Re: [Freeipa-users] EXTERNAL: Re: Syncing with AD

2013-05-14 Thread Joseph, Matthew (EXP)
Hey James,

Like I said the IPA user has read access at the domain level.
He is also a member of the domain users group.

I don't know why it's only working if you have him part of the administrator 
group.

What does it say in the passync log on the AD server?

I tried to do the uni-directional sync but it never worked for me the way it 
was intended and I just stumbled on giving the user only read access to the 
domain.

Matt

From: James A [mailto:ja...@atia.se]
Sent: Tuesday, May 14, 2013 10:42 AM
To: Joseph, Matthew (EXP)
Cc: Chris Hudson; freeipa-users@redhat.com
Subject: EXTERNAL: Re: Syncing with AD



On Tue, May 14, 2013 at 3:30 PM, Joseph, Matthew (EXP) 
matthew.jos...@lmco.com wrote:
Hey James,

I configured my IPA server with winsync and I was in the same boat as you.

The IPA user that is created for Active Directory does not require write access 
to AD.
My IPA user only has read permissions to the domain and my passwords sync just 
fine. When I delete a user from IPA it does not delete it from AD.



Thanks; good to know that there is a way to do this.  I really don't see where 
I am going wrong.  The user I use for synching will only work if I put it in 
the administrator group.  And when I do, I have a two way synch - if I remove 
an account on the IPA server, it disappears also in the AD - even though I 
did:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync

Do you by any chance have the specifics (permissions, groups etc.) of your user 
(in the AD) you use for synch'ing?

thanks

/J





Matt

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Chris Hudson
Sent: Tuesday, May 14, 2013 10:13 AM
To: James A
Cc: freeipa-users@redhat.com
Subject: EXTERNAL: Re: [Freeipa-users] Syncing with AD


Hello all,

I have been playing with trying to set up synchronization between Windows AD 
-- IPA following the instructions at
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

A few questions arise:

1.) The documentation (specifically on 
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html, 
under table 9.2) talks about options to the ipa-replica-manage connect 
command. Among others, --bindpw and --passsync. With --binddn we specify the 
full user DN of the synchronization identity (and its password with --bindpw) 
... but I fail to understand which user's password should be used for 
--passsync?? Is it the same user?

The --passsync password is the password that you *will* use for the 
passsync user should you install the password synchronization package on your 
AD controllers. You are essentially setting this password preemptively.

2.) The documentation says that the synchronization identity (see also above) 
must exist in the AD domain and must have replicator, read, search and write 
permissions on the AD subtree. What I am trying to do is create a one way sync 
from AD -> IPA and I would really like to avoid using a user (for synching) 
that has write permissions (in the AD). All my tries in setting up 
synchronization fail unless I add the synch-user to the group 
Administrators. I have tried (and failed) using account admins etc. Any 
pointers here would be great. Sorry for my ignorance when it comes to Windows. 
I am sure I am missing something obvious.

Someone else can probably comment on this, but the IPA server will need to bind 
to the AD controller and pull the necessary information from the 
directory... which makes these rights a necessity.

3.) I follow the instructions under 9.4.5 
(https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html#unidirectional-sync) 
to set up uni-directional sync (only AD -> IPA), and yet, when I go to remove 
an account in IPA it gets removed also in the AD. (This I really want to 
avoid, thus the need for a read-only user to do the synchronization - see 
question 2.)

I do not recall IPA ever removing users from AD. From what I remember, only 
certain attributes were bi-directional and deletes were not performed on AD. 
Has this changed?


All in all I think the FreeIPA project is amazing and it really gives us in the 
Linux community something we haven't had before.   If I can iron out the 
problems above I am sure it will become a great tool for me and my client.

Any input would be most appreciated.

Thanks

//James.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] EXTERNAL: Re: Syncing with AD

2013-05-14 Thread Joseph, Matthew (EXP)
Hey James,

One more thing, what are the values in the registry for your password sync 
application?
The default option for the User Name Field was wrong. It was set to userid (or 
something similar to that) when it should have been uid. I don't think that's 
your problem but who knows what else might be wrong.

Also is your IPA sync user in the same OU as your normal users?

Matt


Re: [Freeipa-users] EXTERNAL: Re: Syncing with AD

2013-05-14 Thread James A
On Tue, May 14, 2013 at 3:56 PM, Joseph, Matthew (EXP) 
matthew.jos...@lmco.com wrote:

> Hey James,
>
> One more thing, what are the values in the registry for your password sync
> application
>
> The default option for the User Name Field was wrong. It was set to userid
> (or something similar to that) when it should have been uid. I don't think
> that's your problem but who knows what else might be wrong.

uuuhh registry? I am not sure exactly what you mean by this?  I need to
change some registry setting on the AD server?

> Also is your IPA sync user in the same OU as your normal users?

Yes ...



Re: [Freeipa-users] EXTERNAL: Re: Syncing with AD

2013-05-14 Thread James A
Hello again,  :-)

On Tue, May 14, 2013 at 3:49 PM, Joseph, Matthew (EXP) 
matthew.jos...@lmco.com wrote:

> Hey James,
>
> Like I said the IPA user has read access at the domain level.
> He is also a member of the domain users group.

...I am by no means a Windows person but I am pretty sure this is what my
user is like as well.

> I don't know why it's only working if you have him part of the
> administrator group.
>
> What does it say in the passync log on the AD server?

uhmmm... I haven't gotten to the passync stuff yet ...  but where would I
find that log?

> I tried to do the uni-directional sync but it never worked for me the way
> it was intended and I just stumbled on giving the user only read access to
> the domain.

Exactly what I would like. I really wonder what differs in our setups!




 


Re: [Freeipa-users] EXTERNAL: Re: Syncing with AD

2013-05-14 Thread Joseph, Matthew (EXP)
On the AD server open up regedit (start -> run -> regedit) and go to 
HKEY_LOCAL_MACHINE -> Software -> PasswordSync and just copy and paste your 
parameters that are set. Remove any sensitive information of course.

In reference to the other email the PasswordSync log is under 
C:\Program Files\Red Hat Password Synchronization\ and there should be a file 
called passsync.log.

If you open up Active Directory Users and Computers and right click on your 
Domain container (Domain.com) and go to Properties you should see a Security 
Tab. Find your IPA pass sync user and see what permissions he has. He should 
have Read (also gives him access to Read Domain Password & Lockout Policies and 
Read Other Domain Parameters).

Matt

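Matt's three checks (PassSync registry values, the passsync.log location, and the sync account's rights at the domain level), scripted as an added example that is not code from the thread or from the FreeIPA project. It assumes the RSAT ActiveDirectory module is installed on the domain controller and uses 'ipasync' as a placeholder account name.

```powershell
# Added example, not code from the thread. Read-only checks on a Windows domain
# controller for the three things Matt asks James to look at: PassSync registry
# values, the passsync.log location, and the sync account's rights on the domain.
# Assumes the RSAT ActiveDirectory module and that the caller may read the
# registry, the log directory and the domain's security descriptor.
param(
    # sAMAccountName of the IPA sync account; 'ipasync' is an assumed placeholder.
    [string]$SyncAccount = 'ipasync'
)

# 1) PassSync registry values (HKLM\Software\PasswordSync). Secrets are masked so
#    the output is safe to paste into a mailing-list post.
$regPath = 'HKLM:\SOFTWARE\PasswordSync'
if (Test-Path -Path $regPath) {
    $item = Get-ItemProperty -Path $regPath
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($p in $item.PSObject.Properties | Where-Object { $_.Name -notin $meta }) {
        $shown = if ($p.Name -match 'Password|Token|Cert') { '<redacted>' } else { $p.Value }
        '{0,-20} = {1}' -f $p.Name, $shown
    }
    # The thread reports a default "User Name Field" of "userid" where IPA expects "uid".
    $field = $item.'User Name Field'
    if ($field -and $field -ne 'uid') {
        Write-Warning "User Name Field is '$field'; FreeIPA users are keyed by 'uid'."
    }
} else {
    Write-Warning "$regPath not found: PassSync does not appear to be installed here."
}

# 2) Tail of the PassSync log at the path given in the thread.
$log = 'C:\Program Files\Red Hat Password Synchronization\passsync.log'
if (Test-Path -Path $log) {
    Get-Content -Path $log -Tail 20
} else {
    Write-Warning "No log file at $log (PassSync not installed, or never run)."
}

# 3) What the sync account holds on the domain root, and whether it sits in a
#    privileged group. A one-way AD -> IPA winsync only needs read access, so
#    membership in Administrators / Domain Admins is a least-privilege finding.
Import-Module ActiveDirectory -ErrorAction Stop
$domainDn = (Get-ADDomain).DistinguishedName
$user     = Get-ADUser -Identity $SyncAccount -Properties MemberOf
$acl      = Get-Acl -Path ("AD:\" + $domainDn)

# Explicit ACEs granted to the account itself (a domain-level Read shows up here).
$acl.Access |
    Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $user.SID
    } |
    Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType, ObjectType |
    Format-Table -AutoSize

# Direct membership in well-known privileged groups.
$privileged = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Account Operators'
$groups = foreach ($dn in $user.MemberOf) { (Get-ADGroup -Identity $dn).Name }
$hits   = $groups | Where-Object { $privileged -contains $_ }
if ($hits) {
    Write-Warning "$SyncAccount is in privileged group(s): $($hits -join ', '). A read-only sync should not need this."
} else {
    "$SyncAccount is not a direct member of $($privileged -join ', ')."
}
```

Only ACEs granted directly to the account are listed; rights inherited through group membership (for example Domain Users) are not expanded here.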