Re: [Freeipa-users] Fwd: Re: AD -- FreeIPA Password Sync --- Peer reports incompatible or unsupported protocol
Hi

I have completely changed the scenario and I managed to install freeipa-server 4.1 (somebody published the right repo for CentOS and it worked really well).

> Let me double check a couple of things. You wrote you installed PassSync on Windows 2013 (which could be a typo?) We support Windows Server 2008 R2 and 2012 R2. We also confirmed it works on Windows Server 2003 R2.

Yes, sorry, that was a typo.

So, starting again from scratch, new machine, the whole installation process went well, no issues there, but:

> FreeIPA is supposed to generate a PassSync user by running ipa-replica-manage --winsync --passsync=PASSSYNC_PWD. (See also man ipa-replica-manage.)

* I tried 5 times, the user was never created on the ipa server, I had to create it manually (I gave it admin permissions so it could create/delete/update users). Doing that, the password sync worked all right. We submit a password reset in AD and that propagated all right, tested and it worked fine.

* In one scenario I uninstalled freeipa (still kept the packages), installed again and something went wrong with the kerberos keys. After creating the AD -- LDAP certs and successfully syncing the passwords, I could read in /var/log/messages a password decryption issue (kerberos related) every time I tried to log in as any user. I have tried uninstalling freeipa and also uninstalling and removing the product completely and re-installing. It did not matter if I tried to rebuild the kerberos keys, the issue was always there, so I have to start afresh with a new box.

So.. that has been all so far

Thanks
Gonzalo

On 16/03/2015 20:05, Noriko Hosoi wrote:
> Hello, Gonzalo,
>
> Any progress on your Password Synchronization? Let me double check a couple of things. You wrote you installed PassSync on Windows 2013 (which could be a typo?) We support Windows Server 2008 R2 and 2012 R2. We also confirmed it works on Windows Server 2003 R2.
Re: [Freeipa-users] Fwd: Re: AD -- FreeIPA Password Sync --- Peer reports incompatible or unsupported protocol
On 03/19/2015 05:10 AM, Gonzalo Fernandez Ordas wrote:
> * In one scenario I uninstalled freeipa (still kept the packages), installed again and something went wrong with the kerberos keys. After creating the AD -- LDAP certs and successfully syncing the passwords, I could read in /var/log/messages a password decryption issue (kerberos related) every time I tried to log in as any user. I have tried uninstalling freeipa and also uninstalling and removing the product completely and re-installing. It did not matter if I tried to rebuild the kerberos keys, the issue was always there, so I have to start afresh with a new box.

Something is really messed up with the system. Do you have some kind of backup and restore running in the background? It seems that for some reason a kerberos (probably master) key was rewritten in some way.
Re: [Freeipa-users] Fwd: Re: AD -- FreeIPA Password Sync --- Peer reports incompatible or unsupported protocol
Hello, Gonzalo,

Any progress on your Password Synchronization? Let me double check a couple of things. You wrote you installed PassSync on Windows 2013 (which could be a typo?) We support Windows Server 2008 R2 and 2012 R2. We also confirmed it works on Windows Server 2003 R2.

On 03/13/2015 12:45 PM, g.fer.or...@unicyber.co.uk wrote:
> I got the Password Sync Tool installed in the Windows2013 box

You can find the doc on PassSync here.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#windows-pass-sync
The doc is on PassSync 1.1.5, but 1.1.6 remains intact except the default SSL version to connect to the 389 Directory Server (as we discussed before).

We had a discussion regarding the PassSync user you had to create:
  uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com

FreeIPA is supposed to generate a PassSync user by running ipa-replica-manage --winsync --passsync=PASSSYNC_PWD. (See also man ipa-replica-manage.)

There must be some problem, as FreeIPA creates its own Passsync user in cn=sysaccounts,cn=etc,SUFFIX and also sets its DN as passSyncManagersDNs in the ipa_pwd_extop plugin to avoid it creating expired passwords. So there is no need to create uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com manually.

Please see the above doc regarding the user creation.

  * The username of the system user which Active Directory uses to connect to the IdM machine. This account is configured automatically when sync is configured on the IdM server. The default account is uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com.
  * The password set in the --passsync option when the sync agreement was created.

I'm sending this response to freeipa-users to share the info and request for more suggestions.
Thanks,
--noriko

On 03/13/2015 02:48 PM, g.fer.or...@unicyber.co.uk wrote:
> I forgot to attach the search command now:
>
> # passsync, users, accounts, corp.company.com
> dn: uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
> cn: passsync
> displayName: passsync
> krbLastFailedAuth: 20150313211546Z
> krbLoginFailedCount: 1
> krbExtraData:: AALUUQNVcm9vdC9hZG1pbkBDT1JQLkhPT1RTVUlURU1FRElBLkNPTQA=
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=corp,dc=company,dc=com
> krbLastPwdChange: 20150313210836Z
> krbPasswordExpiration: 20150611210836Z
> mepManagedEntry: cn=passsync,cn=groups,cn=accounts,dc=corp,dc=company,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalperson
> objectClass: inetorgperson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> loginShell: /bin/bash
> gecos: pass sync
> sn: sync
> homeDirectory: /home/passsync
> uid: passsync
> mail: passs...@corp.company.com
> krbPrincipalName: passs...@corp.company.com
> givenName: pass
> initials: ps
> userPassword:: z= =
> ipaUniqueID: 1d76b14a-c9c5-11e4-93f4-12d2e19d1e3c
> uidNumber: 1481000829
> gidNumber: 1481000829
> krbPrincipalKey:: dfrerererer
>
> # search result
> search: 2
>
> On 2015-03-13 21:39, g.fer.or...@unicyber.co.uk wrote:
>> Hi
>>
>> I had to manually create the user!! For some reason I thought the sync Agreement task was also creating that entry for the DS!
>> So now I got:
>>
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=4 SRCH base=uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com scope=0 filter=(objectClass=*) attrs=telephoneNumber uid title loginShell uidNumber gidNumber sn homeDirectory mail ou givenName nsAccountLock
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=4 RESULT err=0 tag=101 nentries=1 etime=0
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=5 SRCH base=uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com scope=0 filter=(userPassword=*) attrs=userPassword
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=5 RESULT err=0 tag=101 nentries=1 etime=0
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=6 SRCH base=uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com scope=0 filter=(krbPrincipalKey=*) attrs=krbPrincipalKey
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=6 RESULT err=0 tag=101 nentries=1 etime=0
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=7 SRCH base=uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com scope=0 filter=(objectClass=*) attrs=ipaSshPubKey
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=7 RESULT err=0 tag=101 nentries=1 etime=0
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=8 UNBIND
>> [13/Mar/2015:14:27:30 -0700] conn=66 op=8 fd=103 closed - U1
>> [13/Mar/2015:14:27:33 -0700] conn=48 op=20 RESULT err=0 tag=101 nentries=828 etime=90 notes=U
>> [13/Mar/2015:14:27:33 -0700] conn=48 op=21 ABANDON targetop=NOTFOUND msgid=16
>> [13/Mar/2015:14:27:33 -0700] conn=48 op=22 SRCH base=cn=users,cn=accounts,dc=corp,dc=company,dc=com scope=0 filter=(objectClass=*) attrs=* aci
>> [13/Mar/2015:14:27:33 -0700] conn=48 op=22 RESULT err=0 tag=101 nentries=1 etime=0
>> [13/Mar/2015:14:27:33 -0700] conn=48 op=23 ABANDON
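As an added example (my code, not from the thread or from FreeIPA): a Python check that parses a PassSync bind account's LDIF and flags what Noriko's reply says the auto-created sysaccount should not have, namely a DN under the users container, a Kerberos principal, and admins group membership. The two sample entries and the {SSHA}placeholder hash are constructed; the expected DN assumes the thread's dc=corp,dc=company,dc=com suffix.

```python
import base64
import re

# Constructed sample entries (placeholder values, not real directory data): a
# hand-made PassSync user like the thread's, and the expected sysaccount.
MANUAL_ENTRY = """\
dn: uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
objectClass: person
objectClass: krbprincipalaux
memberOf: cn=admins,cn=groups,cn=accounts,dc=corp,dc=company,d
 c=com
krbPrincipalName: passsync@CORP.COMPANY.COM
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
"""
SYSACCOUNT_ENTRY = """\
dn: uid=passsync,cn=sysaccounts,cn=etc,dc=corp,dc=company,dc=com
objectClass: account
objectClass: simplesecurityobject
uid: passsync
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
"""
EXPECTED_DN = "uid=passsync,cn=sysaccounts,cn=etc,dc=corp,dc=company,dc=com"

def parse_ldif(text):
    """One LDIF entry -> {attr: [values]}; unfolds folded lines, decodes '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 line folding (as in mepManagedEntry above)
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, sep, value = re.match(r"([^:]+)(::?) ?(.*)", line).groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entry

def audit_passsync(entry):
    """Flag properties the PassSync bind account should not have."""
    findings = []
    dn = entry.get("dn", [""])[0].lower()
    if dn != EXPECTED_DN:
        findings.append("not the auto-created sysaccount: " + dn)
    if "krbprincipalname" in entry:
        findings.append("has a Kerberos principal; a sysaccount needs none")
    if any(g.lower().startswith("cn=admins,") for g in entry.get("memberof", [])):
        findings.append("member of the admins group")
    return findings
```

Feed it the output of an ldapsearch for the account (base64 values and folded lines are handled) and an empty findings list means the account matches the sysaccount FreeIPA would have created.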