RE: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10

2009-07-27 Thread Jeff Moody
Rob has helped me resolve this.
Essentially, this was the issue.
The machine was a domain controller first and I installed the CA utilities 
(much) later.

When I created the server as an Enterprise CA, it apparently created two 
certificate authorities (which may be the wrong verbiage, but unfortunately my 
knowledge of SSL is rather limited) - one for DC1 and one for DC1-CA.

What the documentation had led me to believe was that the DC1 CA cert would 
be what I needed for the sync process to work. What Rob helped me discover was 
that it needed the DC1-CA cert.

Once I tracked down that certificate (which Microsoft doesn't make easy to do) 
and exported it, I was able to install it as part of the IPA Server 
ipa-replica-manage process and the user accounts have replicated.

Now, if I can find a "nice" GUI for adding the synchronized user accounts to 
groups which only exist on the IPA Server side, I will be a very, very happy 
camper.



Jeff Moody
Senior Systems Engineer
 
EVS Corporation
5050 Poplar Avenue ,Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk

(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.mo...@evscorporation.com


-----Original Message-----
From: Jenny Galipeau [mailto:jgali...@redhat.com] 
Sent: Monday, July 27, 2009 12:14 PM
To: Jeff Moody
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 
10

Jeff Moody wrote:
> Following the instructions on 
> http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html
>  I am running into an error generating the certificate for the DC. The 
> specific error I am getting is:
> Denied by Policy Module  0x80094801, The request does not contain a 
> certificate template extension or the CertificateTemplate request attribute.
>
> I apologize that I am so ignorant on SSL, but what type of certificate 
> template should I put on the request? Domain Controller? Root CA?
>
> Thanks a ton for the help on this.
>
>   
Your Active Directory may already be SSL secured.  But if not I suspect 
it is Domain Controller.  Where is the Microsoft Certificate Authority 
installed?  On the same machine as the Domain Controller?  If the 
Certificate Authority is installed on the same machine and was installed 
before installing the domain controller - it automatically issues 
machine certificates for all machines added to the domain.  Then you 
would just need to export the Root CA certificate and add it to the 
Directory Server as a trusted Root CA.
Jenny
> 
>
> Jeff Moody
> Senior Systems Engineer
>  
> EVS Corporation
> 5050 Poplar Avenue ,Suite 1600
> Memphis, Tennessee 38157
> (901) 259-2387 - 24x7 Helpdesk
>
> (901) 881-0919 - Office
> (901) 497-1444 - Cell
> jeff.mo...@evscorporation.com
>
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jeff Moody
> Sent: Monday, July 27, 2009 10:49 AM
> To: Jenny Galipeau; Rob Crittenden
> Cc: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and 
> Fedora 10
>
> I've been communicating some with Rob off-list and have rebooted the Windows 
> server after installing the Passsync software, but not after installing the 
> certificate for the IPA server in the passsync directory.
>
> 
>
> Jeff Moody
> Senior Systems Engineer
>  
> EVS Corporation
> 5050 Poplar Avenue ,Suite 1600
> Memphis, Tennessee 38157
> (901) 259-2387 - 24x7 Helpdesk
>
> (901) 881-0919 - Office
> (901) 497-1444 - Cell
> jeff.mo...@evscorporation.com
>
>
> -----Original Message-----
> From: Jenny Galipeau [mailto:jgali...@redhat.com] 
> Sent: Monday, July 27, 2009 10:41 AM
> To: Rob Crittenden
> Cc: Jeff Moody; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and 
> Fedora 10
>
> Rob Crittenden wrote:
>   
>> Jeff Moody wrote:
>> 
>>> I'm trying to set up password/identity sync to the FreeIPA server 
>>> from a Windows 2003R2 SP2 server to a Fedora 10 VM.
>>>
>>> I have installed the FreeIPA software and can load its configuration 
>>> page on the IPA server - so the service appears to be running.
>>>
>>> I have our Windows DC running the Windows 2003 Enterprise Certificate 
>>> Authority service and have exported its root certificate and SCP'ed 
>>> that to the IPA server.
>>>
>>> Following the instructions from TFM, I run the following command:
>>>
>>>
>>>
>>> [r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn 
>>> CN=PassSync,OU=Admins,DC

Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10

2009-07-27 Thread Jenny Galipeau

Jeff Moody wrote:

Following the instructions on 
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html
 I am running into an error generating the certificate for the DC. The specific 
error I am getting is:
Denied by Policy Module  0x80094801, The request does not contain a certificate 
template extension or the CertificateTemplate request attribute.

I apologize that I am so ignorant on SSL, but what type of certificate template 
should I put on the request? Domain Controller? Root CA?

Thanks a ton for the help on this.

  
Your Active Directory may already be SSL secured.  But if not I suspect 
it is Domain Controller.  Where is the Microsoft Certificate Authority 
installed?  On the same machine as the Domain Controller?  If the 
Certificate Authority is installed on the same machine and was installed 
before installing the domain controller - it automatically issues 
machine certificates for all machines added to the domain.  Then you 
would just need to export the Root CA certificate and add it to the 
Directory Server as a trusted Root CA.

Jenny



Jeff Moody
Senior Systems Engineer
 
EVS Corporation

5050 Poplar Avenue ,Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk

(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.mo...@evscorporation.com


-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jeff Moody
Sent: Monday, July 27, 2009 10:49 AM
To: Jenny Galipeau; Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 
10

I've been communicating some with Rob off-list and have rebooted the Windows 
server after installing the Passsync software, but not after installing the 
certificate for the IPA server in the passsync directory.



Jeff Moody
Senior Systems Engineer
 
EVS Corporation

5050 Poplar Avenue ,Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk

(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.mo...@evscorporation.com


-----Original Message-----
From: Jenny Galipeau [mailto:jgali...@redhat.com] 
Sent: Monday, July 27, 2009 10:41 AM

To: Rob Crittenden
Cc: Jeff Moody; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 
10

Rob Crittenden wrote:
  

Jeff Moody wrote:

I'm trying to set up password/identity sync to the FreeIPA server 
from a Windows 2003R2 SP2 server to a Fedora 10 VM.


I have installed the FreeIPA software and can load its configuration 
page on the IPA server - so the service appears to be running.


I have our Windows DC running the Windows 2003 Enterprise Certificate 
Authority service and have exported its root certificate and SCP'ed 
that to the IPA server.


Following the instructions from TFM, I run the following command:



[r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn 
CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw 
WindowsAccountPassword --cacert /root/dc1-base64-x509.cer 
dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync




This is the output from that command:



Directory Manager password:

INFO:root:Shutting down dirsrv:

EVSCORPORATION-COM... [ OK ]



INFO:root:

INFO:root:

INFO:root:

INFO:root:Starting dirsrv:

EVSCORPORATION-COM... [ OK ]



INFO:root:

INFO:root:Added CA certificate /root/dc1-base64-x509.cer to 
certificate database for ipamem1.evscorporation.com


INFO:root:Restarted directory server ipamem1.evscorporation.com

INFO:root:Could not validate connection to remote server 
dc1.evscorporation.com:636 - continuing


INFO:root:The error was: {'info': 'error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 
'desc': "Can't contact LDAP server"}


The user for the Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com


Windows PassSync entry exists, not resetting password

INFO:root:Added new sync agreement, waiting for it to become ready . . .

INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP 
error: Can't contact LDAP server: start: 0: end: 0


INFO:root:Agreement is ready, starting replication . . .

Starting replication, please wait until this has completed.

[ipamem1.evscorporation.com] reports: Update failed! Status: [81 - 
LDAP error: Can't contact LDAP server]


INFO:root:Added agreement for other host dc1.evscorporation.com



Additionally, in the /var/lib/dirsrv/ errors log, I have the 
following error:




[25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send 
bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] 
mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's 
Certificate issuer is not recognized.) 11 (Resource temporarily 
unavailable)




On the Windows server, the Passsync service is running

RE: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10

2009-07-27 Thread Jeff Moody
Following the instructions on 
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html
 I am running into an error generating the certificate for the DC. The specific 
error I am getting is:
Denied by Policy Module  0x80094801, The request does not contain a certificate 
template extension or the CertificateTemplate request attribute.

I apologize that I am so ignorant on SSL, but what type of certificate template 
should I put on the request? Domain Controller? Root CA?

Thanks a ton for the help on this.



Jeff Moody
Senior Systems Engineer
 
EVS Corporation
5050 Poplar Avenue ,Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk

(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.mo...@evscorporation.com


-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jeff Moody
Sent: Monday, July 27, 2009 10:49 AM
To: Jenny Galipeau; Rob Crittenden
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 
10

I've been communicating some with Rob off-list and have rebooted the Windows 
server after installing the Passsync software, but not after installing the 
certificate for the IPA server in the passsync directory.



Jeff Moody
Senior Systems Engineer
 
EVS Corporation
5050 Poplar Avenue ,Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk

(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.mo...@evscorporation.com


-----Original Message-----
From: Jenny Galipeau [mailto:jgali...@redhat.com] 
Sent: Monday, July 27, 2009 10:41 AM
To: Rob Crittenden
Cc: Jeff Moody; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 
10

Rob Crittenden wrote:
> Jeff Moody wrote:
>> I'm trying to set up password/identity sync to the FreeIPA server 
>> from a Windows 2003R2 SP2 server to a Fedora 10 VM.
>>
>> I have installed the FreeIPA software and can load its configuration 
>> page on the IPA server - so the service appears to be running.
>>
>> I have our Windows DC running the Windows 2003 Enterprise Certificate 
>> Authority service and have exported its root certificate and SCP'ed 
>> that to the IPA server.
>>
>> Following the instructions from TFM, I run the following command:
>>
>>
>>
>> [r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn 
>> CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw 
>> WindowsAccountPassword --cacert /root/dc1-base64-x509.cer 
>> dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync
>>
>>
>>
>> This is the output from that command:
>>
>>
>>
>> Directory Manager password:
>>
>> INFO:root:Shutting down dirsrv:
>>
>> EVSCORPORATION-COM... [ OK ]
>>
>>
>>
>> INFO:root:
>>
>> INFO:root:
>>
>> INFO:root:
>>
>> INFO:root:Starting dirsrv:
>>
>> EVSCORPORATION-COM... [ OK ]
>>
>>
>>
>> INFO:root:
>>
>> INFO:root:Added CA certificate /root/dc1-base64-x509.cer to 
>> certificate database for ipamem1.evscorporation.com
>>
>> INFO:root:Restarted directory server ipamem1.evscorporation.com
>>
>> INFO:root:Could not validate connection to remote server 
>> dc1.evscorporation.com:636 - continuing
>>
>> INFO:root:The error was: {'info': 'error:14090086:SSL 
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 
>> 'desc': "Can't contact LDAP server"}
>>
>> The user for the Windows PassSync service is 
>> uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com
>>
>> Windows PassSync entry exists, not resetting password
>>
>> INFO:root:Added new sync agreement, waiting for it to become ready . . .
>>
>> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP 
>> error: Can't contact LDAP server: start: 0: end: 0
>>
>> INFO:root:Agreement is ready, starting replication . . .
>>
>> Starting replication, please wait until this has completed.
>>
>> [ipamem1.evscorporation.com] reports: Update failed! Status: [81 - 
>> LDAP error: Can't contact LDAP server]
>>
>> INFO:root:Added agreement for other host dc1.evscorporation.com
>>
>>
>>
>> Additionally, in the /var/lib/dirsrv/ errors log, I have the 
>> following error:
>>
>>
>>
>> [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send 
>> bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] 
>> mech [SIMPLE]: error 81 (Can't contact LDAP se

RE: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10

2009-07-27 Thread Jeff Moody
I've been communicating some with Rob off-list and have rebooted the Windows 
server after installing the Passsync software, but not after installing the 
certificate for the IPA server in the passsync directory.



Jeff Moody
Senior Systems Engineer
 
EVS Corporation
5050 Poplar Avenue ,Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk

(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.mo...@evscorporation.com


-----Original Message-----
From: Jenny Galipeau [mailto:jgali...@redhat.com] 
Sent: Monday, July 27, 2009 10:41 AM
To: Rob Crittenden
Cc: Jeff Moody; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 
10

Rob Crittenden wrote:
> Jeff Moody wrote:
>> I'm trying to set up password/identity sync to the FreeIPA server 
>> from a Windows 2003R2 SP2 server to a Fedora 10 VM.
>>
>> I have installed the FreeIPA software and can load its configuration 
>> page on the IPA server - so the service appears to be running.
>>
>> I have our Windows DC running the Windows 2003 Enterprise Certificate 
>> Authority service and have exported its root certificate and SCP'ed 
>> that to the IPA server.
>>
>> Following the instructions from TFM, I run the following command:
>>
>>
>>
>> [r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn 
>> CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw 
>> WindowsAccountPassword --cacert /root/dc1-base64-x509.cer 
>> dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync
>>
>>
>>
>> This is the output from that command:
>>
>>
>>
>> Directory Manager password:
>>
>> INFO:root:Shutting down dirsrv:
>>
>> EVSCORPORATION-COM... [ OK ]
>>
>>
>>
>> INFO:root:
>>
>> INFO:root:
>>
>> INFO:root:
>>
>> INFO:root:Starting dirsrv:
>>
>> EVSCORPORATION-COM... [ OK ]
>>
>>
>>
>> INFO:root:
>>
>> INFO:root:Added CA certificate /root/dc1-base64-x509.cer to 
>> certificate database for ipamem1.evscorporation.com
>>
>> INFO:root:Restarted directory server ipamem1.evscorporation.com
>>
>> INFO:root:Could not validate connection to remote server 
>> dc1.evscorporation.com:636 - continuing
>>
>> INFO:root:The error was: {'info': 'error:14090086:SSL 
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 
>> 'desc': "Can't contact LDAP server"}
>>
>> The user for the Windows PassSync service is 
>> uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com
>>
>> Windows PassSync entry exists, not resetting password
>>
>> INFO:root:Added new sync agreement, waiting for it to become ready . . .
>>
>> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP 
>> error: Can't contact LDAP server: start: 0: end: 0
>>
>> INFO:root:Agreement is ready, starting replication . . .
>>
>> Starting replication, please wait until this has completed.
>>
>> [ipamem1.evscorporation.com] reports: Update failed! Status: [81 - 
>> LDAP error: Can't contact LDAP server]
>>
>> INFO:root:Added agreement for other host dc1.evscorporation.com
>>
>>
>>
>> Additionally, in the /var/lib/dirsrv/ errors log, I have the 
>> following error:
>>
>>
>>
>> [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send 
>> bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] 
>> mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's 
>> Certificate issuer is not recognized.) 11 (Resource temporarily 
>> unavailable)
>>
>>
>>
>> On the Windows server, the Passsync service is running and as far as 
>> I know I installed the right certificate on the Passsync side by 
>> following the instructions at 
>> (http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service)
>>  
>> and the only message in the Passsync log on the Windows side is:
>>
>>
>>
>> 07/25/09 14:32:15: PassSync service started
>>
>>
>>
> >> I'm sure that I'm just missing some simple, stupid little thing...but I 
>> have no earthly idea as to what that could be. Any 
>> help/suggestions/troubleshooting anyone can help me with, I would 
>> greatly appreciate it.
>>
>
> Hmm, clearly an SSL trust issue.
>
> > Let's start by making sure that DS has the CA you provided loaded and 
>

Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10

2009-07-27 Thread Jenny Galipeau

Rob Crittenden wrote:

Jeff Moody wrote:
I’m trying to set up password/identity sync to the FreeIPA server 
from a Windows 2003R2 SP2 server to a Fedora 10 VM.


I have installed the FreeIPA software and can load its configuration 
page on the IPA server – so the service appears to be running.


I have our Windows DC running the Windows 2003 Enterprise Certificate 
Authority service and have exported its root certificate and SCP’ed 
that to the IPA server.


Following the instructions from TFM, I run the following command:



[r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn 
CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw 
WindowsAccountPassword --cacert /root/dc1-base64-x509.cer 
dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync




This is the output from that command:



Directory Manager password:

INFO:root:Shutting down dirsrv:

EVSCORPORATION-COM... [ OK ]



INFO:root:

INFO:root:

INFO:root:

INFO:root:Starting dirsrv:

EVSCORPORATION-COM... [ OK ]



INFO:root:

INFO:root:Added CA certificate /root/dc1-base64-x509.cer to 
certificate database for ipamem1.evscorporation.com


INFO:root:Restarted directory server ipamem1.evscorporation.com

INFO:root:Could not validate connection to remote server 
dc1.evscorporation.com:636 - continuing


INFO:root:The error was: {'info': 'error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 
'desc': "Can't contact LDAP server"}


The user for the Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com


Windows PassSync entry exists, not resetting password

INFO:root:Added new sync agreement, waiting for it to become ready . . .

INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP 
error: Can't contact LDAP server: start: 0: end: 0


INFO:root:Agreement is ready, starting replication . . .

Starting replication, please wait until this has completed.

[ipamem1.evscorporation.com] reports: Update failed! Status: [81 - 
LDAP error: Can't contact LDAP server]


INFO:root:Added agreement for other host dc1.evscorporation.com



Additionally, in the /var/lib/dirsrv/ errors log, I have the 
following error:




[25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send 
bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] 
mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's 
Certificate issuer is not recognized.) 11 (Resource temporarily 
unavailable)




On the Windows server, the Passsync service is running and as far as 
I know I installed the right certificate on the Passsync side by 
following the instructions at 
(http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service) 
and the only message in the Passsync log on the Windows side is:




07/25/09 14:32:15: PassSync service started



I’m sure that I’m just missing some simple, stupid little thing…but I 
have no earthly idea as to what that could be. Any 
help/suggestions/troubleshooting anyone can help me with, I would 
greatly appreciate it.




Hmm, clearly an SSL trust issue.

Let's start by making sure that DS has the CA you provided loaded and 
trusted:


# certutil -L -d /etc/dirsrv/slapd-INSTANCE

It should include your CA and have a trust like CT,,C

I found that I needed to reboot my AD server when installing the CA 
service and getting PassSync installed. Have you rebooted recently?
These instructions are much more comprehensive and include that a reboot 
of the AD machine is required.

http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html
Jenny


rob



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users



--
Jenny Galipeau 
Principal Software QA Engineer
Red Hat, Inc. Security Engineering



RE: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10

2009-07-27 Thread Jeff Moody
Pardon my ignorance, but are there any special steps outside of the 
ipa-replica-manage command with the Root Cert from the AD server needed to get 
the certificate installed? 
I had some other issues with the VM over the weekend and am rebuilding the VM 
now to reinstall the IPA server software and will be able to check and give you 
the output of certutil later today.
Thanks.



Jeff Moody
Senior Systems Engineer
 
EVS Corporation
5050 Poplar Avenue ,Suite 1600
Memphis, Tennessee 38157
(901) 259-2387 - 24x7 Helpdesk

(901) 881-0919 - Office
(901) 497-1444 - Cell
jeff.mo...@evscorporation.com

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Monday, July 27, 2009 9:05 AM
To: Jeff Moody
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 
10

Jeff Moody wrote:
> I'm trying to set up password/identity sync to the FreeIPA server from a 
> Windows 2003R2 SP2 server to a Fedora 10 VM.
> 
> I have installed the FreeIPA software and can load its configuration 
> page on the IPA server - so the service appears to be running.
> 
> I have our Windows DC running the Windows 2003 Enterprise Certificate 
> Authority service and have exported its root certificate and SCP'ed that 
> to the IPA server.
> 
> Following the instructions from TFM, I run the following command:
> 
>  
> 
> [r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn 
> CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw 
> WindowsAccountPassword --cacert /root/dc1-base64-x509.cer 
> dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync
> 
>  
> 
> This is the output from that command:
> 
>  
> 
> Directory Manager password:
> 
> INFO:root:Shutting down dirsrv:
> 
> EVSCORPORATION-COM...  [  OK  ]
> 
>  
> 
> INFO:root:
> 
> INFO:root:
> 
> INFO:root:
> 
> INFO:root:Starting dirsrv:
> 
> EVSCORPORATION-COM...  [  OK  ]
> 
>  
> 
> INFO:root:
> 
> INFO:root:Added CA certificate /root/dc1-base64-x509.cer to certificate 
> database for ipamem1.evscorporation.com
> 
> INFO:root:Restarted directory server ipamem1.evscorporation.com
> 
> INFO:root:Could not validate connection to remote server 
> dc1.evscorporation.com:636 - continuing
> 
> INFO:root:The error was: {'info': 'error:14090086:SSL 
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': 
> "Can't contact LDAP server"}
> 
> The user for the Windows PassSync service is 
> uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com
> 
> Windows PassSync entry exists, not resetting password
> 
> INFO:root:Added new sync agreement, waiting for it to become ready . . .
> 
> INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP 
> error: Can't contact LDAP server: start: 0: end: 0
> 
> INFO:root:Agreement is ready, starting replication . . .
> 
> Starting replication, please wait until this has completed.
> 
> [ipamem1.evscorporation.com] reports: Update failed! Status: [81  - LDAP 
> error: Can't contact LDAP server]
> 
> INFO:root:Added agreement for other host dc1.evscorporation.com
> 
>  
> 
> Additionally, in the /var/lib/dirsrv/ errors log, I have the following 
> error:
> 
>  
> 
> [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send 
> bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] 
> mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's 
> Certificate issuer is not recognized.) 11 (Resource temporarily unavailable)
> 
>  
> 
> On the Windows server, the Passsync service is running and as far as I 
> know I installed the right certificate on the Passsync side by following 
> the instructions at 
> (http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service)
>  
> and the only message in the Passsync log on the Windows side is:
> 
>  
> 
> 07/25/09 14:32:15: PassSync service started
> 
>  
> 
> I'm sure that I'm just missing some simple, stupid little thing...but I 
> have no earthly idea as to what that could be. Any 
> help/suggestions/troubleshooting anyone can help me with, I would 
> greatly appreciate it.
> 

Hmm, clearly an SSL trust issue.

Let's start by making sure that DS has the CA you provided loaded and 
trusted:

# certutil -L -d /etc/dirsrv/slapd-INSTANCE

It should include your CA and have a trust like CT,,C

I found that I needed to reboot my AD server when installing the CA 
service and getting PassSync installed. Have you rebooted recently?

rob




Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10

2009-07-27 Thread Rob Crittenden

Jeff Moody wrote:
I’m trying to set up password/identity sync to the FreeIPA server from a 
Windows 2003R2 SP2 server to a Fedora 10 VM.


I have installed the FreeIPA software and can load its configuration 
page on the IPA server – so the service appears to be running.


I have our Windows DC running the Windows 2003 Enterprise Certificate 
Authority service and have exported its root certificate and SCP’ed that 
to the IPA server.


Following the instructions from TFM, I run the following command:

 

[r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn 
CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw 
WindowsAccountPassword --cacert /root/dc1-base64-x509.cer 
dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync


 


This is the output from that command:

 


Directory Manager password:

INFO:root:Shutting down dirsrv:

EVSCORPORATION-COM...  [  OK  ]

 


INFO:root:

INFO:root:

INFO:root:

INFO:root:Starting dirsrv:

EVSCORPORATION-COM...  [  OK  ]

 


INFO:root:

INFO:root:Added CA certificate /root/dc1-base64-x509.cer to certificate 
database for ipamem1.evscorporation.com


INFO:root:Restarted directory server ipamem1.evscorporation.com

INFO:root:Could not validate connection to remote server 
dc1.evscorporation.com:636 - continuing


INFO:root:The error was: {'info': 'error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': 
"Can't contact LDAP server"}


The user for the Windows PassSync service is 
uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com


Windows PassSync entry exists, not resetting password

INFO:root:Added new sync agreement, waiting for it to become ready . . .

INFO:root:Replication Update in progress: FALSE: status: 81  - LDAP 
error: Can't contact LDAP server: start: 0: end: 0


INFO:root:Agreement is ready, starting replication . . .

Starting replication, please wait until this has completed.

[ipamem1.evscorporation.com] reports: Update failed! Status: [81  - LDAP 
error: Can't contact LDAP server]


INFO:root:Added agreement for other host dc1.evscorporation.com

 

Additionally, in the /var/lib/dirsrv/ errors log, I have the following 
error:


 

[25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send 
bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] 
mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's 
Certificate issuer is not recognized.) 11 (Resource temporarily unavailable)


 

On the Windows server, the Passsync service is running and as far as I 
know I installed the right certificate on the Passsync side by following 
the instructions at 
(http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service) 
and the only message in the Passsync log on the Windows side is:


 


07/25/09 14:32:15: PassSync service started

 

I’m sure that I’m just missing some simple, stupid little thing…but I 
have no earthly idea as to what that could be. Any 
help/suggestions/troubleshooting anyone can help me with, I would 
greatly appreciate it.




Hmm, clearly an SSL trust issue.

Let's start by making sure that DS has the CA you provided loaded and 
trusted:


# certutil -L -d /etc/dirsrv/slapd-INSTANCE

It should include your CA and have a trust like CT,,C

I found that I needed to reboot my AD server when installing the CA 
service and getting PassSync installed. Have you rebooted recently?


rob
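Two checks decide this whole thread: the file given to ipa-replica-manage as --cacert has to be the CA certificate (what Jeff calls the DC1-CA cert), not the domain controller's own certificate (DC1), and that CA has to end up in the Directory Server NSS database with a trust like CT,,C, as Rob asks to confirm with certutil -L. The script below is an added example, not code from this thread or from FreeIPA, that runs both checks before ipa-replica-manage is touched. It assumes openssl(1) and awk on the IPA host; the file names, the nickname DC1-CA, the instance name slapd-EVSCORPORATION-COM and the certutil output it parses are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or FreeIPA. Pre-flight checks for the
# certificate handed to `ipa-replica-manage add --winsync --cacert FILE`.
# Assumes openssl(1) and awk on PATH; file names and nicknames are illustrative.

# Print one `openssl x509` field of FILE, accepting either PEM ("Base-64
# encoded X.509") or DER ("DER encoded binary X.509"), the two formats the
# Windows certificate export wizard offers.
x509_field() {                       # x509_field FILE OPTION   (e.g. -subject)
    openssl x509 -in "$1" -noout "$2" 2>/dev/null \
        || openssl x509 -in "$1" -inform DER -noout "$2"
}

# 0 if FILE is a root CA certificate (self-issued and basicConstraints CA:TRUE),
# 1 if it is an end-entity certificate such as the DC's own machine/LDAPS cert
# (the "DC1" cert exported by mistake in the thread), 2 if it does not parse.
is_ca_cert() {                       # is_ca_cert FILE
    subj=$(x509_field "$1" -subject) || return 2
    iss=$(x509_field "$1" -issuer)   || return 2
    [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
    x509_field "$1" -text | grep -q 'CA:TRUE'
}

# 0 if LEAF chains to CAFILE. This is the question NSS answers when dirsrv
# logs -8179 "Peer's Certificate issuer is not recognized": passing the DC's
# own certificate as CAFILE fails here exactly as it fails inside dirsrv.
issued_by() {                        # issued_by CAFILE LEAF
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Save the certificate the DC presents on LDAPS (636) so it can be checked
# offline with issued_by. Needs network access; not exercised by the test.
fetch_ldaps_cert() {                 # fetch_ldaps_cert HOST OUTFILE
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$2"
}

# Print the SSL trust column (the "CT" of "CT,,C") for nickname NICK, reading
# `certutil -L -d /etc/dirsrv/slapd-INSTANCE` output on stdin. Nicknames may
# contain spaces; the flags are always the last whitespace-separated column.
nss_ssl_trust() {                    # nss_ssl_trust NICK < certutil-output
    awk -v nick="$1" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF; name = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # strip the flags column
            sub(/^[ \t]+/, "", name)                 # strip leading blanks
            if (name == nick) { split(flags, f, ","); print f[1]; exit }
        }'
}

# 0 if NICK is marked as a trusted CA for SSL server certs: an uppercase "C"
# in the SSL column. "u,u,u" (a user cert) or a missing entry both fail.
nss_ca_trusted() {                   # nss_ca_trusted NICK < certutil-output
    case "$(nss_ssl_trust "$1")" in *C*) return 0 ;; *) return 1 ;; esac
}

# Typical use before running ipa-replica-manage (paths and names assumed):
#   is_ca_cert /root/dc1-base64-x509.cer || echo "export the DC1-CA cert, not DC1"
#   fetch_ldaps_cert dc1.evscorporation.com /tmp/dc1-ldaps.pem
#   issued_by /root/dc1-base64-x509.cer /tmp/dc1-ldaps.pem || echo "wrong CA"
#   certutil -L -d /etc/dirsrv/slapd-EVSCORPORATION-COM | nss_ca_trusted DC1-CA \
#       || echo "CA not trusted for SSL (expect CT,,C)"
```

is_ca_cert would have caught the mistake described at the top of the thread: the DC1 certificate has the DC as subject and DC1-CA as issuer, so it is rejected, while the DC1-CA certificate is self-issued with CA:TRUE. issued_by then confirms that the file is the CA that actually signed what the DC serves on port 636, and nss_ca_trusted checks the trust flags after ipa-replica-manage has loaded the certificate into the Directory Server database.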


