Bug 744306
| Summary: | Unable to add Windows Synchronization Agreement | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jenny Severance <jgalipea> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.1 | CC: | dpal, mkosek |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-2.1.3-1.el6 | Doc Type: | Bug Fix |
| Doc Text: | Do not document | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-12-06 18:42:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 748554 | | |
Upstream ticket: https://fedorahosted.org/freeipa/ticket/1946

Side note: Passsync isn't required to get windows replication working. The --passsync option is there to set the password for the shared passsync user.

It works for me:

```
# ipa-replica-manage connect --winsync --passsync=password --cacert=/home/rcrit/AD.cer win2003.example.com --binddn cn=administrator,cn=users,dc=example,dc=com --bindpw Secret123 -v
Directory Manager password:
Added CA certificate /home/rcrit/AD.cer to certificate database for rawhide.example.com
INFO:root:AD Suffix is: DC=example,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 No replication sessions started since server startup: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'rawhide.example.com' to 'win2003.example.com'
```

I think that --passsync should have a value, I wonder if it is eating some other option. Can you try again with --passsync=<somepassword>?

Woot Woot ...

```
# ipa-replica-manage connect --winsync --passsync=MySecret --cacert=/root/WIN-CA.cer --binddn "cn=administrator,cn=users,dc=ipa,dc=qe" --bindpw MySecret -v jgalipea-win-2008r2.ipa.qe
Directory Manager password:
Added CA certificate /root/WIN-CA.cer to certificate database for dhcp-100-18-170.testrelm
INFO:root:AD Suffix is: DC=ipa,DC=qe
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=testrelm
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 20111013190829Z: end: 20111013190829Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update succeeded
Connected 'dhcp-100-18-170.testrelm' to 'jgalipea-win-2008r2.ipa.qe'
```

With this bug, can we please get the man page ipa-replica-manage fixed ... at least an example of the command to use when adding a winsync agreement? Need to include the passsync user DN in the man page too, as well as an example command.

ipa-replica-manage man page fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/eaec3c4968148fd86e3fef9c7b7093ef4bf9f8ed

ipa-2-1: https://fedorahosted.org/freeipa/changeset/2427d3bb6f7e20ef18d22ae547b57a03742da28f

verified:
<snip>

WINSYNC

Creating a Windows AD Synchronization agreement is similar to creating an IPA replication agreement, there are just a couple of extra steps.

A special user entry is created for the PassSync service. The DN of this entry is uid=passsync,cn=sysaccounts,cn=etc,<basedn>. You are not required to use PassSync to use a Windows synchronization agreement but setting a password for the user is required.

The following examples use the AD administrator account as the synchronization user. This is not mandatory but the user must have read-access to the subtree.

1. Transfer the base64-encoded Windows AD CA Certificate to your IPA Server
2. Remove any existing Kerberos credentials
   ```
   # kdestroy
   ```
3. Add the winsync replication agreement
   ```
   # ipa-replica-manage connect --winsync --passsync=<bindpwd_for_syncuser_that_will_be_used_for_agreement> --cacert=/path/to/adscacert/WIN-CA.cer --binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com" --bindpw <ads_administrator_password> -v <adserver.fqdn>
   ```

You will be prompted to supply the Directory Manager's password.

Create a winsync replication agreement:

```
# ipa-replica-manage connect --winsync --passsync=MySecret --cacert=/root/WIN-CA.cer --binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com" --bindpw MySecret -v windows.ad.example.com
```

Remove a winsync replication agreement:

```
# ipa-replica-manage disconnect windows.ad.example.com
```

</snip>
version:
ipa-server-2.1.3-3.el6.x86_64

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Do not document

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHSA-2011-1533.html
Description of problem:
Setting up windows synchronization with ipa-server is unsuccessful. Here are my steps:

1) Make sure IPA server and ADS server are resolvable via DNS.

ACTIVE DIRECTORY

2) Transfer IPA CA Cert to your ADS server.

3) Install passsync on ADS
   - hostname : ipaserver.jgalipea.redhat.com
   - port : 636
   - binddn : ??? used cn=Directory Manager (no instructions to set up different sync user and ipa-manage-cli does not ask you to specify one)
   - password : DM's password
   - Security Device Password : password to use when you create the passsync's certdbs (chicken before the egg as always)
   - user search : cn=users,cn=accounts,dc=jgalipea

4) Make IPA CA trusted
   ```
   C:\Program Files\Red Hat Directory Password Synchronization
   certutil -d . -N   (supply password you defined when installing passsync for the Security Device Password)
   certutil -d . -A -n "IPA CA" -t CT,, -a -i c:\path\to\ipaca.crt
   ```
   TO NOTE: change passsync log level to 1

5) Restart your ADS machine

passsync log:
```
10/07/11 12:07:29: PassSync service initialized
10/07/11 12:07:29: PassSync service running
10/07/11 12:07:29: No entries yet
10/07/11 12:07:29: Password list is empty. Waiting for passhook event
```

IPA SERVER

6) Transfer ADS CA Cert to your IPA Server. Verify you can connect via TLS to ADS server:
   ```
   # LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-JGALIPEA ldapsearch -x -ZZ -h jgalipea-win2008r2.ipa.qe -D "cn=Administrator,cn=users,dc=ipa,dc=qe" -w MySecret -b "cn=administrator,cn=users,dc=ipa,dc=qe"
   ```

7) NEW STEP: Do not think this should be required, but was told by development to do this.
   - Copy AD certificate to /etc/openldap/cacerts/
   - Run cacertdir_rehash /etc/openldap/cacerts/
   - Modify /etc/openldap/ldap.conf, add:
   ```
   TLS_CACERTDIR /etc/openldap/cacerts/
   TLS_REQCERT allow
   ```

8) Add winsync agreement ..
   ```
   # ipa-replica-manage connect --passsync --winsync --binddn "cn=administrator,cn=users,dc=ipa,dc=qe" --bindpw MySecret --cacert /tmp/WIN-CA.cer jgalipea-win2008r2.ipa.qe -v -p Secret123
   ```

RESULT:
```
Added CA certificate /tmp/WIN-CA.cer to certificate database for ipaserver.jgalipea.redhat.com
Failed to get data from 'ipaserver.jgalipea.redhat.com': {'desc': "Can't contact LDAP server"}
```

Version-Release number of selected component (if applicable):
ipa-server-2.1.1-4.el6.x86_64

How reproducible:
every time

Steps to Reproduce:
1. See description

Actual results:
```
Added CA certificate /tmp/WIN-CA.cer to certificate database for ipaserver.jgalipea.redhat.com
Failed to get data from 'ipaserver.jgalipea.redhat.com': {'desc': "Can't contact LDAP server"}
```

Expected results:
Sync Agreement to be set up and successfully sync users and passwords from AD

Additional info:
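The failing command in step 8 passes `--passsync` with no value, so an optparse-style parser takes the next token, `--winsync`, as the password and winsync mode is never switched on, which is what the assignee suspected. The following is an added illustration, not FreeIPA's own code: it models a subset of the `ipa-replica-manage connect` options with Python's `optparse`, feeds it the reporter's argv and the corrected form from the page, and adds a hypothetical `check_option_values` guard that flags option values that look like option names.

```python
"""Added example, not FreeIPA code: shows how an optparse-based parser handles
the two invocations from this bug. Option names follow the page; the
check_option_values() guard is a hypothetical hardening step."""
import optparse

# Constructed from the reporter's failing command (description, step 8).
REPORTED_ARGV = [
    "--passsync", "--winsync",
    "--binddn", "cn=administrator,cn=users,dc=ipa,dc=qe",
    "--bindpw", "MySecret", "--cacert", "/tmp/WIN-CA.cer",
    "jgalipea-win2008r2.ipa.qe", "-v", "-p", "Secret123",
]
# Constructed from the working command in the follow-up comment.
FIXED_ARGV = [
    "--winsync", "--passsync=MySecret", "--cacert=/root/WIN-CA.cer",
    "--binddn", "cn=administrator,cn=users,dc=ipa,dc=qe",
    "--bindpw", "MySecret", "-v", "jgalipea-win-2008r2.ipa.qe",
]


def parse_connect_args(argv):
    """Parse a subset of the `ipa-replica-manage connect` options.
    optparse does not check whether a value looks like another option,
    so `--passsync --winsync` stores '--winsync' as the password."""
    parser = optparse.OptionParser(usage="%prog connect [options] host")
    parser.add_option("--winsync", action="store_true", default=False)
    parser.add_option("--passsync", dest="passsync")   # requires a value
    parser.add_option("--binddn", dest="binddn")
    parser.add_option("--bindpw", dest="bindpw")
    parser.add_option("--cacert", dest="cacert")
    parser.add_option("-p", "--password", dest="dirman_password")
    parser.add_option("-v", "--verbose", action="store_true", default=False)
    opts, args = parser.parse_args(list(argv))
    return opts, args


def check_option_values(opts):
    """Hypothetical guard: a value starting with '-' almost always means the
    user omitted the value and the parser consumed the next option. Returns
    the affected option names so a caller can abort before touching LDAP."""
    suspicious = []
    for name in ("passsync", "binddn", "bindpw", "cacert", "dirman_password"):
        value = getattr(opts, name)
        if value is not None and value.startswith("-"):
            suspicious.append(name)
    return suspicious


if __name__ == "__main__":
    for argv in (REPORTED_ARGV, FIXED_ARGV):
        opts, args = parse_connect_args(argv)
        print(args, "winsync =", opts.winsync, "passsync =", repr(opts.passsync),
              "suspicious =", check_option_values(opts))
```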