[Freeipa-users] AD setup failure

Rob Crittenden rcritten at redhat.com
Tue Mar 29 20:49:41 UTC 2011


Steven Jones wrote:
> some more output,
>

The new cert looks a lot better. I think you need to remove the old one 
and this should start working:

# certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -D -n "Imported CA"

This is trying to add a new cert with the same nickname. Too bad the 
error messages out of certutil aren't more helpful.

rob

> ==========
>
> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn "cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz" --bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/Cacrt.cer dc0001.ipa.ac.nz -v
> ipa: CRITICAL: Error importing CA cert file named [/home/jonesst1/Cacrt.cer]: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -A -n Imported CA -t CT,,C -a' returned non-zero exit status 255
> Could not load the required CA certificate file [/home/jonesst1/Cacrt.cer]
> [root at fed14-64-ipam001 samba]# cd ~jonesst1
> [root at fed14-64-ipam001 jonesst1]# ls -l
> total 52
> -rw-rw-r--. 1 jonesst1 jonesst1  384 Mar 29 15:16 ad-fail
> -rwxr--r--. 1 jonesst1 jonesst1 1628 Mar 30 09:16 Cacrt.cer
> -rw-rw-r--. 1 jonesst1 jonesst1  984 Mar 29 16:11 client2.fail
> -rw-rw-r--. 1 jonesst1 jonesst1  345 Mar 29 15:22 connect-fail
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Desktop
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Documents
> -rwxr--r--. 1 jonesst1 jonesst1 2020 Mar 29 14:06 domaincert.cer
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Downloads
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Music
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Pictures
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Public
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Templates
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Videos
> [root at fed14-64-ipam001 jonesst1]#
>
> =========
>
> Certificate:
>      Data:
>          Version: 3 (0x2)
>          Serial Number:
>              48:58:cd:99:6c:e4:53:b5:4f:6f:5b:9a:86:21:46:b6
>          Signature Algorithm: sha1WithRSAEncryption
>          Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
>          Validity
>              Not Before: Mar 29 00:45:47 2011 GMT
>              Not After : Mar 29 00:55:22 2016 GMT
>          Subject: DC=nz, DC=ac, DC=ipa, CN=dc0001
>          Subject Public Key Info:
>              Public Key Algorithm: rsaEncryption
>                  Public-Key: (2048 bit)
>                  Modulus:
>                  Exponent: 65537 (0x10001)
>          X509v3 extensions:
>              X509v3 Key Usage:
>                  Digital Signature, Certificate Sign, CRL Sign
>              X509v3 Basic Constraints: critical
>                  CA:TRUE
>              X509v3 Subject Key Identifier:
>                  CC:D6:15:2E:3F:81:70:17:C5:4B:8D:F9:8E:21:9E:5D:C5:11:F9:DB
>              X509v3 CRL Distribution Points:
>
>                  Full Name:
>                    URI:ldap:///CN=dc0001,CN=dc0001,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint
>                    URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.crl
>
>              1.3.6.1.4.1.311.21.1:
>                  ...
>      Signature Algorithm: sha1WithRSAEncryption
>
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Wednesday, 30 March 2011 9:36 a.m.
> To: Steven Jones
> Cc: Rob Crittenden; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD setup failure
>
> On 03/29/2011 02:32 PM, Steven Jones wrote:
>> Hi,
>>
>> Yes it's an "intermediate CA". In the real world combining them is a huge issue, ie making a single joined certificate...It not likely many sites would go to the pain to do that....I think you need to re-visit that assumption.....
> It does not appear to be a CA cert at all, much less an "intermediate
> CA".  Someone please correct me if I'm wrong, but the CA does not have
> the X509v3 Basic Constraints extension.  For example, here is a CA cert
> issued by Windows 2008:
> Certificate:
>       Data:
>           Version: 3 (0x2)
>           Serial Number:
>               6d:e2:9a:21:dd:d5:20:b6:4f:96:be:57:10:62:50:f7
>           Signature Algorithm: sha1WithRSAEncryption
>           Issuer: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
>           Validity
>               Not Before: Feb  9 17:44:10 2011 GMT
>               Not After : Feb  9 17:54:07 2021 GMT
>           Subject: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
> ...
>           X509v3 extensions:
>               X509v3 Key Usage:
>                   Digital Signature, Certificate Sign, CRL Sign
>               X509v3 Basic Constraints: critical
>                   CA:TRUE
>
>> The older docs suggested a manual import of the root cert is possible?
>>
>> regards
>> ________________________________________
>> From: Rich Megginson [rmeggins at redhat.com]
>> Sent: Wednesday, 30 March 2011 9:27 a.m.
>> To: Steven Jones
>> Cc: Rob Crittenden; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] AD setup failure
>>
>> On 03/29/2011 02:14 PM, Steven Jones wrote:
>>> So I need 2 certificates?
>> No.
>>> and I have to manually add the root CA with certutil?
>> No.
>>> to the IPA master as a separate process?
>> No.
>>
>> You only need the CA certificate for the CA that issued the MS AD server
>> certificate.
>> ipa-replica-manage ... --winsync ... -cacert=/path/to/msadca.cer
>> will add the CA.
>>
>> If the MS CA is an intermediate CA, you should ask the administrator to
>> give you a single CA certificate file (base64 encoded) that contains the
>> intermediate CA and all of the parent CA up to the root CA.
>>> regards
>>>
>>>
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Wednesday, 30 March 2011 9:05 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] AD setup failure
>>>
>>> Steven Jones wrote:
>>>> Hi,
>>>>
>>>> My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....?
>>> That's what we're doing here. You need to provide the CA that issued the
>>> SSL certificate for the AD server we're connecting to.
>>>
>>> I'm guessing they didn't give you the root CA cert.
>>>
>>> rob
>>>
>>>> regards
>>>>
>>>> Steven
>>>> ________________________________________
>>>> From: Rob Crittenden [rcritten at redhat.com]
>>>> Sent: Wednesday, 30 March 2011 2:50 a.m.
>>>> To: Steven Jones
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] AD setup failure
>>>>
>>>> Steven Jones wrote:
>>>>> Got a bit further.......I was missing   "--passsync"
>>>> I think you were using the V1 documentation. The "Enterprise Identity
>>>> Management Guide" is what you want off freeipa.org in the Documentation
>>>> section.
>>>>
>>>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>>>>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement
>>>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>>>>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz
>>>>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
>>>>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
>>>>> unexpected error: Failed to setup winsync replication
>>>>> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
>>>>> dc0001.ipa.ac.nz has address 192.168.101.2
>>>>> [root at fed14-64-ipam001 samba]#
>>>>>
>>>>> But still isn't working.........
>>>> I think you have the wrong AD cert. -8179 translates to "Certificate is
>>>> signed by an unknown issuer". Can you verify that you have the AD CA
>>>> certificate?
>>>>
>>>> rob
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
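An added check, not from this thread or from FreeIPA, for the point Rich and Rob make above: the file handed to `--cacert` must be the issuing CA's certificate, which means it carries X509v3 Basic Constraints with CA:TRUE; without that, the winsync TLS connect fails with the unknown-issuer error (-8179). The script walks the DER with the standard library only; `read_tlv`, `children`, `pem_to_der`, `basic_constraints` are my own names, and the skeleton certificates built by `sample_cert` are constructed test data, not real certificates.

```python
import base64, re

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER body of OID 2.5.29.19

def read_tlv(buf, pos=0):  # -> (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # split a constructed DER body into (tag, value) elements
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def pem_to_der(data):
    """Accept a raw DER .cer file or the base64 PEM form that certutil -a expects."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def to_pem(der):  # wrap DER as PEM; used here only to exercise pem_to_der
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

def basic_constraints(der):
    """True for CA:TRUE, False for CA:FALSE, None if the extension is missing."""
    _, cert, _ = read_tlv(der)                 # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert)                 # tbsCertificate SEQUENCE
    for tag, val in children(tbs):
        if tag != 0xA3:                        # [3] EXPLICIT Extensions
            continue
        _, exts, _ = read_tlv(val)
        for _, ext in children(exts):
            fields = children(ext)             # extnID, [critical], extnValue
            if fields[0] == (0x06, BASIC_CONSTRAINTS_OID):
                _, bc, _ = read_tlv(fields[-1][1])   # BasicConstraints SEQUENCE
                inner = children(bc)
                return bool(inner) and inner[0] == (0x01, b"\xff")   # cA BOOLEAN
    return None

def tlv(tag, body):  # tiny short-form DER encoder, only for the constructed samples
    return bytes([tag, len(body)]) + body

def sample_cert(ca=None):  # constructed skeleton certificate, not a real cert
    tbs = tlv(0x02, b"\x01")                                       # serialNumber
    if ca is not None:
        bc = tlv(0x30, tlv(0x01, b"\xff") if ca else b"")          # {cA TRUE} or {} (DEFAULT FALSE)
        ext = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID) + tlv(0x01, b"\xff") + tlv(0x04, bc))
        tbs += tlv(0xA3, tlv(0x30, ext))                           # [3] Extensions
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

To check a real file before passing it to `ipa-replica-manage`, call `basic_constraints(pem_to_der(open(path, "rb").read()))`; anything other than `True` means the file is not a CA certificate, whatever the Windows side called it.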
