Bug 744306 - Unable to add Windows Synchronization Agreement
Summary: Unable to add Windows Synchronization Agreement
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 748554
Reported: 2011-10-07 19:47 UTC by Jenny Severance
Modified: 2011-12-06 18:42 UTC (History)

Fixed In Version: ipa-2.1.3-1.el6
Doc Type: Bug Fix
Doc Text:
Do not document
Clone Of:
Environment:
Last Closed: 2011-12-06 18:42:33 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHSA-2011:1533
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: ipa security and bug fix update
Last Updated: 2011-12-06 01:23:31 UTC

Description Jenny Severance 2011-10-07 19:47:00 UTC
Description of problem:
Setting up windows synchronization with ipa-server is unsuccessful:

Here are my steps ::

1) Make sure IPA server and ADS server are resolvable via DNS.

ACTIVE DIRECTORY
2) Transfer IPA CA Cert to your ADS server.
3) Install passsync on ADS
hostname :  ipaserver.jgalipea.redhat.com
port : 636
binddn : ??? used cn=Directory Manager  (no instructions to set up
different sync user and ipa-manage-cli does not ask you to specify one)
password :  DM's password
Security Device Password :  password to use when you create the
passsync's certdbs (chicken before the egg as always)
user search :  cn=users,cn=accounts,dc=jgalipea

4) Make IPA CA trusted

C:\Program Files\Red Hat Directory Password Synchronization
certutil -d . -N  (supply password you defined when installing
passsync for the Security Device Password)
certutil -d . -A -n "IPA CA" -t CT,, -a -i c:\path\to\ipaca.crt

TO NOTE : change passsync log level to 1

5) Restart your ADS machine

passsync log :

10/07/11 12:07:29: PassSync service initialized
10/07/11 12:07:29: PassSync service running
10/07/11 12:07:29: No entries yet
10/07/11 12:07:29: Password list is empty.  Waiting for passhook event


IPA SERVER
6) Transfer ADS CA Cert to your IPA Server

Verify you can connect via TLS to ADS server

# LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-JGALIPEA ldapsearch -x -ZZ -h jgalipea-win2008r2.ipa.qe -D "cn=Administrator,cn=users,dc=ipa,dc=qe" -w MySecret -b "cn=administrator,cn=users,dc=ipa,dc=qe"

7) NEW STEP: Do not think this should be required, but was told by development to do this

Copy AD certificate to /etc/openldap/cacerts/
Run cacertdir_rehash /etc/openldap/cacerts/
Modify /etc/openldap/ldap.conf, add:
   TLS_CACERTDIR /etc/openldap/cacerts/
   TLS_REQCERT allow

8) Add winsync agreement ..

# ipa-replica-manage connect --passsync --winsync --binddn "cn=administrator,cn=users,dc=ipa,dc=qe" --bindpw MySecret --cacert /tmp/WIN-CA.cer jgalipea-win2008r2.ipa.qe -v -p Secret123


RESULT ::


Added CA certificate /tmp/WIN-CA.cer to certificate database for ipaserver.jgalipea.redhat.com
Failed to get data from 'ipaserver.jgalipea.redhat.com': {'desc': "Can't contact LDAP server"}

Version-Release number of selected component (if applicable):
ipa-server-2.1.1-4.el6.x86_64

How reproducible:
every time

Steps to Reproduce:
1.  See description
Actual results:
Added CA certificate /tmp/WIN-CA.cer to certificate database for ipaserver.jgalipea.redhat.com
Failed to get data from 'ipaserver.jgalipea.redhat.com': {'desc': "Can't contact LDAP server"}

Expected results:
Sync Agreement to be set up and successfully sync users and passwords from AD

Additional info:
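
Step 6 above checks that the IPA host can reach the AD server over TLS with the AD CA trusted, and step 7 sets TLS_REQCERT allow, which tells the OpenLDAP client to proceed even when the server certificate cannot be verified. The following is an added example, not part of the bug report or of FreeIPA: a TLS reachability and certificate check for an AD LDAPS endpoint written with the Python standard library. It assumes the AD server serves LDAPS on port 636 (the port given to PassSync in step 3; ldapsearch -ZZ uses StartTLS on 389 instead) and that the CA file is the base64 AD CA certificate (WIN-CA.cer on this page). The hostname and path in the main block are the page's own placeholders, not real hosts.

```python
"""Added example (not from the bug report or FreeIPA): probe an AD LDAPS endpoint
and report whether its certificate chains to the supplied CA and matches the
hostname, with a mode that mirrors what TLS_REQCERT allow gives up."""
import socket
import ssl


def probe_ldaps(host, port=636, cafile=None, verify=True, timeout=5.0):
    """Connect to host:port over TLS and return a result dict.

    verify=False behaves like TLS_REQCERT allow in /etc/openldap/ldap.conf:
    the handshake completes even if the certificate is untrusted or the name
    does not match, so a success in that mode says nothing about which server
    answered.
    """
    try:
        if cafile is not None:
            ctx = ssl.create_default_context(cafile=cafile)  # trust only the AD CA
        else:
            ctx = ssl.create_default_context()               # system trust store
        if not verify:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # {} when verification was disabled
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return {"ok": True, "verified": verify,
                        "protocol": tls.version(),
                        "subject_cn": subject.get("commonName")}
    except ssl.SSLCertVerificationError as exc:
        # The server answered, but its certificate is untrusted or the name
        # does not match: exactly the case TLS_REQCERT allow would hide.
        return {"ok": False,
                "reason": "certificate verification failed: " + exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        # DNS failure, refused connection, timeout, missing CA file, handshake error
        return {"ok": False, "reason": str(exc)}


if __name__ == "__main__":
    import sys
    # Placeholders taken from the bug report; pass your own host and CA file.
    host = sys.argv[1] if len(sys.argv) > 1 else "jgalipea-win2008r2.ipa.qe"
    ca = sys.argv[2] if len(sys.argv) > 2 else "/tmp/WIN-CA.cer"
    print(probe_ldaps(host, cafile=ca))
    print(probe_ldaps(host, cafile=ca, verify=False))
```

Run it once with verification on and once with verify=False: if only the second succeeds, the AD certificate is not issued by the CA you imported or its subject does not match the name you connect to, and TLS_REQCERT allow is merely masking that.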

Comment 1 Dmitri Pal 2011-10-07 21:14:03 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1946

Comment 2 Rob Crittenden 2011-10-10 19:03:07 UTC
Side note: Passsync isn't required to get windows replication working. The --passsync option is there to set the password for the shared passsync user.

It works for me:

# ipa-replica-manage connect --winsync --passsync=password --cacert=/home/rcrit/AD.cer win2003.example.com --binddn cn=administrator,cn=users,dc=example,dc=com --bindpw Secret123 -v
Directory Manager password:

Added CA certificate /home/rcrit/AD.cer to certificate database for rawhide.example.com
INFO:root:AD Suffix is: DC=example,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 No replication sessions started since server startup: start: 0: end: 0
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'rawhide.example.com' to 'win2003.example.com'

I think that --passsync should have a value, I wonder if it is eating some other option. Can you try again with --passsync=<somepassword>?
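
The hypothesis in this comment, that a bare --passsync "eats" the option after it, can be reproduced with an option parser. The following is an added example, not code from the bug report or from ipa-replica-manage itself. It assumes that ipa-replica-manage in this release parses its command line with Python's optparse (whose long options take the very next token as their value, even when that token starts with "--"), and it defines only the options that appear on this page with assumed defaults; the argv lists are built from the reporter's failing command and the working one from the next comment.

```python
"""Added example (not from the bug or from ipa-replica-manage): shows how
`--passsync` without a value swallows the `--winsync` that follows it when the
command line is parsed with optparse."""
from optparse import OptionParser


def build_parser():
    # Option names are the ones used on the bug page; defaults are assumed.
    parser = OptionParser(usage="%prog connect [options] HOST")
    parser.add_option("--winsync", action="store_true", default=False,
                      help="create a Windows AD synchronization agreement")
    parser.add_option("--passsync", dest="passsync", default=None,
                      help="password for the PassSync system account")
    parser.add_option("--binddn", dest="binddn", default=None)
    parser.add_option("--bindpw", dest="bindpw", default=None)
    parser.add_option("--cacert", dest="cacert", default=None)
    parser.add_option("-v", "--verbose", action="store_true", default=False)
    parser.add_option("-p", "--password", dest="dirman_password", default=None)
    return parser


def explain(argv):
    """Return (mode, value received by --passsync, positional args).

    mode is 'winsync' when --winsync was recognised, otherwise
    'no-winsync': the host would not be treated as an AD server, which is
    consistent with the failure the reporter saw.
    """
    options, args = build_parser().parse_args(argv)
    mode = "winsync" if options.winsync else "no-winsync"
    return mode, options.passsync, args


# Constructed from the two command lines on the bug page (hostnames and
# passwords are the page's own placeholders, not real credentials).
REPORTER_ARGV = [
    "connect", "--passsync", "--winsync",
    "--binddn", "cn=administrator,cn=users,dc=ipa,dc=qe",
    "--bindpw", "MySecret", "--cacert", "/tmp/WIN-CA.cer",
    "jgalipea-win2008r2.ipa.qe", "-v", "-p", "Secret123",
]
FIXED_ARGV = [
    "connect", "--winsync", "--passsync=MySecret", "--cacert=/root/WIN-CA.cer",
    "--binddn", "cn=administrator,cn=users,dc=ipa,dc=qe",
    "--bindpw", "MySecret", "-v", "jgalipea-win-2008r2.ipa.qe",
]

if __name__ == "__main__":
    for label, argv in (("reporter", REPORTER_ARGV), ("fixed", FIXED_ARGV)):
        mode, passsync, args = explain(argv)
        print(f"{label:8s} mode={mode:11s} passsync={passsync!r} args={args}")
```

With the reporter's argument order, --passsync receives the literal string "--winsync" and the winsync flag stays off; writing --passsync=MySecret (or putting --winsync first) restores the intended parse. argparse, by contrast, refuses a value that looks like an option, which is why the same mistake surfaces as an error there rather than as a silently different command.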

Comment 3 Jenny Severance 2011-10-13 19:14:37 UTC
Woot Woot ...

# ipa-replica-manage connect --winsync --passsync=MySecret --cacert=/root/WIN-CA.cer --binddn "cn=administrator,cn=users,dc=ipa,dc=qe" --bindpw MySecret -v jgalipea-win-2008r2.ipa.qe
Directory Manager password: 

Added CA certificate /root/WIN-CA.cer to certificate database for dhcp-100-18-170.testrelm
INFO:root:AD Suffix is: DC=ipa,DC=qe
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=testrelm
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 20111013190829Z: end: 20111013190829Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update in progress
Update in progress
Update in progress
Update succeeded
Connected 'dhcp-100-18-170.testrelm' to 'jgalipea-win-2008r2.ipa.qe'


With this bug, can we please get the man page ipa-replica-manage fixed ... at least an example of the command to use when adding a winsync agreement ...??

Comment 4 Jenny Severance 2011-10-13 19:36:14 UTC
Need to include the passsync user DN in the man page too, as well as an example command.

Comment 7 Jenny Severance 2011-10-26 16:40:17 UTC
verified:

<snip>

WINSYNC
       Creating a Windows AD Synchronization agreement is similar to creating an IPA replication agreement, there are just a couple of extra steps.

       A  special  user entry is created for the PassSync service. The DN of this entry is uid=passsync,cn=sysaccounts,cn=etc,<basedn>. You are not required to
       use PassSync to use a Windows synchronization agreement but setting a password for the user is required.

       The following examples use the AD administrator account as the synchronization user. This is not mandatory but the user must  have  read-access  to  the
       subtree.

       1. Transfer the base64-encoded Windows AD CA Certficate to your IPA Server

       2. Remove any existing kerberos credentials
                # kdestroy

       3) Add the winsync replication agreement
                # ipa-replica-manage connect --winsync --passsync=<bindpwd_for_syncuser_that will_be_used_for_agreement> --cacert=/path/to/adscacert/WIN-CA.cer
              --binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com" --bindpw <ads_administrator_password> -v <adserver.fqdn>

       You will be prompted to supply the Directory Manager’s password.

       Create a winsync replication agreement:

               # ipa-replica-manage connect --winsync --passsync=MySecret --cacert=/root/WIN-CA.cer --binddn "cn=administrator,cn=users,dc=ad,dc=example,dc=com" --bindpw MySecret -v windows.ad.example.com

       Remove a winsync replication agreement:
               # ipa-replica-manage disconnect windows.ad.example.com

</snip>

version:
ipa-server-2.1.3-3.el6.x86_64

Comment 8 Martin Kosek 2011-10-31 19:39:33 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Do not document

Comment 9 errata-xmlrpc 2011-12-06 18:42:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

