https://bugzilla.redhat.com/show_bug.cgi?id=754973
Description of problem:
"force-sync, re-initialize and del" fail against AD. On the same setup I created a standard replica and these options for ipa-replica-manage work as expected.

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. [root@decepticons ~]# ipa-replica-manage force-sync --from dhcp201-112.englab.pnq.redhat.com

Actual results:
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM not found in Kerberos database)
[root@decepticons ~]#

Expected results:
force-sync and other options (re-initialize and del) are successful.

Additional info:

Against AD:

[root@decepticons ~]# kinit admin
Password for admin@LAB.ENG.PNQ.REDHAT.COM:
[root@decepticons ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/18/11 16:34:56  11/19/11 16:34:54  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
[root@decepticons ~]#
[root@decepticons ~]# ipa-replica-manage list
decepticons.lab.eng.pnq.redhat.com: master
[root@decepticons ~]#
[root@decepticons ~]# ipa-replica-manage connect --winsync --passsync=password --cacert=/root/wincertnew.cer dhcp201-112.englab.pnq.redhat.com --binddn "cn=Administrator,cn=Users,dc=englab,dc=pnq,dc=redhat,dc=com" --bindpw Secret123 -v -p Secret123
Added CA certificate /root/wincertnew.cer to certificate database for decepticons.lab.eng.pnq.redhat.com
INFO:root:AD Suffix is: DC=englab,DC=pnq,DC=redhat,DC=com
The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=lab,dc=eng,dc=pnq,dc=redhat,dc=com
Windows PassSync entry exists, not resetting password
INFO:root:Added new sync agreement, waiting for it to become ready . . .
INFO:root:Replication Update in progress: FALSE: status: 0 Replica acquired successfully: Incremental update started: start: 20111118110522Z: end: 20111118110522Z
INFO:root:Agreement is ready, starting replication . . .
Starting replication, please wait until this has completed.
Update succeeded
Connected 'decepticons.lab.eng.pnq.redhat.com' to 'dhcp201-112.englab.pnq.redhat.com'
[root@decepticons ~]#
[root@decepticons ~]# ipa-replica-manage list
decepticons.lab.eng.pnq.redhat.com: master
dhcp201-112.englab.pnq.redhat.com: winsync
[root@decepticons ~]#
[root@decepticons ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/18/11 16:34:56  11/19/11 16:34:54  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
11/18/11 16:35:04  11/19/11 16:34:54  ldap/decepticons.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
[root@decepticons ~]#
[root@decepticons ~]# ipa-replica-manage force-sync --from dhcp201-112.englab.pnq.redhat.com
SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM not found in Kerberos database)
[root@decepticons ~]#

Against standard replica:

[root@decepticons ~]# /usr/sbin/ipa-replica-manage re-initialize --from sideswipe.lab.eng.pnq.redhat.com
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update in progress
Update succeeded
[root@decepticons ~]#
[root@decepticons ~]# /usr/sbin/ipa-replica-manage force-sync --from sideswipe.lab.eng.pnq.redhat.com
[root@decepticons ~]# echo $?
0
[root@decepticons ~]#
[root@decepticons ~]# ipa-replica-manage del sideswipe.lab.eng.pnq.redhat.com
[root@decepticons ~]# echo $?
0
[root@decepticons ~]#
[root@decepticons ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@LAB.ENG.PNQ.REDHAT.COM

Valid starting     Expires            Service principal
11/18/11 17:06:58  11/19/11 17:06:56  krbtgt/LAB.ENG.PNQ.REDHAT.COM@LAB.ENG.PNQ.REDHAT.COM
11/18/11 17:07:07  11/19/11 17:06:56  ldap/decepticons.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
11/18/11 17:07:43  11/19/11 17:06:56  ldap/sideswipe.lab.eng.pnq.redhat.com@LAB.ENG.PNQ.REDHAT.COM
[root@decepticons ~]#
I'm seeing a slightly different error, but it may be that another change has masked the original problem.
The problem I'm seeing is that we are binding over SSL and we haven't loaded the AD CA cert. We haven't because we don't have it any more (it is only in the 389-ds NSS database). I'm not yet sure if we want to set that as a PEM or try to repoint to the 389-ds DB, I'm leaning towards the PEM file. We'll need to either extract this on the fly or store it in some common place.
The problem stemmed from the fact that we were trying to contact the AD server at all. It is unaware of our presence. The winsync plugin handles synchronization so we only need to work with the local instance for winsync.
I also require that the user be root when creating a winsync agreement because we need to update the 389-ds NSS db.
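The two comments above describe the fix as a dispatch decision: for a winsync agreement the tool must only touch the local 389-ds entry (the AD side has no ldap/ principal in the IPA realm, which is the GSSAPI failure in the report), for a normal agreement it drives the supplier named by --from, and creating a winsync agreement needs root because the AD CA certificate goes into the 389-ds NSS database. The following is an added example written for this page, not FreeIPA's code and not the attached patch. It builds python-ldap style modlists but does no LDAP I/O; the sample agreement entries are constructed, the replica container DN and the meTo<host> agreement naming are assumptions, and the schedule string used for force-sync is illustrative. The attribute names (nsds5BeginReplicaRefresh, nsds5replicaupdateschedule, the nsDSWindowsReplicationAgreement objectClass) are the real 389-ds ones.

```python
"""Added example: decide where an ipa-replica-manage action is sent.

A winsync agreement is driven from the local 389-ds only (AD is never
contacted); a standard replication agreement is driven from the supplier
named in --from. Not FreeIPA's own code; no LDAP traffic is generated.
"""
import os

# objectClass 389-ds puts on a Windows sync agreement (compared lower-cased)
WINSYNC_OC = "nsdswindowsreplicationagreement"
# numeric modify ops, same values as python-ldap's MOD_ADD/MOD_DELETE/MOD_REPLACE
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

LOCAL_HOST = "decepticons.lab.eng.pnq.redhat.com"
# Hypothetical container; a real DN embeds the escaped suffix in place of SUFFIX.
REPLICA_CONTAINER = "cn=replica,cn=SUFFIX,cn=mapping tree,cn=config"

# Constructed sample agreements (hosts are the ones from the report).
WINSYNC_AGREEMENT = {
    "dn": "cn=meTodhcp201-112.englab.pnq.redhat.com," + REPLICA_CONTAINER,
    "objectClass": ["top", "nsDSWindowsReplicationAgreement"],
    "nsDS5ReplicaHost": ["dhcp201-112.englab.pnq.redhat.com"],
}
REPLICA_AGREEMENT = {
    "dn": "cn=meTosideswipe.lab.eng.pnq.redhat.com," + REPLICA_CONTAINER,
    "objectClass": ["top", "nsds5ReplicationAgreement"],
    "nsDS5ReplicaHost": ["sideswipe.lab.eng.pnq.redhat.com"],
}


def is_winsync(agreement):
    return WINSYNC_OC in {oc.lower() for oc in agreement.get("objectClass", [])}


def target(agreement, from_host, local_host=LOCAL_HOST):
    """Return (host to bind to, DN of the agreement entry to modify there).

    winsync: the agreement exists only in our own directory server and AD
    knows nothing about it, so a GSSAPI bind to AD can only fail (no
    ldap/<ad-host> principal in our realm, the error quoted in the report).
    standard replica: go to the supplier named by --from and act on its
    agreement pointing back at us (assumed to be named meTo<local_host>).
    """
    if is_winsync(agreement):
        return local_host, agreement["dn"]
    return from_host, "cn=meTo%s,%s" % (local_host, REPLICA_CONTAINER)


def reinitialize_mods():
    # documented 389-ds trigger for a total update of the consumer
    return [(MOD_REPLACE, "nsds5BeginReplicaRefresh", [b"start"])]


def force_sync_mods():
    # set a temporary update schedule, then remove it, to kick an incremental
    # update; the schedule string itself is an assumption
    return [
        [(MOD_REPLACE, "nsds5replicaupdateschedule", [b"0000-2359 0123456"])],
        [(MOD_DELETE, "nsds5replicaupdateschedule", None)],
    ]


def plan(action, agreement, from_host, local_host=LOCAL_HOST):
    """Return (host, [(op, dn, modlist)]) describing what would be sent."""
    host, dn = target(agreement, from_host, local_host)
    if action == "re-initialize":
        ops = [("modify", dn, reinitialize_mods())]
    elif action == "force-sync":
        ops = [("modify", dn, m) for m in force_sync_mods()]
    elif action == "del":
        # for winsync this only removes our local agreement entry
        ops = [("delete", dn, None)]
    else:
        raise ValueError("unknown action %r" % action)
    return host, ops


def check_privileges(agreement, euid=None):
    """connect --winsync writes the AD CA cert into the 389-ds NSS db: root only."""
    euid = os.geteuid() if euid is None else euid
    if is_winsync(agreement) and euid != 0:
        raise PermissionError("winsync agreements must be managed as root")
    return True


if __name__ == "__main__":
    for action in ("force-sync", "re-initialize", "del"):
        host, ops = plan(action, WINSYNC_AGREEMENT, "dhcp201-112.englab.pnq.redhat.com")
        print(action, "->", host, ops)
```

Running it shows every winsync action resolving to decepticons, never to the AD host, which is exactly the contact the original code was attempting when it hit the krbtgt lookup failure.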
attachment freeipa-rcrit-935-winsync.patch
Moving to next month iteration.
master: 31f00f9
ipa-2-2: fefbdce
Metadata Update from @mkosek: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/02