[Freeipa-users] AD setup failure

Steven Jones Steven.Jones at vuw.ac.nz
Tue Mar 29 20:26:14 UTC 2011


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            12:fb:5c:b4:00:00:00:00:00:02
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
        Validity
            Not Before: Mar 29 00:54:45 2011 GMT
            Not After : Mar 28 00:54:45 2012 GMT
        Subject: CN=dc0001.ipa.ac.nz
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            S/MIME Capabilities: 
                050...*.H..
......0...*.H..
......0...+....0
..*.H..
..
            X509v3 Subject Key Identifier: 
                7F:03:DF:87:27:A7:F2:59:C7:17:E8:CF:19:01:51:1B:FA:EF:D7:D3
            1.3.6.1.4.1.311.20.2: 
                . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
            X509v3 Authority Key Identifier: 
                keyid:CC:D6:15:2E:3F:81:70:17:C5:4B:8D:F9:8E:21:9E:5D:C5:11:F9:DB

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:ldap:///CN=dc0001,CN=dc0001,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint
                  URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.crl

            Authority Information Access: 
                CA Issuers - URI:ldap:///CN=dc0001,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?cACertificate?base?objectClass=certificationAuthority
                CA Issuers - URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.ipa.ac.nz_dc0001.crt

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                othername:<unsupported>, DNS:dc0001.ipa.ac.nz
    Signature Algorithm: sha1WithRSAEncryption
________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Wednesday, 30 March 2011 9:04 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] AD setup failure

On 03/29/2011 02:02 PM, Steven Jones wrote:
> Hi,
>
> My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....?
Can you paste the output of
openssl x509 -in /home/jonesst1/domaincert.cer -text
?
> regards
>
> Steven
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 30 March 2011 2:50 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD setup failure
>
> Steven Jones wrote:
>> Got a bit further.......I was missing   "--passsync"
> I think you were using the V1 documentation. The "Enterprise Identity
> Management Guide" is what you want off freeipa.org in the Documentation
> section.
>
>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement
>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz
>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
>> unexpected error: Failed to setup winsync replication
>> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
>> dc0001.ipa.ac.nz has address 192.168.101.2
>> [root at fed14-64-ipam001 samba]#
>>
>> But still isn't working.........
> I think you have the wrong AD cert. -8179 translates to "Certificate is
> signed by an unknown issuer". Can you verify that you have the AD CA
> certificate?
>
> rob

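Added example (not part of the original thread, and not FreeIPA or OpenSSL code): a small Python check over `openssl x509 -text` output that tests the properties a CA certificate passed to `--cacert` would show, which is what Rob asks to be verified. `POSTED` is abridged from the dump in this message; `CONSTRUCTED_CA` and all function names are assumptions made for illustration.

```python
import re

# Abridged from the dump posted above (key and signature bytes omitted).
POSTED = """\
Certificate:
    Data:
        Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
        Subject: CN=dc0001.ipa.ac.nz
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
"""

# Constructed sample: what a root CA dump for the same issuer name would typically show.
CONSTRUCTED_CA = """\
Certificate:
    Data:
        Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
        Subject: DC=nz, DC=ac, DC=ipa, CN=dc0001
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
"""

def dn(text, label):
    """Return a DN line as a list of lowercased RDNs (naive split on commas)."""
    m = re.search(rf"^\s*{label}:\s*(.+)$", text, re.M)
    return [p.strip().lower() for p in m.group(1).split(",")] if m else []

def ext(text, name):
    """Return the value line that follows an 'X509v3 <name>:' header, or ''."""
    m = re.search(rf"^\s*X509v3 {name}:.*\n\s*(.+)$", text, re.M)
    return m.group(1).strip() if m else ""

def trust_anchor_problems(text):
    """Reasons the dumped certificate does not look like a root CA certificate."""
    problems = []
    if dn(text, "Issuer") != dn(text, "Subject"):
        problems.append("issuer differs from subject: not self-issued")
    if "CA:TRUE" not in ext(text, "Basic Constraints"):
        problems.append("no Basic Constraints CA:TRUE")
    if "Certificate Sign" not in ext(text, "Key Usage"):
        problems.append("Key Usage lacks Certificate Sign")
    return problems
```

On `POSTED` all three checks fail, while `CONSTRUCTED_CA` passes; the certificate to look for is the one whose subject matches the issuer line shown in the dump.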