Re: [Freeipa-users] Insufficient access during winsync agreement

2011-06-21 Thread Attila Bogár

On 20/06/11 16:37, Attila Bogár wrote:
> I'm trying to set up the AD-FreeIPA sync agreement and I'm always
> getting this error:
> # ipa-replica-manage connect --winsync --binddn cn=IPA
> Sync,cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 --cacert
> /root/dc1.cer --passsync JamesBond007 dc1.win.example.com -v

This is solved now. The Directory Manager password was missing from the
command line (-p).
The admin user's privileges via Kerberos are insufficient to set up a
replica agreement, as I see.

Could you please add this to the documentation example in the docs; I
think upcoming users would appreciate this.

http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server

Thanks,
  Attila

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Insufficient access during winsync agreement

2011-06-21 Thread Simo Sorce
On Tue, 2011-06-21 at 10:01 +0100, Attila Bogár wrote:
> On 20/06/11 16:37, Attila Bogár wrote:
>> I'm trying to set up the AD-FreeIPA sync agreement and I'm always
>> getting this error:
>> # ipa-replica-manage connect --winsync --binddn cn=IPA
>> Sync,cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007
>> --cacert /root/dc1.cer --passsync JamesBond007 dc1.win.example.com
>> -v
>
> This is solved now. The Directory Manager password was missing from the
> command line (-p).
> The admin user's privileges via Kerberos are insufficient to set up a
> replica agreement, as I see.
>
> Could you please add this to the documentation example in the docs; I
> think upcoming users would appreciate this.
>
> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#sect-Enterprise_Identity_Management_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Setting_up_Windows_Sync_on_the_IPA_Server

If the command didn't give you an error, it is a bug; can you please open
a ticket?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

[Freeipa-users] Insufficient access during winsync agreement

2011-06-20 Thread Attila Bogár

Hi,

I'm trying to set up the AD-FreeIPA sync agreement and I'm always 
getting this error:


# ipa-replica-manage connect --winsync --binddn cn=IPA 
Sync,cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 --cacert 
/root/dc1.cer --passsync JamesBond007 dc1.win.example.com -v


Added CA certificate /root/dc1.cer to certificate database for 
ipa1.example.com

ipa: INFO: AD Suffix is: DC=win,DC=example,DC=com
*Insufficient access*

Where does this insufficient access come from?
Can you please provide some guidance with this issue?


The IPA Sync user on the AD side has Domain Admins, Enterprise Admins and
Schema Admins group memberships.

I'm able to query the AD using ldapsearch, binding with the
credentials, and I also have an admin Kerberos ticket.

On the other hand, the documentation in the FreeIPA enterprise guide is
rather succinct than adequate, as it doesn't provide at least one working
example.

I've read all the corresponding documentation and it's still unclear
what password I have to specify with --passsync to
ipa-replica-manage.

the password for the Windows PassSync user, and a required argument to
ipa-replica-manage when creating winsync agreements.  I can't see any
documentation mentioning that a PassSync user has to be (or is being) created
in the AD.
The bindpw already gives read/write permission to the AD tree, so I'm
wondering why this --passsync is required.

It's rather annoying to set up the PassSync on the Windows side.
The only documentation for this (what FreeIPA refers to) I can see is:
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html

However, cn=sync,cn=config on the screenshot for the user name is
misleading, as only the full DN was working for us.  I assume that instead of
ou=People,dc=example,dc=com, cn=user,cn=accounts,dc=example,dc=com has to
be substituted (or does it have to be cn=compat?)


Thanks for any help in advance,
  Attila

Re: [Freeipa-users] Insufficient access during winsync agreement

2011-06-20 Thread Rich Megginson

On 06/20/2011 09:37 AM, Attila Bogár wrote:

> Hi,
>
> I'm trying to set up the AD-FreeIPA sync agreement and I'm always
> getting this error:
>
> # ipa-replica-manage connect --winsync --binddn cn=IPA
> Sync,cn=Users,dc=win,dc=example,dc=com --bindpw JamesBond007 --cacert
> /root/dc1.cer --passsync JamesBond007 dc1.win.example.com -v
>
> Added CA certificate /root/dc1.cer to certificate database for
> ipa1.example.com
>
> ipa: INFO: AD Suffix is: DC=win,DC=example,DC=com
> *Insufficient access*
>
> Where does this insufficient access come from?
> Can you please provide some guidance with this issue?

Not sure. First check the directory server access log - look for err=50
around the time of your command - /var/log/dirsrv/slapd-YOUR-INSTANCE/access

> The IPA Sync user on the AD side has Domain Admins, Enterprise Admins and
> Schema Admins group memberships.
>
> I'm able to query the AD using ldapsearch, binding with the
> credentials, and I also have an admin Kerberos ticket.
>
> On the other hand, the documentation in the FreeIPA enterprise guide is
> rather succinct than adequate, as it doesn't provide at least one
> working example.
>
> I've read all the corresponding documentation and it's still unclear
> what password I have to specify with --passsync to
> ipa-replica-manage.
>
> the password for the Windows PassSync user, and a required argument
> to ipa-replica-manage when creating winsync agreements.  I can't
> see any documentation mentioning that a PassSync user has to be (or is
> being) created in the AD.
> The bindpw already gives read/write permission to the AD tree, so I'm
> wondering why this --passsync is required.
>
> It's rather annoying to set up the PassSync on the Windows side.
> The only documentation for this (what FreeIPA refers to) I can see is:
> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
>
> However, cn=sync,cn=config on the screenshot for the user name is
> misleading, as only the full DN was working for us.  I assume that instead of
> ou=People,dc=example,dc=com, cn=user,cn=accounts,dc=example,dc=com has
> to be substituted (or does it have to be cn=compat?)
>
> Thanks for any help in advance,
>   Attila

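
An added example of the check Rich suggests, written for this page and not part of the thread or of FreeIPA: it scans a 389 Directory Server access log for err=50 (insufficient access) results and pairs each one with the DN that was bound on that connection and the operation that was refused, which is exactly what distinguishes "admin over GSSAPI" from "Directory Manager" in a case like this one. The log excerpt, host names, DNs and the five-minute search window are all constructed for the example.

```python
import re
from datetime import datetime, timedelta
# Constructed 389 Directory Server access-log excerpt (not from the thread): the admin
# binds via GSSAPI and its ADD of an agreement entry under cn=config fails with err=50;
# Directory Manager then performs the same ADD successfully. Hosts and DNs are made up.
SAMPLE_LOG = """\
[20/Jun/2011:16:37:01 +0100] conn=12 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[20/Jun/2011:16:37:01 +0100] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=admin,cn=users,cn=accounts,dc=example,dc=com"
[20/Jun/2011:16:37:02 +0100] conn=12 op=1 ADD dn="cn=meTodc1.win.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config"
[20/Jun/2011:16:37:02 +0100] conn=12 op=1 RESULT err=50 tag=105 nentries=0 etime=0
[20/Jun/2011:16:41:10 +0100] conn=13 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[20/Jun/2011:16:41:10 +0100] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[20/Jun/2011:16:41:11 +0100] conn=13 op=1 ADD dn="cn=meTodc1.win.example.com,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dcom,cn=mapping tree,cn=config"
[20/Jun/2011:16:41:11 +0100] conn=13 op=1 RESULT err=0 tag=105 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$')
DN_RE = re.compile(r'dn="((?:[^"\\]|\\.)*)"')   # DN with \XX escapes, as 389-ds logs it
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
def parse_ts(text):
    return datetime.strptime(text, TS_FMT)

def find_insufficient_access(log_text, around=None, window=timedelta(minutes=5)):
    # Pair each err=50 RESULT with the DN bound on its connection and the refused op;
    # with `around`, keep only results within +/- window of that time.
    bound, ops, hits = {}, {}, []   # conn -> DN; (conn, op) -> (verb, target DN); findings
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("op") is None:      # connection open/close lines carry no op
            continue
        conn, op, rest = m.group("conn"), m.group("op"), m.group("rest")
        verb, dn = rest.split()[0], DN_RE.search(rest)
        if verb != "RESULT":
            ops[(conn, op)] = (verb, dn.group(1) if dn else "")
            if verb == "BIND" and dn and dn.group(1):   # simple bind: DN is on the BIND line
                bound[conn] = dn.group(1)
            continue
        err = int(re.search(r"err=(\d+)", rest).group(1))
        kind, target = ops.get((conn, op), ("?", ""))
        if kind == "BIND" and err == 0 and dn:          # SASL/GSSAPI: DN only on the RESULT
            bound[conn] = dn.group(1)
        if err == 50 and (around is None or abs(parse_ts(m.group("ts")) - around) <= window):
            hits.append({"time": m.group("ts"), "conn": conn, "op": kind, "target": target,
                         "bound_dn": bound.get(conn, "(anonymous)")})
    return hits

if __name__ == "__main__":
    for h in find_insufficient_access(SAMPLE_LOG):
        print(f'[{h["time"]}] conn={h["conn"]}: {h["op"]} "{h["target"]}" refused (err=50) for {h["bound_dn"]}')
```

On a real server, read `/var/log/dirsrv/slapd-YOUR-INSTANCE/access` into `log_text` and pass the time of the failed ipa-replica-manage run as `around`.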