Red Hat Bugzilla – Bug 744306
Unable to add Windows Synchronization Agreement
Last modified: 2011-12-06 13:42:33 EST
Description of problem:
Setting up windows synchronization with ipa-server is unsuccessful. Here are my steps:

1) Make sure IPA server and ADS server are resolvable via DNS.

ACTIVE DIRECTORY

2) Transfer IPA CA Cert to your ADS server.

3) Install passsync on ADS
   hostname : ipaserver.jgalipea.redhat.com
   port : 636
   binddn : ??? used cn=Directory Manager (no instructions to set up different sync user and ipa-manage-cli does not ask you to specify one)
   password : DM's password
   Security Device Password : password to use when you create the passsync's certdbs (chicken before the egg as always)
   user search : cn=users,cn=accounts,dc=jgalipea

4) Make IPA CA trusted
   C:\Program Files\Red Hat Directory Password Synchronization
   certutil -d . -N
   (supply password you defined when installing passsync for the Security Device Password)
   certutil -d . -A -n "IPA CA" -t CT,, -a -i c:\path\to\ipaca.crt
   TO NOTE : change passsync log level to 1

5) Restart your ADS machine

passsync log :
10/07/11 12:07:29: PassSync service initialized
10/07/11 12:07:29: PassSync service running
10/07/11 12:07:29: No entries yet
10/07/11 12:07:29: Password list is empty. Waiting for passhook event

IPA SERVER

6) Transfer ADS CA Cert to your IPA Server
   Verify you can connect via TLS to ADS server
   # LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-JGALIPEA ldapsearch -x -ZZ -h jgalipea-win2008r2.ipa.qe -D "cn=Administrator,cn=users,dc=ipa,dc=qe" -w MySecret -b "cn=administrator,cn=users,dc=ipa,dc=qe"

7) NEW STEP : Do Not think this should be required - but was told by development to do this
   Copy AD certificate to /etc/openldap/cacerts/
   Run cacertdir_rehash /etc/openldap/cacerts/
   Modify /etc/openldap/ldap.conf, add:
   TLS_CACERTDIR /etc/openldap/cacerts/
   TLS_REQCERT allow

8) Add winsync agreement ..
   # ipa-replica-manage connect --passsync --winsync --binddn "cn=administrator,cn=users,dc=ipa,dc=qe" --bindpw MySecret --cacert /tmp/WIN-CA.cer jgalipea-win2008r2.ipa.qe -v -p Secret123

RESULT ::
Added CA certificate /tmp/WIN-CA.cer to certificate database for ipaserver.jgalipea.redhat.com
Failed to get data from 'ipaserver.jgalipea.redhat.com': {'desc': "Can't contact LDAP server"}

Version-Release number of selected component (if applicable):
ipa-server-2.1.1-4.el6.x86_64

How reproducible:
every time

Steps to Reproduce:
1. See description

Actual results:
Added CA certificate /tmp/WIN-CA.cer to certificate database for ipaserver.jgalipea.redhat.com
Failed to get data from 'ipaserver.jgalipea.redhat.com': {'desc': "Can't contact LDAP server"}

Expected results:
Sync Agreement to be set up and successfully sync users and passwords from AD

Additional info:
Upstream ticket: https://fedorahosted.org/freeipa/ticket/1946
Side note: Passsync isn't required to get windows replication working. The --passsync option is there to set the password for the shared passsync user.

It works for me:

# ipa-replica-manage connect --winsync --passsync=password --cacert=/home/rcrit/AD.cer win2003.example.com --binddn cn=administrator,cn=users,dc=example,dc=com --bindpw Secret123 -v
Directory Manager password:
Added CA certificate /home/rcrit/AD.cer to certificate database for rawhide.example.com
INFO:root:AD Suffix is: DC=example,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 No replication sessions started since server startup: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'rawhide.example.com' to 'win2003.example.com'

I think that --passsync should have a value, I wonder if it is eating some other option. Can you try again with --passsync=<somepassword>?
Woot Woot ...

# ipa-replica-manage connect --winsync --passsync=MySecret --cacert=/root/WIN-CA.cer --binddn "cn=administrator,cn=users,dc=ipa,dc=qe" --bindpw MySecret -v jgalipea-win-2008r2.ipa.qe
Directory Manager password:
Added CA certificate /root/WIN-CA.cer to certificate database for dhcp-100-18-170.testrelm
INFO:root:AD Suffix is: DC=ipa,DC=qe
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=testrelm
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 20111013190829Z: end: 20111013190829Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update succeeded
Connected 'dhcp-100-18-170.testrelm' to 'jgalipea-win-2008r2.ipa.qe'

With this bug, can we please get the man page ipa-replica-manage fixed ... at least an example of the command to use when adding a winsync agreement ...??
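Added example, not code from this bug report or from FreeIPA, illustrating the option-swallowing suspected in the previous comment and confirmed above: an optparse-style parser carrying only the options named in this bug is fed the failing and the working command lines. The parser, the `lint` helper and the argument lists are constructed stand-ins; that ipa-replica-manage parses with optparse semantics is an assumption.

```python
from optparse import OptionParser

# Constructed from the two command lines quoted in this bug (the failing one in the
# description, the working one in the later comment). Values are the ones the
# reporter posted, not credentials of any live system.
FAILING_ARGV = ["connect", "--passsync", "--winsync",
                "--binddn", "cn=administrator,cn=users,dc=ipa,dc=qe",
                "--bindpw", "MySecret", "--cacert", "/tmp/WIN-CA.cer",
                "jgalipea-win2008r2.ipa.qe", "-v", "-p", "Secret123"]
WORKING_ARGV = ["connect", "--winsync", "--passsync=MySecret",
                "--cacert=/root/WIN-CA.cer",
                "--binddn", "cn=administrator,cn=users,dc=ipa,dc=qe",
                "--bindpw", "MySecret", "-v", "jgalipea-win-2008r2.ipa.qe"]


def build_parser():
    """Hypothetical stand-in for the ipa-replica-manage option set, limited to the
    options that appear in this bug. optparse hands a value-taking option the
    very next token, even when that token starts with '--'."""
    parser = OptionParser(usage="%prog connect [options] FQDN")
    parser.add_option("--winsync", action="store_true", default=False,
                      help="create a Windows synchronization agreement")
    parser.add_option("--passsync", metavar="PASSWORD",
                      help="password for the PassSync system account")
    parser.add_option("--binddn")
    parser.add_option("--bindpw")
    parser.add_option("--cacert")
    parser.add_option("-p", "--password", dest="dirman_passwd")
    parser.add_option("-v", "--verbose", action="store_true", default=False)
    return parser


def parse(argv):
    """Return (options, positional arguments) for an argument list."""
    return build_parser().parse_args(list(argv))


def lint(argv):
    """Report the two symptoms of a swallowed option before anything is run."""
    opts, _ = parse(argv)
    problems = []
    if opts.passsync is not None and opts.passsync.startswith("-"):
        problems.append("--passsync consumed %r as its value" % opts.passsync)
    if not opts.winsync:
        problems.append("--winsync not set; a plain IPA agreement would be attempted")
    return problems
```

With the failing arguments `parse` yields passsync="--winsync" and winsync=False, which is why the tool then tried to reach the IPA host as an ordinary replica; `--passsync=MySecret` leaves every option where the operator meant it.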
Need to include the passsync user DN in the man page too, as well as an example command.
ipa-replica-manage man page fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/eaec3c4968148fd86e3fef9c7b7093ef4bf9f8ed
ipa-2-1: https://fedorahosted.org/freeipa/changeset/2427d3bb6f7e20ef18d22ae547b57a03742da28f
verified:

<snip>
WINSYNC
       Creating a Windows AD Synchronization agreement is similar to creating an IPA replication agreement, there are just a couple of extra steps.

       A special user entry is created for the PassSync service. The DN of this entry is uid=passsync,cn=sysaccounts,cn=etc,<basedn>. You are not required to use PassSync to use a Windows synchronization agreement but setting a password for the user is required.

       The following examples use the AD administrator account as the synchronization user. This is not mandatory but the user must have read-access to the subtree.

       1. Transfer the base64-encoded Windows AD CA Certificate to your IPA Server

       2. Remove any existing Kerberos credentials
          # kdestroy

       3. Add the winsync replication agreement
          # ipa-replica-manage connect --winsync --passsync=<bindpwd_for_syncuser_that will_be_used_for_agreement> --cacert=/path/to/adscacert/WIN-CA.cer --binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com" --bindpw <ads_administrator_password> -v <adserver.fqdn>

       You will be prompted to supply the Directory Manager's password.

       Create a winsync replication agreement:
          # ipa-replica-manage connect --winsync --passsync=MySecret --cacert=/root/WIN-CA.cer --binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com" --bindpw MySecret -v windows.ad.example.com

       Remove a winsync replication agreement:
          # ipa-replica-manage disconnect windows.ad.example.com
</snip>

version: ipa-server-2.1.3-3.el6.x86_64
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Do not document
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html