CACERTDIR /etc/openldap/cacerts/
TLS_REQCERT allow
ping

TLS: certificate [CN=QATESTDC2.boingoqa.local] is not valid - error -8179:Peer's Certificate issuer is not recognized..

This is saying QATESTDC2.boingoqa.local cannot be resolved - or the IP address 
does not match.

This is usually a problem, but perhaps you have set your ldap.conf to continue 
despite this problem?
PING qatestdc2.boingoqa.local (10.194.55.48) 56(84) bytes of data.
64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=1 ttl=124 time=0.559 ms
64 bytes from qatestdc2.boingoqa.local (10.194.55.48): icmp_seq=2 ttl=124 time=0.660 ms
^C
--- qatestdc2.boingoqa.local ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1070ms
rtt min/avg/max/mdev = 0.559/0.609/0.660/0.056 ms




TLS certificate verification: subject: CN=QATESTDC2.boingoqa.local, issuer: CN=SKYWARPCA,DC=boingoqa,DC=local, cipher: AES-128, security level: high, secret key bits: 128, total key bits: 128, cache hits: 0, cache misses: 0, cache not reusable: 0
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users