[Freeipa-users] consulting?
Jimmy
g17jimmy at gmail.com
Tue Jan 24 20:26:51 UTC 2012
The sync is still not working so I was going back through the docs to see
what I missed. I know this is from an older version of IPA but I was
looking here:
http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Prerequisites.html#sect-Installation_and_Deployment_Guide-Prerequisites-Setting_up_Active_Directory
and used this method to get the AD certificate server cert.
1. Navigate to My Network Places and drill down to the CA distribution
point. On Windows 2003 Server this is typically
C:\WINDOWS\system32\certsrv\CertEnroll\
2. Double-click the security certificate file (.crt file) to display the
*Certificate* dialog box.
3. On the *Details* tab, click *Copy to File* to start the *Certificate
Export Wizard*.
4. Click *Next*, select *Base-64 encoded X.509 (.CER)* and then click *
Next*.
5. Specify a suitable directory and file name for the exported file. The
file name is not important. Click *Next* to export the certificate, and
then click *Finish*. You should receive a message stating that the
export was successful.
6. Click *OK* to exit the wizard.
But when I run the command to create the sync agreement(pointing to the
cert I got in the step above) the ssl connection fails and if I look at
tcpdump of the connection I see that the AD server is not sending the cert
that I have imported with the sync agreement. I have used certutil to
verify that I have the same cert(same serial number and same public key) in
the 389 server as the one in the AD server ( C:\WINDOWS\system32\
certsrv\CertEnroll\). The AD server is sending a completely different cert,
and I have been unable to find the cert in the certificate stores on the AD
server so I'm not sure where the bogus cert is coming from. Before I added
the certificate services role the certsrv\certenroll directory was not
present so I know this was created when I added that role to the AD server.
The pcap can be seen here:
http://www.pcapr.net/view/g17jimmy/2012/0/2/11/ldaps3.pcap.html (sorry,
registration required on that site, I didn't have anywhere else to put it.)
Any idea why AD would be sending me the wrong cert and where it's coming
from? Yes, I know this isn't MS just trying to get these 2 systems to talk
;).
On Tue, Jan 24, 2012 at 1:18 PM, Rich Megginson <rmeggins at redhat.com> wrote:
> **
> On 01/24/2012 11:03 AM, Jimmy wrote:
>
> Ok, I just realized that I only have passsync and not winsync, stupid
> oversight, but now that I know it I need to get winsync. Is there a
> location to download binaries or must I compile from source? I see the
> binaries for passsync on the directory server project downloads but I don't
> see the same for winsync.
>
> winsync is built-in to 389 - there isn't any additional component that you
> need to install.
>
>
> Thanks,
> Jim
>
> On Mon, Jan 23, 2012 at 1:33 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>
>> On 01/23/2012 11:34 AM, Jimmy wrote:
>>
>> I did create the winsync user and it is an admin.
>>
>> I will fix the ip address(change to hostname,) I only did it that was
>> because this is currently a test system so I can figure out how to get it
>> all working.
>>
>> ok - once you do that, you can check the 389 errors log at
>> /var/log/dirsrv/slapd-INST/errors to see if winsync is logging any errors
>>
>>
>> On Mon, Jan 23, 2012 at 1:06 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>>
>>> On 01/23/2012 10:52 AM, Jimmy wrote:
>>>
>>> That's what I was thinking, and what I did, but it still doesn't
>>> replicate new users. This is the command I used:
>>>
>>> ipa-replica-manage connect --passsync --binddn
>>> cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp --bindpw=******** --cacert
>>> /home/winsync/AD-server-cert.cer 192.168.201.150 -v
>>>
>>>
>>> Did you create the user cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp?
>>> And does this user have the rights to perform sync? (e.g. has to have
>>> replicator rights, or be some sort of admin) - see
>>> http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx - the
>>> AD user must have replication rights and write rights.
>>>
>>> In addition, since this process uses SSL, you cannot use an IP address,
>>> you must use a hostname, or the SSL cert hostname checking (for MITM) will
>>> fail.
>>>
>>>
>>> On Mon, Jan 23, 2012 at 12:30 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>>>
>>>> On 01/23/2012 10:19 AM, Jimmy wrote:
>>>>
>>>> Here's what I found in the DS admin guide. Is this all that's needed to
>>>> create the sync agreement?
>>>>
>>>> Not with ipa - you should use the ipa-replica-manage command instead
>>>>
>>>> Thanks.
>>>>
>>>> add sync agreement:
>>>> ldapmodify -x -D "cn=Directory Manager" -W
>>>> Enter LDAP Password: *******
>>>> dn: cn=ExampleSyncAgreement,cn=sync
>>>> replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
>>>>
>>>> it should be cn=replica, not cn=sync replica - does it use the latter
>>>> in the Admin Guide?
>>>>
>>>> changetype: add
>>>> objectclass: top
>>>> objectclass: nsDSWindowsReplicationAgreement
>>>> cn: ExampleSyncAgreement
>>>> nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
>>>> nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
>>>>
>>>> nsds7NewWinUserSyncEnabled: on
>>>> nsds7NewWinGroupSyncEnabled: on
>>>> nsds7WindowsDomain: ad1
>>>> nsDS5ReplicaRoot: dc=example,dc=com
>>>> nsDS5ReplicaHost: ad1.windows-server.com
>>>> nsDS5ReplicaPort: 389
>>>> nsDS5ReplicaBindDN: cn=sync user,cn=config
>>>> nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
>>>> nsDS5ReplicaTransportInfo: TLS
>>>> winSyncInterval: 1200
>>>>
>>>> On Fri, Jan 20, 2012 at 3:28 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>>>>
>>>>> On 01/20/2012 01:08 PM, Jimmy wrote:
>>>>>
>>>>> That was it! I have passwords syncing, *BUT*(at the risk of sounding
>>>>> stupid)-- is it not possible to also sync(add) the users from AD to DS?
>>>>>
>>>>> Yes, it is. Just configure IPA Windows Sync
>>>>>
>>>>> I created a new user in AD and it doesn't propogate to DS, just says:
>>>>>
>>>>> attempting to sync password for testuser3
>>>>> searching for (ntuserdomainid=testuser3)
>>>>> There are no entries that match: testuser3
>>>>> deferring password change for testuser3
>>>>>
>>>>> On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>>>>>
>>>>>> On 01/20/2012 12:46 PM, Jimmy wrote:
>>>>>>
>>>>>> Getting close here... Now I see this message in the sync log file:
>>>>>>
>>>>>> attempting to sync password for testuser
>>>>>> searching for (ntuserdomainid=testuser)
>>>>>> ldap error in queryusername
>>>>>> 32: no such object
>>>>>> deferring password change for testuser
>>>>>>
>>>>>> This usually means the search base is incorrect or not found. You
>>>>>> can look at the 389 access log to see what it was using as the search
>>>>>> criteria.
>>>>>>
>>>>>>
>>>>>> On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson <rmeggins at redhat.com
>>>>>> > wrote:
>>>>>>
>>>>>>> On 01/20/2012 10:23 AM, Jimmy wrote:
>>>>>>>
>>>>>>> You are correct. I had installed as an Enterprise root, but the doc
>>>>>>> I was reading(original link) seemed to say that I had to do the certreq
>>>>>>> manually, my bad. I think I'm getting closer I can establish an openssl
>>>>>>> connection from DS to AD but I get these errors:
>>>>>>>
>>>>>>> openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile
>>>>>>> dsca.crt
>>>>>>> CONNECTED(00000003)
>>>>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>>>>> verify error:num=20:unable to get local issuer certificate
>>>>>>> verify return:1
>>>>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>>>>> verify error:num=27:certificate not trusted
>>>>>>> verify return:1
>>>>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>>>>> verify error:num=21:unable to verify the first certificate
>>>>>>> verify return:1
>>>>>>>
>>>>>>> I thought I had imported the cert from AD but it doesn't seem so.
>>>>>>> I'm still researching but if you guys have a suggestion let me know.
>>>>>>>
>>>>>>> Is dsca.crt the CA that issued the DS server cert? If so, that
>>>>>>> won't work. You need the CA cert from the CA that issued the AD server
>>>>>>> cert (i.e. the CA cert from the MS Enterprise Root CA).
>>>>>>>
>>>>>>> -J
>>>>>>>
>>>>>>> On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <
>>>>>>> rmeggins at redhat.com> wrote:
>>>>>>>
>>>>>>>> On 01/19/2012 02:59 PM, Jimmy wrote:
>>>>>>>>
>>>>>>>> ok. I started from scratch this week on this and I think I've got
>>>>>>>> the right doc and understand better where this is going. My problem now is
>>>>>>>> that when configuring SSL on the AD server (step c in this url:
>>>>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service )
>>>>>>>>
>>>>>>>> I get this error:
>>>>>>>>
>>>>>>>> certreq -submit request.req certnew.cer
>>>>>>>> Active Directory Enrollment Policy
>>>>>>>> {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>>>>>>> ldap:
>>>>>>>> RequestId: 3
>>>>>>>> RequestId: "3"
>>>>>>>> Certificate not issued (Denied) Denied by Policy Module
>>>>>>>> 0x80094801, The request does not contain a certificate template extension
>>>>>>>> or the CertificateTemplate request attribute.
>>>>>>>> The request contains no certificate template information.
>>>>>>>> 0x80094801 (-2146875391)
>>>>>>>> Certificate Request Processor: The request contains no certificate
>>>>>>>> template information. 0x80094801 (-2146875391)
>>>>>>>> Denied by Policy Module 0x80094801, The request does not contain
>>>>>>>> a certificate template extension or the CertificateTemplate request
>>>>>>>> attribute.
>>>>>>>>
>>>>>>>> The RH doc says to use the browser if an error occurs and IIS is
>>>>>>>> running but I'm not running IIS. I researched that error but didn't find
>>>>>>>> anything that helps with FreeIPA and passsync.
>>>>>>>>
>>>>>>>> Hmm - try installing Microsoft Certificate Authority in Enterprise
>>>>>>>> Root CA mode - it will usually automatically create and install the AD
>>>>>>>> server cert.
>>>>>>>> http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>>>>>>>>
>>>>>>>>
>>>>>>>> Jimmy
>>>>>>>>
>>>>>>>> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson <
>>>>>>>> rmeggins at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> On 01/11/2012 11:22 AM, Jimmy wrote:
>>>>>>>>>
>>>>>>>>> We need to be able to replicate user/pass between Windows 2008 AD
>>>>>>>>> and FreeIPA.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> That's what IPA Windows Sync is supposed to do.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I have followed many different documents and posted here about it
>>>>>>>>> and from what I've read and procedures I've followed we are unable to
>>>>>>>>> accomplish this.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> What have you tried, and what problems have you run into?
>>>>>>>>>
>>>>>>>>> It doesn't need to be a full trust.
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>> On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený <jzeleny at redhat.com>wrote:
>>>>>>>>>
>>>>>>>>>> > Just wondering if there was anyone listening on the list that
>>>>>>>>>> might be
>>>>>>>>>> > available for little work integrating FreeIPA with Active
>>>>>>>>>> Directory
>>>>>>>>>> > (preferrably in the south east US.) I hope this isn't against
>>>>>>>>>> the list
>>>>>>>>>> > rules, I just thought one of you guys could help or point me in
>>>>>>>>>> the right
>>>>>>>>>> > direction.
>>>>>>>>>>
>>>>>>>>>> If you want some help, it is certainly not against list rules
>>>>>>>>>> ;-) But in that
>>>>>>>>>> case, it would be much better if you asked what exactly do you
>>>>>>>>>> need.
>>>>>>>>>>
>>>>>>>>>> I'm not an AD expert, but a couple tips: If you are looking for
>>>>>>>>>> cross-domain
>>>>>>>>>> (cross-realm) trust, then you might be a bit disappointed, it is
>>>>>>>>>> still in
>>>>>>>>>> development, so it probably won't be 100% functional at this
>>>>>>>>>> moment.
>>>>>>>>>>
>>>>>>>>>> If you are looking for something else, could you be a little more
>>>>>>>>>> specific what
>>>>>>>>>> it is?
>>>>>>>>>>
>>>>>>>>>> I also recommend starting with reading some doc:
>>>>>>>>>> http://freeipa.org/page/DocumentationPortal
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>> Jan
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Freeipa-users mailing listFreeipa-users at redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120124/2ca6efc6/attachment.htm>
More information about the Freeipa-users
mailing list