[Freeipa-users] AD setup failure

Steven Jones Steven.Jones at vuw.ac.nz
Tue Mar 29 20:58:10 UTC 2011 

uh, this is a AD 2003 domain, so this stuff only works with 2008 AD?

regards
________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Wednesday, 30 March 2011 9:36 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] AD setup failure

On 03/29/2011 02:32 PM, Steven Jones wrote:
> Hi,
>
> Yes its a "intermediate CA" In the real world combining them is a huge issue, ie making a single joined certificate...It not likely many sites would go to the pain to do that....I think you need to re-visit that assumption.....
It does not appear to be CA cert at all, much less an "intermediate
CA".  Someone please correct me if I'm wrong, but the CA does not have
the X509v3 Basic Constraints extension.  For example, here is a CA cert
issued by Windows 2008:
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             6d:e2:9a:21:dd:d5:20:b6:4f:96:be:57:10:62:50:f7
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
         Validity
             Not Before: Feb  9 17:44:10 2011 GMT
             Not After : Feb  9 17:54:07 2021 GMT
         Subject: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
...
         X509v3 extensions:
             X509v3 Key Usage:
                 Digital Signature, Certificate Sign, CRL Sign
             X509v3 Basic Constraints: critical
                 CA:TRUE

> The older docs suggested a manual import of the root cert is possible?
>
> regards
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Wednesday, 30 March 2011 9:27 a.m.
> To: Steven Jones
> Cc: Rob Crittenden; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD setup failure
>
> On 03/29/2011 02:14 PM, Steven Jones wrote:
>> So I need 2 certificates?
> No.
>> and I have to manually add the root CA with certutil?
> No.
>> to the IPA master as a separate process?
> No.
>
> You only need the CA certificate for the CA that issued the MS AD server
> certificate.
> ipa-replica-manage ... --winsync ... -cacert=/path/to/msadca.cer
> will add the CA.
>
> If the MS CA is an intermediate CA, you should ask the administrator to
> give you a single CA certificate file (base64 encoded) that contains the
> intermediate CA and all of the parent CA up to the root CA.
>> regards
>>
>>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 30 March 2011 9:05 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] AD setup failure
>>
>> Steven Jones wrote:
>>> Hi,
>>>
>>> My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....?
>> That's what we're doing here. You need to provide the CA that issued the
>> SSL certificate for the AD server we're connecting to.
>>
>> I'm guessing they didn't give you the root CA cert.
>>
>> rob
>>
>>> regards
>>>
>>> Steven
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Wednesday, 30 March 2011 2:50 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] AD setup failure
>>>
>>> Steven Jones wrote:
>>>> Got a bit further.......I was missing   "--passsync"
>>> I think you were using the V1 documentation. The "Enterprise Identity
>>> Management Guide" is what you want off freeipa.org in the Documentation
>>> section.
>>>
>>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>>>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement
>>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>>>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz
>>>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
>>>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
>>>> unexpected error: Failed to setup winsync replication
>>>> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
>>>> dc0001.ipa.ac.nz has address 192.168.101.2
>>>> [root at fed14-64-ipam001 samba]#
>>>>
>>>> But still isnt working.........
>>> I think you have the wrong AD cert. -8179 translates to "Certificate is
>>> signed by an unknown issuer". Can you verify that you have the AD CA
>>> certificate?
>>>
>>> rob
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users

More information about the Freeipa-users mailing list