RE: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
Rob has helped me resolve this. Essentially, this was the issue. The machine was a domain controller first and I installed the CA utilities (much) later. When I created the server as an Enterprise CA, it apparently created two certificate authorities (which may be the wrong verbage, but unfortunately my knowledge of SSL is rather limited) - one for DC1 and one for DC1-CA. What the documentation had me leading to believe was that the DC1 CA cert would be what I needed for the sync process to work. What Rob helped me discover was that it needed the DC1-CA cert. Once I tracked down that certificate (which Microsoft doesn't make easy to do) and exported it, I was able to install it as part of the IPA Server ipa-replica-manage process and the user accounts have replicated. Now, if I can find a "nice" GUI for adding the synchronized user accounts to groups which only exist on the IPA Server side, I will be a very, very happy camper. Jeff Moody Senior Systems Engineer EVS Corporation 5050 Poplar Avenue ,Suite 1600 Memphis, Tennessee 38157 (901) 259-2387 - 24x7 Helpdesk (901) 881-0919 - Office (901) 497-1444 - Cell jeff.mo...@evscorporation.com -Original Message- From: Jenny Galipeau [mailto:jgali...@redhat.com] Sent: Monday, July 27, 2009 12:14 PM To: Jeff Moody Cc: Rob Crittenden; freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10 Jeff Moody wrote: > Following the instructions on > http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html > I am running into an error generating the certificate for the DC. The > specific error I am getting is: > Denied by Policy Module 0x80094801, The request does not contain a > certificate template extension or the CertificateTemplate request attribute. > > I apologize that I am so ignorant on SSL, but what type of certificate > template should I put on the request? Domain Controller? Root CA? > > Thanks a ton for the help on this. > > Your Active Directory may already be SSL secured. But if not I suspect it is Domain Controller. Where is the Microsoft Certificate Authority installed? On the same machine as the Domain Controller? If the Certificate Authority is installed on the same machine and was installed before installing the domain controller - it automatically issues machines certificates for all machines added to the domain. Then you would just need to export the Root CA certificate and add it to the Directory Server as a trusted Root CA. Jenny > > > Jeff Moody > Senior Systems Engineer > > EVS Corporation > 5050 Poplar Avenue ,Suite 1600 > Memphis, Tennessee 38157 > (901) 259-2387 - 24x7 Helpdesk > > (901) 881-0919 - Office > (901) 497-1444 - Cell > jeff.mo...@evscorporation.com > > > -Original Message- > From: freeipa-users-boun...@redhat.com > [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jeff Moody > Sent: Monday, July 27, 2009 10:49 AM > To: Jenny Galipeau; Rob Crittenden > Cc: freeipa-users@redhat.com > Subject: RE: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and > Fedora 10 > > I've been communicating some with Rob off-list and have rebooted the Windows > server after installing the Passsync software, but not after installing the > certificate for the IPA server in the passsync directory. > > > > Jeff Moody > Senior Systems Engineer > > EVS Corporation > 5050 Poplar Avenue ,Suite 1600 > Memphis, Tennessee 38157 > (901) 259-2387 - 24x7 Helpdesk > > (901) 881-0919 - Office > (901) 497-1444 - Cell > jeff.mo...@evscorporation.com > > > -----Original Message----- > From: Jenny Galipeau [mailto:jgali...@redhat.com] > Sent: Monday, July 27, 2009 10:41 AM > To: Rob Crittenden > Cc: Jeff Moody; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and > Fedora 10 > > Rob Crittenden wrote: > >> Jeff Moody wrote: >> >>> I'm trying to set up password/identity sync to the FreeIPA server >>> from a Windows 2003R2 SP2 server to a Fedora 10 VM. >>> >>> I have installed the FreeIPA software and can load its configuration >>> page on the IPA server - so the service appears to be running. >>> >>> I have our Windows DC running the Windows 2003 Enterprise Certificate >>> Authority service and have exported its root certificate and SCP'ed >>> that to the IPA server. >>> >>> Following the instructions from TFM, I run the following command: >>> >>> >>> >>> [r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn >>> CN=PassSync,OU=Admins,DC
Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
Jeff Moody wrote: Following the instructions on http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html I am running into an error generating the certificate for the DC. The specific error I am getting is: Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute. I apologize that I am so ignorant on SSL, but what type of certificate template should I put on the request? Domain Controller? Root CA? Thanks a ton for the help on this. Your Active Directory may already be SSL secured. But if not I suspect it is Domain Controller. Where is the Microsoft Certificate Authority installed? On the same machine as the Domain Controller? If the Certificate Authority is installed on the same machine and was installed before installing the domain controller - it automatically issues machines certificates for all machines added to the domain. Then you would just need to export the Root CA certificate and add it to the Directory Server as a trusted Root CA. Jenny Jeff Moody Senior Systems Engineer EVS Corporation 5050 Poplar Avenue ,Suite 1600 Memphis, Tennessee 38157 (901) 259-2387 - 24x7 Helpdesk (901) 881-0919 - Office (901) 497-1444 - Cell jeff.mo...@evscorporation.com -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jeff Moody Sent: Monday, July 27, 2009 10:49 AM To: Jenny Galipeau; Rob Crittenden Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10 I've been communicating some with Rob off-list and have rebooted the Windows server after installing the Passsync software, but not after installing the certificate for the IPA server in the passsync directory. Jeff Moody Senior Systems Engineer EVS Corporation 5050 Poplar Avenue ,Suite 1600 Memphis, Tennessee 38157 (901) 259-2387 - 24x7 Helpdesk (901) 881-0919 - Office (901) 497-1444 - Cell jeff.mo...@evscorporation.com -Original Message- From: Jenny Galipeau [mailto:jgali...@redhat.com] Sent: Monday, July 27, 2009 10:41 AM To: Rob Crittenden Cc: Jeff Moody; freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10 Rob Crittenden wrote: Jeff Moody wrote: I'm trying to set up password/identity sync to the FreeIPA server from a Windows 2003R2 SP2 server to a Fedora 10 VM. I have installed the FreeIPA software and can load its configuration page on the IPA server - so the service appears to be running. I have our Windows DC running the Windows 2003 Enterprise Certificate Authority service and have exported its root certificate and SCP'ed that to the IPA server. Following the instructions from TFM, I run the following command: [r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw WindowsAccountPassword --cacert /root/dc1-base64-x509.cer dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync This is the output from that command: Directory Manager password: INFO:root:Shutting down dirsrv: EVSCORPORATION-COM... [ OK ] INFO:root: INFO:root: INFO:root: INFO:root:Starting dirsrv: EVSCORPORATION-COM... [ OK ] INFO:root: INFO:root:Added CA certificate /root/dc1-base64-x509.cer to certificate database for ipamem1.evscorporation.com INFO:root:Restarted directory server ipamem1.evscorporation.com INFO:root:Could not validate connection to remote server dc1.evscorporation.com:636 - continuing INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"} The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com Windows PassSync entry exists, not resetting password INFO:root:Added new sync agreement, waiting for it to become ready . . . INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: Can't contact LDAP server: start: 0: end: 0 INFO:root:Agreement is ready, starting replication . . . Starting replication, please wait until this has completed. [ipamem1.evscorporation.com] reports: Update failed! Status: [81 - LDAP error: Can't contact LDAP server] INFO:root:Added agreement for other host dc1.evscorporation.com Additionally, in the /var/lib/dirsrv/ errors log, I have the following error: [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's Certificate issuer is not recognized.) 11 (Resource temporarily unavailable) On the Windows server, the Passsync service is running
RE: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
Following the instructions on http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html I am running into an error generating the certificate for the DC. The specific error I am getting is: Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute. I apologize that I am so ignorant on SSL, but what type of certificate template should I put on the request? Domain Controller? Root CA? Thanks a ton for the help on this. Jeff Moody Senior Systems Engineer EVS Corporation 5050 Poplar Avenue ,Suite 1600 Memphis, Tennessee 38157 (901) 259-2387 - 24x7 Helpdesk (901) 881-0919 - Office (901) 497-1444 - Cell jeff.mo...@evscorporation.com -Original Message- From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jeff Moody Sent: Monday, July 27, 2009 10:49 AM To: Jenny Galipeau; Rob Crittenden Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10 I've been communicating some with Rob off-list and have rebooted the Windows server after installing the Passsync software, but not after installing the certificate for the IPA server in the passsync directory. Jeff Moody Senior Systems Engineer EVS Corporation 5050 Poplar Avenue ,Suite 1600 Memphis, Tennessee 38157 (901) 259-2387 - 24x7 Helpdesk (901) 881-0919 - Office (901) 497-1444 - Cell jeff.mo...@evscorporation.com -Original Message- From: Jenny Galipeau [mailto:jgali...@redhat.com] Sent: Monday, July 27, 2009 10:41 AM To: Rob Crittenden Cc: Jeff Moody; freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10 Rob Crittenden wrote: > Jeff Moody wrote: >> I'm trying to set up password/identity sync to the FreeIPA server >> from a Windows 2003R2 SP2 server to a Fedora 10 VM. >> >> I have installed the FreeIPA software and can load its configuration >> page on the IPA server - so the service appears to be running. >> >> I have our Windows DC running the Windows 2003 Enterprise Certificate >> Authority service and have exported its root certificate and SCP'ed >> that to the IPA server. >> >> Following the instructions from TFM, I run the following command: >> >> >> >> [r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn >> CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw >> WindowsAccountPassword --cacert /root/dc1-base64-x509.cer >> dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync >> >> >> >> This is the output from that command: >> >> >> >> Directory Manager password: >> >> INFO:root:Shutting down dirsrv: >> >> EVSCORPORATION-COM... [ OK ] >> >> >> >> INFO:root: >> >> INFO:root: >> >> INFO:root: >> >> INFO:root:Starting dirsrv: >> >> EVSCORPORATION-COM... [ OK ] >> >> >> >> INFO:root: >> >> INFO:root:Added CA certificate /root/dc1-base64-x509.cer to >> certificate database for ipamem1.evscorporation.com >> >> INFO:root:Restarted directory server ipamem1.evscorporation.com >> >> INFO:root:Could not validate connection to remote server >> dc1.evscorporation.com:636 - continuing >> >> INFO:root:The error was: {'info': 'error:14090086:SSL >> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', >> 'desc': "Can't contact LDAP server"} >> >> The user for the Windows PassSync service is >> uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com >> >> Windows PassSync entry exists, not resetting password >> >> INFO:root:Added new sync agreement, waiting for it to become ready . . . >> >> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP >> error: Can't contact LDAP server: start: 0: end: 0 >> >> INFO:root:Agreement is ready, starting replication . . . >> >> Starting replication, please wait until this has completed. >> >> [ipamem1.evscorporation.com] reports: Update failed! Status: [81 - >> LDAP error: Can't contact LDAP server] >> >> INFO:root:Added agreement for other host dc1.evscorporation.com >> >> >> >> Additionally, in the /var/lib/dirsrv/ errors log, I have the >> following error: >> >> >> >> [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send >> bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] >> mech [SIMPLE]: error 81 (Can't contact LDAP se
RE: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
I've been communicating some with Rob off-list and have rebooted the Windows server after installing the Passsync software, but not after installing the certificate for the IPA server in the passsync directory. Jeff Moody Senior Systems Engineer EVS Corporation 5050 Poplar Avenue ,Suite 1600 Memphis, Tennessee 38157 (901) 259-2387 - 24x7 Helpdesk (901) 881-0919 - Office (901) 497-1444 - Cell jeff.mo...@evscorporation.com -Original Message- From: Jenny Galipeau [mailto:jgali...@redhat.com] Sent: Monday, July 27, 2009 10:41 AM To: Rob Crittenden Cc: Jeff Moody; freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10 Rob Crittenden wrote: > Jeff Moody wrote: >> I'm trying to set up password/identity sync to the FreeIPA server >> from a Windows 2003R2 SP2 server to a Fedora 10 VM. >> >> I have installed the FreeIPA software and can load its configuration >> page on the IPA server - so the service appears to be running. >> >> I have our Windows DC running the Windows 2003 Enterprise Certificate >> Authority service and have exported its root certificate and SCP'ed >> that to the IPA server. >> >> Following the instructions from TFM, I run the following command: >> >> >> >> [r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn >> CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw >> WindowsAccountPassword --cacert /root/dc1-base64-x509.cer >> dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync >> >> >> >> This is the output from that command: >> >> >> >> Directory Manager password: >> >> INFO:root:Shutting down dirsrv: >> >> EVSCORPORATION-COM... [ OK ] >> >> >> >> INFO:root: >> >> INFO:root: >> >> INFO:root: >> >> INFO:root:Starting dirsrv: >> >> EVSCORPORATION-COM... [ OK ] >> >> >> >> INFO:root: >> >> INFO:root:Added CA certificate /root/dc1-base64-x509.cer to >> certificate database for ipamem1.evscorporation.com >> >> INFO:root:Restarted directory server ipamem1.evscorporation.com >> >> INFO:root:Could not validate connection to remote server >> dc1.evscorporation.com:636 - continuing >> >> INFO:root:The error was: {'info': 'error:14090086:SSL >> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', >> 'desc': "Can't contact LDAP server"} >> >> The user for the Windows PassSync service is >> uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com >> >> Windows PassSync entry exists, not resetting password >> >> INFO:root:Added new sync agreement, waiting for it to become ready . . . >> >> INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP >> error: Can't contact LDAP server: start: 0: end: 0 >> >> INFO:root:Agreement is ready, starting replication . . . >> >> Starting replication, please wait until this has completed. >> >> [ipamem1.evscorporation.com] reports: Update failed! Status: [81 - >> LDAP error: Can't contact LDAP server] >> >> INFO:root:Added agreement for other host dc1.evscorporation.com >> >> >> >> Additionally, in the /var/lib/dirsrv/ errors log, I have the >> following error: >> >> >> >> [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send >> bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] >> mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's >> Certificate issuer is not recognized.) 11 (Resource temporarily >> unavailable) >> >> >> >> On the Windows server, the Passsync service is running and as far as >> I know I installed the right certificate on the Passsync side by >> following the instructions at >> (http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service) >> >> and the only message in the Passsync log on the Windows side is: >> >> >> >> 07/25/09 14:32:15: PassSync service started >> >> >> >> I'm sure that I'm just missing some simple, stupid little thing.but I >> have no earthly idea as to what that could be. Any >> help/suggestions/troubleshooting anyone can help me with, I would >> greatly appreciate it. >> > > Hmm, clearly an SSL trust issue. > > Lets start by making sure that DS has the CA you provided loaded and >
Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
Rob Crittenden wrote: Jeff Moody wrote: I’m trying to set up password/identity sync to the FreeIPA server from a Windows 2003R2 SP2 server to a Fedora 10 VM. I have installed the FreeIPA software and can load its configuration page on the IPA server – so the service appears to be running. I have our Windows DC running the Windows 2003 Enterprise Certificate Authority service and have exported its root certificate and SCP’ed that to the IPA server. Following the instructions from TFM, I run the following command: [r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw WindowsAccountPassword --cacert /root/dc1-base64-x509.cer dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync This is the output from that command: Directory Manager password: INFO:root:Shutting down dirsrv: EVSCORPORATION-COM... [ OK ] INFO:root: INFO:root: INFO:root: INFO:root:Starting dirsrv: EVSCORPORATION-COM... [ OK ] INFO:root: INFO:root:Added CA certificate /root/dc1-base64-x509.cer to certificate database for ipamem1.evscorporation.com INFO:root:Restarted directory server ipamem1.evscorporation.com INFO:root:Could not validate connection to remote server dc1.evscorporation.com:636 - continuing INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"} The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com Windows PassSync entry exists, not resetting password INFO:root:Added new sync agreement, waiting for it to become ready . . . INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: Can't contact LDAP server: start: 0: end: 0 INFO:root:Agreement is ready, starting replication . . . Starting replication, please wait until this has completed. [ipamem1.evscorporation.com] reports: Update failed! Status: [81 - LDAP error: Can't contact LDAP server] INFO:root:Added agreement for other host dc1.evscorporation.com Additionally, in the /var/lib/dirsrv/ errors log, I have the following error: [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's Certificate issuer is not recognized.) 11 (Resource temporarily unavailable) On the Windows server, the Passsync service is running and as far as I know I installed the right certificate on the Passsync side by following the instructions at (http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service) and the only message in the Passsync log on the Windows side is: 07/25/09 14:32:15: PassSync service started I’m sure that I’m just missing some simple, stupid little thing…but I have no earthly idea as to what that could be. Any help/suggestions/troubleshooting anyone can help me with, I would greatly appreciate it. Hmm, clearly an SSL trust issue. Lets start by making sure that DS has the CA you provided loaded and trusted: # certutil -L -d /etc/dirsrv/slapd-INSTANCE It should include your CA and have a trust like CT,,C I found that I needed to reboot my AD server when installing the CA service and getting PassSync installed. Have you rebooted recently? These instructions are much more comprehensive and include that a reboot of the AD machine is required. http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Windows_Sync-Configuring_Windows_Sync.html Jenny rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Jenny Galipeau Principal Software QA Engineer Red Hat, Inc. Security Engineering ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
RE: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
Pardon my ignorance, but are there any special steps outside of the ipa-replica-manage command with the Root Cert from the AD server needed to get the certificate installed? I had some other issues with the VM over the weekend and am rebuilding the VM now to reinstall the IPA server software and will be able to check and give you the output of certutil later today. Thanks. Jeff Moody Senior Systems Engineer EVS Corporation 5050 Poplar Avenue ,Suite 1600 Memphis, Tennessee 38157 (901) 259-2387 - 24x7 Helpdesk (901) 881-0919 - Office (901) 497-1444 - Cell jeff.mo...@evscorporation.com -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: Monday, July 27, 2009 9:05 AM To: Jeff Moody Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10 Jeff Moody wrote: > I'm trying to set up password/identity sync to the FreeIPA server from a > Windows 2003R2 SP2 server to a Fedora 10 VM. > > I have installed the FreeIPA software and can load its configuration > page on the IPA server - so the service appears to be running. > > I have our Windows DC running the Windows 2003 Enterprise Certificate > Authority service and have exported its root certificate and SCP'ed that > to the IPA server. > > Following the instructions from TFM, I run the following command: > > > > [r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn > CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw > WindowsAccountPassword --cacert /root/dc1-base64-x509.cer > dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync > > > > This is the output from that command: > > > > Directory Manager password: > > INFO:root:Shutting down dirsrv: > > EVSCORPORATION-COM... [ OK ] > > > > INFO:root: > > INFO:root: > > INFO:root: > > INFO:root:Starting dirsrv: > > EVSCORPORATION-COM... [ OK ] > > > > INFO:root: > > INFO:root:Added CA certificate /root/dc1-base64-x509.cer to certificate > database for ipamem1.evscorporation.com > > INFO:root:Restarted directory server ipamem1.evscorporation.com > > INFO:root:Could not validate connection to remote server > dc1.evscorporation.com:636 - continuing > > INFO:root:The error was: {'info': 'error:14090086:SSL > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': > "Can't contact LDAP server"} > > The user for the Windows PassSync service is > uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com > > Windows PassSync entry exists, not resetting password > > INFO:root:Added new sync agreement, waiting for it to become ready . . . > > INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP > error: Can't contact LDAP server: start: 0: end: 0 > > INFO:root:Agreement is ready, starting replication . . . > > Starting replication, please wait until this has completed. > > [ipamem1.evscorporation.com] reports: Update failed! Status: [81 - LDAP > error: Can't contact LDAP server] > > INFO:root:Added agreement for other host dc1.evscorporation.com > > > > Additionally, in the /var/lib/dirsrv/ errors log, I have the following > error: > > > > [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send > bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] > mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's > Certificate issuer is not recognized.) 11 (Resource temporarily unavailable) > > > > On the Windows server, the Passsync service is running and as far as I > know I installed the right certificate on the Passsync side by following > the instructions at > (http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service) > > and the only message in the Passsync log on the Windows side is: > > > > 07/25/09 14:32:15: PassSync service started > > > > I'm sure that I'm just missing some simple, stupid little thing.but I > have no earthly idea as to what that could be. Any > help/suggestions/troubleshooting anyone can help me with, I would > greatly appreciate it. > Hmm, clearly an SSL trust issue. Lets start by making sure that DS has the CA you provided loaded and trusted: # certutil -L -d /etc/dirsrv/slapd-INSTANCE It should include your CA and have a trust like CT,,C I found that I needed to reboot my AD server when installing the CA service and getting PassSync installed. Have you rebooted recently? rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IPA Windows Sync - Windows 2003 R2 SP2 and Fedora 10
Jeff Moody wrote: I’m trying to set up password/identity sync to the FreeIPA server from a Windows 2003R2 SP2 server to a Fedora 10 VM. I have installed the FreeIPA software and can load its configuration page on the IPA server – so the service appears to be running. I have our Windows DC running the Windows 2003 Enterprise Certificate Authority service and have exported its root certificate and SCP’ed that to the IPA server. Following the instructions from TFM, I run the following command: [r...@ipamem1 ~]# ipa-replica-manage add --winsync --binddn CN=PassSync,OU=Admins,DC=evscorporation,DC=com --bindpw WindowsAccountPassword --cacert /root/dc1-base64-x509.cer dc1.evscorporation.com -v --passsync PasswordEnteredIntoPassSync This is the output from that command: Directory Manager password: INFO:root:Shutting down dirsrv: EVSCORPORATION-COM... [ OK ] INFO:root: INFO:root: INFO:root: INFO:root:Starting dirsrv: EVSCORPORATION-COM... [ OK ] INFO:root: INFO:root:Added CA certificate /root/dc1-base64-x509.cer to certificate database for ipamem1.evscorporation.com INFO:root:Restarted directory server ipamem1.evscorporation.com INFO:root:Could not validate connection to remote server dc1.evscorporation.com:636 - continuing INFO:root:The error was: {'info': 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed', 'desc': "Can't contact LDAP server"} The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=evscorporation,dc=com Windows PassSync entry exists, not resetting password INFO:root:Added new sync agreement, waiting for it to become ready . . . INFO:root:Replication Update in progress: FALSE: status: 81 - LDAP error: Can't contact LDAP server: start: 0: end: 0 INFO:root:Agreement is ready, starting replication . . . Starting replication, please wait until this has completed. [ipamem1.evscorporation.com] reports: Update failed! Status: [81 - LDAP error: Can't contact LDAP server] INFO:root:Added agreement for other host dc1.evscorporation.com Additionally, in the /var/lib/dirsrv/ errors log, I have the following error: [25/Jul/2009:14:41:50 -0500] slapi_ldap_bind - Error: could not send bind request for id [CN=PassSync,OU=Admins,DC=evscorporation,DC=com] mech [SIMPLE]: error 81 (Can't contact LDAP server) -8179 (Peer's Certificate issuer is not recognized.) 11 (Resource temporarily unavailable) On the Windows server, the Passsync service is running and as far as I know I installed the right certificate on the Passsync side by following the instructions at (http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Windows_Sync-Configuring_Windows_Sync.html#Configuring_Windows_Sync-Configure_the_Password_Sync_Service) and the only message in the Passsync log on the Windows side is: 07/25/09 14:32:15: PassSync service started I’m sure that I’m just missing some simple, stupid little thing…but I have no earthly idea as to what that could be. Any help/suggestions/troubleshooting anyone can help me with, I would greatly appreciate it. Hmm, clearly an SSL trust issue. Lets start by making sure that DS has the CA you provided loaded and trusted: # certutil -L -d /etc/dirsrv/slapd-INSTANCE It should include your CA and have a trust like CT,,C I found that I needed to reboot my AD server when installing the CA service and getting PassSync installed. Have you rebooted recently? rob smime.p7s Description: S/MIME Cryptographic Signature ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users