Re: [Freeipa-users] Fwd: Re: AD -- FreeIPA Password Sync --- Peer reports incompatible or unsupported protocol

2015-03-19 Thread Gonzalo Fernandez Ordas

Hi

I have completely changed the scenario and I managed to install 
freeipa-server 4.1 (somebody published the right repo for CentOS and it 
worked really well)


--Let me double check a couple of things.  You wrote you installed 
PassSync on Windows 2013 (which could be a typo?)  We support Windows 
Server 2008 R2 and 2012 R2.  We also confirmed it works on Windows 
Server 2003 R2.


Yes, sorry, that was a typo.

So, starting again from scratch, new machine, the whole installation 
process went well, no issues there, but:


* FreeIPA is supposed to generate a PassSync user by running 
ipa-replica-manage --winsync --passsync=PASSSYNC_PWD. (See also man 
ipa-replica-manage).


I tried 5 times; the user was never created on the IPA server, so I had to 
create it manually (I gave it admin permissions so it could 
create/delete/update users).
Doing that, the password sync worked all right. We submitted a password 
reset in AD and that propagated all right; tested and it worked fine.

* In one scenario I uninstalled FreeIPA (still kept the packages), 
installed again and something went wrong with the Kerberos keys.
After creating the AD -- LDAP certs and successfully syncing the 
passwords, I could read in /var/log/messages a password decryption 
issue (Kerberos related) every time I tried to log in as any user.
I have tried uninstalling FreeIPA and also removing the 
product completely and re-installing. It did not matter if I tried to 
rebuild the Kerberos keys, the issue was always there, so I had to 
start afresh with a new box.


So.. that has been all so far

Thanks

Gonzalo



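The account question in this thread (a PassSync bind user created by hand under cn=users and given admin rights, as opposed to the system account FreeIPA generates when the agreement is created with ipa-replica-manage connect --winsync --passsync) can be checked from an ldapsearch dump. The script below is an added example, not code from the thread or from FreeIPA: it reads LDIF, looks up the bind DN and the cn=ipa_pwd_extop,cn=plugins,cn=config entry, and reports each way the account differs from the generated one. SAMPLE_LDIF is constructed for the example: the cn=users entry follows the one posted in the thread with binary values elided and the cn=admins membership the poster described, while the sysaccount and plugin entries show the expected state. The plugin entry DN is derived from the plugin name mentioned in the thread.

```python
"""Check a PassSync bind account against what FreeIPA sets up itself when
the sync agreement is created with ipa-replica-manage connect --winsync
--passsync: a system account uid=passsync,cn=sysaccounts,cn=etc,SUFFIX
whose DN is listed in passSyncManagersDNs on the ipa_pwd_extop plugin
entry, so that the passwords it writes are not treated as expired.

Added example for this thread, not FreeIPA code. SAMPLE_LDIF is
constructed (see the lead-in); the plugin DN is an assumption based on
the plugin name used in the thread.
"""

import base64
import re

SUFFIX = "dc=corp,dc=company,dc=com"
PLUGIN_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"   # assumed config entry

SAMPLE_LDIF = """\
dn: uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
uid: passsync
cn: passsync
objectClass: inetorgperson
objectClass: posixaccount
objectClass: krbprincipalaux
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=corp,dc=company,dc=com
memberOf: cn=admins,cn=groups,cn=accounts,dc=corp,dc=company,dc=com
krbPrincipalName: passsync@CORP.COMPANY.COM
krbPasswordExpiration: 20150611210836Z
userPassword:: e1NTSEF9ZWxpZGVk

dn: uid=passsync,cn=sysaccounts,cn=etc,dc=corp,dc=company,dc=com
uid: passsync
objectClass: account
objectClass: simplesecurityobject
userPassword:: e1NTSEF9ZWxpZGVk

dn: cn=ipa_pwd_extop,cn=plugins,cn=config
cn: ipa_pwd_extop
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=corp,dc=company,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr_lower: [values]}}. Unfolds continuation
    lines, decodes '::' base64 values and skips '#' comment lines."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):
                try:
                    value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
                except ValueError:
                    value = value[1:].strip()   # keep a garbled value as-is
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            entries[dn] = attrs
    return entries


def norm_dn(dn):
    """Case-fold and strip spaces around RDN separators for comparison."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def find_entry(entries, dn):
    target = norm_dn(dn)
    return next((a for d, a in entries.items() if norm_dn(d) == target), None)


def audit_passsync(entries, bind_dn, suffix=SUFFIX):
    """Return findings for the DN PassSync binds with; an empty list means it
    matches the account ipa-replica-manage generates."""
    entry = find_entry(entries, bind_dn)
    if entry is None:
        return [f"{bind_dn}: entry does not exist"]
    findings = []
    bind = norm_dn(bind_dn)
    parent = bind.partition(",")[2]
    if parent == norm_dn(f"cn=users,cn=accounts,{suffix}"):
        findings.append("regular user under cn=users,cn=accounts; FreeIPA creates "
                        "the PassSync account under cn=sysaccounts,cn=etc")
    elif parent != norm_dn(f"cn=sysaccounts,cn=etc,{suffix}"):
        findings.append(f"unexpected parent {parent}; expected cn=sysaccounts,cn=etc,{suffix}")
    if "krbprincipalname" in entry or "krbprincipalkey" in entry:
        findings.append("has a Kerberos principal; the generated sysaccount is LDAP-bind only")
    if "krbpasswordexpiration" in entry:
        findings.append(f"krbPasswordExpiration is set ({entry['krbpasswordexpiration'][0]}); "
                        "a sysaccount has no such expiry")
    admins = norm_dn(f"cn=admins,cn=groups,cn=accounts,{suffix}")
    if any(norm_dn(g) == admins for g in entry.get("memberof", [])):
        findings.append("member of cn=admins; PassSync only needs to write password attributes")
    plugin = find_entry(entries, PLUGIN_DN) or {}
    managers = {norm_dn(v) for v in plugin.get("passsyncmanagersdns", [])}
    if bind not in managers:
        findings.append("not listed in passSyncManagersDNs on cn=ipa_pwd_extop; "
                        "passwords it sets will be treated as expired")
    return findings


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for dn in ("uid=passsync,cn=users,cn=accounts," + SUFFIX,
               "uid=passsync,cn=sysaccounts,cn=etc," + SUFFIX):
        print(dn)
        for f in audit_passsync(entries, dn) or ["ok"]:
            print("  -", f)
```

To use it on a real server, concatenate the ldapsearch output for the bind DN with the output for cn=ipa_pwd_extop,cn=plugins,cn=config (the plugin entry lives under cn=config, so that search needs Directory Manager or an equivalent bind) and pass the text to parse_ldif before calling audit_passsync with the DN configured in the PassSync service.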
Re: [Freeipa-users] Fwd: Re: AD -- FreeIPA Password Sync --- Peer reports incompatible or unsupported protocol

2015-03-19 Thread Dmitri Pal

On 03/19/2015 05:10 AM, Gonzalo Fernandez Ordas wrote:

Hi

I have completely changed the scenario and I managed to install 
freeipa-server 4.1 (somebody published the right repo for CentOS and it 
worked really well)


--Let me double check a couple of things.  You wrote you installed 
PassSync on Windows 2013 (which could be a typo?)  We support Windows 
Server 2008 R2 and 2012 R2.  We also confirmed it works on Windows 
Server 2003 R2.


Yes, sorry, that was a typo.

So, starting again from scratch, new machine, the whole installation 
process went well, no issues there, but:


* FreeIPA is supposed to generate a PassSync user by running 
ipa-replica-manage --winsync --passsync=PASSSYNC_PWD. (See also 
man ipa-replica-manage).


I tried 5 times; the user was never created on the IPA server, so I had 
to create it manually (I gave it admin permissions so it could 
create/delete/update users).
Doing that, the password sync worked all right. We submitted a password 
reset in AD and that propagated all right; tested and it worked fine.

* In one scenario I uninstalled FreeIPA (still kept the packages), 
installed again and something went wrong with the Kerberos keys.
After creating the AD -- LDAP certs and successfully syncing the 
passwords, I could read in /var/log/messages a password decryption 
issue (Kerberos related) every time I tried to log in as any user.
I have tried uninstalling FreeIPA and also removing the 
product completely and re-installing. It did not matter if I tried to 
rebuild the Kerberos keys, the issue was always there, so I had to 
start afresh with a new box.




Something is really messed up with the system.
Do you have some kind of backup and restore running in the background?
It seems that for some reason a kerberos (probably master) key was 
rewritten in some way.




So.. that has been all so far

Thanks

Gonzalo



Re: [Freeipa-users] Fwd: Re: AD -- FreeIPA Password Sync --- Peer reports incompatible or unsupported protocol

2015-03-16 Thread Noriko Hosoi

Hello, Gonzalo,

Any progress on your Password Synchronization?

Let me double check a couple of things.  You wrote you installed 
PassSync on Windows 2013 (which could be a typo?)  We support Windows 
Server 2008 R2 and 2012 R2.  We also confirmed it works on Windows 
Server 2003 R2.



On 03/13/2015 12:45 PM,g.fer.or...@unicyber.co.uk  wrote:

I got the Password Sync Tool installed in the Windows2013 box


You can find the doc on PassSync here.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#windows-pass-sync

The doc is on PassSync 1.1.5, but 1.1.6 remains intact except the 
default SSL version to connect to the 389 Directory Server (as we 
discussed before).


We had a discussion regarding the PassSync user you had to create:

uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com

FreeIPA is supposed to generate a PassSync user by running 
ipa-replica-manage --winsync --passsync=PASSSYNC_PWD. (See also man 
ipa-replica-manage).



there must be some problem, as FreeIPA
creates its own PassSync user in cn=sysaccounts,cn=etc,SUFFIX and also sets its DN
as passSyncManagersDNs in the ipa_pwd_extop plugin to avoid it creating expired
passwords. So there is no need to create
uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com manually.


Please see the above doc regarding the user creation.

 * The username of the system user which Active Directory uses to
   connect to the IdM machine. This account is configured automatically
   when sync is configured on the IdM server. The default account is
   uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com.
 * The password set in the --passsync option when the sync agreement
   was created.

I'm sending this response to freeipa-users to share the info and request 
for more suggestions.


Thanks,
--noriko

On 03/13/2015 02:48 PM, g.fer.or...@unicyber.co.uk wrote:

I forgot to attach the search command now:
# passsync, users, accounts, corp.company.com
dn: uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com
cn: passsync
displayName: passsync
krbLastFailedAuth: 20150313211546Z
krbLoginFailedCount: 1
krbExtraData:: AALUUQNVcm9vdC9hZG1pbkBDT1JQLkhPT1RTVUlURU1FRElBLkNPTQA=
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=corp,dc=company,dc=com
krbLastPwdChange: 20150313210836Z
krbPasswordExpiration: 20150611210836Z
mepManagedEntry: cn=passsync,cn=groups,cn=accounts,dc=corp,dc=company,d
 c=com
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/bash
gecos: pass sync
sn: sync
homeDirectory: /home/passsync
uid: passsync
mail: passs...@corp.company.com
krbPrincipalName: passs...@corp.company.com
givenName: pass
initials: ps
userPassword:: z=
 =
ipaUniqueID: 1d76b14a-c9c5-11e4-93f4-12d2e19d1e3c
uidNumber: 1481000829
gidNumber: 1481000829
krbPrincipalKey:: dfrerererer

# search result
search: 2


On 2015-03-13 21:39, g.fer.or...@unicyber.co.uk wrote:

Hi

I had to manually create the user!! For some reason I thought the sync
agreement task was also creating that entry for the DS!

So now I got:

[13/Mar/2015:14:27:30 -0700] conn=66 op=4 SRCH base=uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com scope=0 filter=(objectClass=*) attrs=telephoneNumber uid title loginShell uidNumber gidNumber sn homeDirectory mail ou givenName nsAccountLock
[13/Mar/2015:14:27:30 -0700] conn=66 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=5 SRCH base=uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com scope=0 filter=(userPassword=*) attrs=userPassword
[13/Mar/2015:14:27:30 -0700] conn=66 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=6 SRCH base=uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com scope=0 filter=(krbPrincipalKey=*) attrs=krbPrincipalKey
[13/Mar/2015:14:27:30 -0700] conn=66 op=6 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=7 SRCH base=uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com scope=0 filter=(objectClass=*) attrs=ipaSshPubKey
[13/Mar/2015:14:27:30 -0700] conn=66 op=7 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=8 UNBIND
[13/Mar/2015:14:27:30 -0700] conn=66 op=8 fd=103 closed - U1
[13/Mar/2015:14:27:33 -0700] conn=48 op=20 RESULT err=0 tag=101 nentries=828 etime=90 notes=U
[13/Mar/2015:14:27:33 -0700] conn=48 op=21 ABANDON targetop=NOTFOUND msgid=16

[13/Mar/2015:14:27:33 -0700] conn=48 op=22 SRCH base=cn=users,cn=accounts,dc=corp,dc=company,dc=com scope=0 filter=(objectClass=*) attrs=* aci
[13/Mar/2015:14:27:33 -0700] conn=48 op=22 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:14:27:33 -0700] conn=48 op=23 ABANDON
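The access-log excerpt above can be read mechanically. The script below is an added example, not code from the thread or from 389 Directory Server: it pairs each request line with the RESULT line carrying the same conn/op and flags reads of password material (userPassword, krbPrincipalKey), searches that ask for all attributes, unindexed searches (notes=U, like the 828-entry search above) and non-zero err codes. SAMPLE_LOG is constructed after the posted lines: the double-quoted field form is how 389-ds writes base, filter and attrs, the last SRCH keeps the unquoted form as it appears in the post, and the conn=70 BIND with err=49 (invalid credentials) is added to exercise the failure path.

```python
"""Correlate 389 Directory Server access-log lines into per-operation
records and report what a PassSync reviewer should look at: reads of
password-bearing attributes, all-attribute searches, unindexed searches
(notes=U) and non-zero result codes.

Added example for this thread; not code from the thread or from 389-ds.
SAMPLE_LOG is constructed after the posted snippet (see the lead-in).
"""

import re

SENSITIVE_ATTRS = {"userpassword", "krbprincipalkey", "passwordhistory"}

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$")
# base/filter/attrs are quoted by 389-ds; the quotes are optional here so the
# unquoted lines as posted in the thread parse too.
SRCH_RE = re.compile(r'base="?(.*?)"? scope=(\d+) filter="?(.*?)"? attrs="?(.*?)"?$')
KV_RE = re.compile(r"(\w+)=(\S+)")

SAMPLE_LOG = """\
[13/Mar/2015:14:27:30 -0700] conn=66 op=4 SRCH base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=0 filter="(objectClass=*)" attrs="telephoneNumber uid title loginShell uidNumber gidNumber sn homeDirectory mail ou givenName nsAccountLock"
[13/Mar/2015:14:27:30 -0700] conn=66 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=5 SRCH base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=0 filter="(userPassword=*)" attrs="userPassword"
[13/Mar/2015:14:27:30 -0700] conn=66 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=6 SRCH base="uid=passsync,cn=users,cn=accounts,dc=corp,dc=company,dc=com" scope=0 filter="(krbPrincipalKey=*)" attrs="krbPrincipalKey"
[13/Mar/2015:14:27:30 -0700] conn=66 op=6 RESULT err=0 tag=101 nentries=1 etime=0
[13/Mar/2015:14:27:30 -0700] conn=66 op=8 UNBIND
[13/Mar/2015:14:27:33 -0700] conn=48 op=20 RESULT err=0 tag=101 nentries=828 etime=90 notes=U
[13/Mar/2015:14:27:40 -0700] conn=70 op=0 BIND dn="uid=passsync,cn=sysaccounts,cn=etc,dc=corp,dc=company,dc=com" method=128 version=3
[13/Mar/2015:14:27:40 -0700] conn=70 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[13/Mar/2015:14:27:33 -0700] conn=48 op=22 SRCH base=cn=users,cn=accounts,dc=corp,dc=company,dc=com scope=0 filter=(objectClass=*) attrs=* aci
[13/Mar/2015:14:27:33 -0700] conn=48 op=22 RESULT err=0 tag=101 nentries=1 etime=0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None for lines that carry no
    conn/op pair (connection open lines, for instance)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "conn": int(m["conn"]), "op": int(m["op"])}
    kind, _, args = m["rest"].partition(" ")
    rec["kind"] = kind
    if kind == "SRCH":
        s = SRCH_RE.search(args)
        if s:
            rec["base"], rec["scope"], rec["filter"] = s[1], int(s[2]), s[3]
            attrs = s[4].strip()
            # attrs=ALL (or nothing) means every user attribute; record it as "*"
            rec["attrs"] = ["*"] if attrs in ("", "ALL") else attrs.split()
    elif kind == "RESULT":
        rec.update(dict(KV_RE.findall(args)))   # err, tag, nentries, etime, notes
    return rec


def correlate(lines):
    """Join each request with the RESULT line for the same (conn, op), keeping
    request order. A RESULT whose request was not in the excerpt (the thread's
    conn=48 op=20) is kept with kind '?' so its notes/err are still reviewed."""
    ops, order = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec["op"])
        if rec["kind"] == "RESULT":
            if key not in ops:
                ops[key] = {"conn": rec["conn"], "op": rec["op"], "kind": "?"}
                order.append(key)
            ops[key].update({k: v for k, v in rec.items() if k not in ("kind", "ts")})
        else:
            ops[key] = rec
            order.append(key)
    return [ops[k] for k in order]


def review(ops):
    """Return human-readable findings for the correlated operations."""
    findings = []
    for o in ops:
        tag = f"conn={o['conn']} op={o['op']} {o['kind']}"
        if o["kind"] == "SRCH":
            wanted = {a.lower() for a in o.get("attrs", [])}
            flt = o.get("filter", "").lower()
            touched = sorted(a for a in SENSITIVE_ATTRS if a in wanted or f"({a}=" in flt)
            if touched:
                findings.append(f"{tag}: touches password material {touched} under {o.get('base')}")
            elif "*" in wanted:
                findings.append(f"{tag}: asks for all attributes under {o.get('base')}; "
                                "check what the bind DN may read")
        if "U" in o.get("notes", ""):
            findings.append(f"{tag}: unindexed search, {o.get('nentries')} entries, etime={o.get('etime')}")
        if o.get("err", "0") != "0":
            findings.append(f"{tag}: failed with err={o['err']}")
    return findings


if __name__ == "__main__":
    for finding in review(correlate(SAMPLE_LOG.splitlines())):
        print(finding)
```

Point it at /var/log/dirsrv/slapd-INSTANCE/access (one line per record; the mail wrapping in the post is not present in the file) and filter the findings by the conn number the PassSync bind arrived on to see exactly what that account touched.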