[Freeipa-users] IPA+AD sync error
Rich Megginson
rmeggins at redhat.com
Wed Aug 18 13:44:15 UTC 2010
Shan Kumaraswamy wrote:
> Rich,
> Can I know command to trust IPA genearated CA cert file?
See below
So I don't think that is the problem here. If that were the problem, I
would expect a different error message. I think you're just going to
have to use something like openssl s_client to examine the server cert
used by AD.
>
>
>
>
> On Tue, Aug 17, 2010 at 7:26 PM, Rich Megginson <rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>> wrote:
>
> Shan Kumaraswamy wrote:
>
>
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 46:90:cd:94:c6:53:d4:ae:44:a6:df:e2:6b:24:15:56
> Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
> Issuer: "CN=test-WINDOWS-CA,DC=test,DC=ad"
> Validity:
> Not Before: Tue Aug 17 01:39:07 2010
> Not After : Mon Aug 17 01:49:05 2015
> Subject: "CN=test-WINDOWS-CA,DC=test,DC=ad"
> Subject Public Key Info:
> Public Key Algorithm: PKCS #1 RSA Encryption
> RSA Public Key:
> Modulus:
>
> a9:6e:1a:54:c2:70:1c:d7:dc:06:b4:d3:09:0f:8d:25:
>
> e5:8f:9f:1f:f6:f9:ee:fb:9c:6b:9c:84:c3:01:f7:45:
>
> f1:8e:43:d3:ed:ad:01:e6:92:6c:52:f4:d7:03:03:19:
>
> 0a:93:84:18:42:92:2b:6b:74:3d:77:8c:31:b9:bf:75:
>
> 84:cb:a0:8c:a5:df:c2:5a:d6:cb:a3:78:a2:1a:6d:a6:
>
> e1:b4:81:ea:22:e7:83:bb:1f:0d:70:f8:44:29:24:96:
>
> f3:f0:01:12:49:7a:59:b8:f7:1a:84:e4:e4:a4:0d:60:
>
> 58:db:d9:9c:b4:51:7a:21:f2:a2:f9:ed:ee:92:6f:c0:
>
> 00:39:dc:26:9f:c5:0b:e3:e1:72:62:5d:9f:8e:4a:79:
>
> f3:95:56:a0:37:63:9a:d1:53:af:74:0b:c9:88:b7:43:
>
> ff:11:cb:91:02:4a:5c:8c:35:41:cb:39:4e:fb:8c:a4:
>
> 2d:a6:88:7b:dc:29:04:7a:f0:0a:89:25:24:76:b1:34:
>
> 57:1e:c2:3f:48:79:21:47:f0:f1:1a:70:15:d8:b5:9b:
>
> cb:bc:a2:3c:42:f6:da:91:a7:24:5b:fa:08:ec:41:8b:
>
> c5:82:7c:81:76:3c:ef:84:58:93:cd:92:36:5d:96:55:
> 40:72:21:5e:14:7c:fe:78:cf:35:69:97:4a:49:35:81
> Exponent: 65537 (0x10001)
> Signed Extensions:
> Name: Microsoft Enrollment Cert Type Extension
> Data: "CA"
>
> Name: Certificate Key Usage
> Critical: True
> Usages: Digital Signature
> Certificate Signing
> CRL Signing
>
> Name: Certificate Basic Constraints
> Critical: True
> Data: Is a CA with no maximum path length.
>
> Name: Certificate Subject Key ID
> Data:
> a9:7a:6e:7c:dd:dd:4f:9e:75:78:86:6a:ff:f1:b4:06:
> e6:fb:3a:6d
>
> Name: Microsoft CertServ CA version
> Data: 0 (0x0)
>
> Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
> Signature:
> 02:50:bd:c6:3a:80:85:9d:46:16:94:8c:e2:e8:2f:0d:
> 35:09:d7:af:e1:ce:c0:23:94:19:ef:a7:df:de:56:17:
> c8:9e:d5:a0:80:7e:31:46:1d:c0:c1:5a:e9:7d:fe:c3:
> bb:08:c0:6d:35:3a:f2:43:c2:b7:2f:44:2b:89:7f:f1:
> ad:e8:9e:51:fa:98:12:d9:2b:2d:08:00:80:c3:78:93:
> e7:bc:ee:17:ae:a3:07:81:6b:63:ac:bf:65:d5:e9:a8:
> e9:81:42:56:24:fc:2f:b8:d1:76:5b:72:c0:8f:62:66:
> cc:4d:5b:84:85:fb:63:06:6c:0a:54:a0:55:08:bf:11:
> 4b:30:ab:ba:49:19:39:ee:4f:57:3c:7b:0b:d3:8d:fe:
> 10:d8:18:63:ee:86:e9:cb:89:1e:ea:7e:0a:68:8c:f8:
> da:40:69:ca:2c:bc:5d:24:18:bc:2b:d7:ce:08:ca:d7:
> e8:aa:4b:d8:cb:ee:17:f3:4f:18:29:fc:48:59:ae:98:
> 18:37:f0:a7:cd:42:1f:5d:79:cd:a1:0f:30:41:7f:97:
> 81:43:68:8b:74:0c:d8:21:b6:eb:76:14:bf:44:14:13:
> dd:07:ee:ce:68:95:29:b1:14:f6:93:81:90:b5:e6:6a:
> 2b:38:6a:f0:4c:20:3f:fc:88:84:3f:43:5e:5f:6e:ed
> Fingerprint (MD5):
> 4B:AE:EB:7D:D0:B6:C8:D3:15:1B:08:ED:39:A0:68:6C
> Fingerprint (SHA1):
> 84:17:7E:EE:93:B2:A3:4F:D9:7B:72:C6:ED:D6:61:9E:0E:82:51:BC
>
> Certificate Trust Flags:
> SSL Flags:
> Valid CA
> Trusted CA
> Trusted Client CA
> Email Flags:
> Object Signing Flags:
> Valid CA
> Trusted CA
>
> This looks ok. So is it possible the AD server cert was not
> issued by this CA? I suppose you could use an SSL test program
> like /usr/bin/ssltap
> or openssl s_client like this:
> openssl s_client -connect windows.test.ad:636
> <http://windows.test.ad:636/> -CAfile /path/to/msadcacert.asc
> You can also add -verify 3 and -showcerts and -debug
> see "man s_client" for more information
>
>
>
>
> On Tue, Aug 17, 2010 at 7:04 PM, Shan Kumaraswamy
> <shan.sysadm at gmail.com <mailto:shan.sysadm at gmail.com>
> <mailto:shan.sysadm at gmail.com <mailto:shan.sysadm at gmail.com>>>
> wrote:
>
> done, and it came the output also, can plz let me know the
> next step.
>
>
> On Tue, Aug 17, 2010 at 7:00 PM, Rich Megginson
> <rmeggins at redhat.com <mailto:rmeggins at redhat.com>
> <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>> wrote:
>
> Shan Kumaraswamy wrote:
>
> Rich,
> Please find the below out put of the command:
> [root at saprhds001 ~]# certutil -d
> /etc/dirsrv/slapd-XXXX-COM -L
> Certificate Nickname
> Trust Attributes
>
> SSL,S/MIME,JAR/XPI
> Imported CA
> CT,,C
> CA certificate
> CTu,u,Cu
>
The CT means the CA is trusted for SSL client and server certs.
certutil -H
...
trustargs is of the form x,y,z where x is for
SSL, y is for S/MIME,
...
c valid CA
T trusted CA to issue client certs
(implies c)
C trusted CA to issue server certs
(implies c)
> Server-Cert
> u,u,u
>
> I'm assuming "Imported CA" is the MS AD CA. Do this:
> certutil -d /etc/dirsrv/slapd-XXXX-COM -L -n "Imported CA"
>
>
>
> On Tue, Aug 17, 2010 at 6:35 PM, Rich Megginson
> <rmeggins at redhat.com <mailto:rmeggins at redhat.com>
> <mailto:rmeggins at redhat.com <mailto:rmeggins at redhat.com>>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>>>>
> wrote:
>
> Shan Kumaraswamy wrote:
>
> After this error, I have triyed your the
> following
> steps:
> /usr/lib64/mozldap/ldapsearch -h
> windows.test.ad <http://windows.test.ad/>
> <http://windows.test.ad/>
> <http://windows.test.ad/>
> <http://windows.test.ad <http://windows.test.ad/>
> <http://windows.test.ad/>
>
> <http://windows.test.ad/>> -D
> "CN=administrator,CN=users,DC=test,DC=ad" -w
> "xxxx"
> -s base -b
> "" "objectclass=*"
>
> Then I got output like this:
> version: 1
> dn:
> currentTime: 20100817220245.0Z
> subschemaSubentry:
>
> CN=Aggregate,CN=Schema,CN=Configuration,DC=test,DC=ad
> dsServiceName: CN=NTDS
>
> Settings,CN=WINDOWS,CN=Servers,CN=Default-First-Site-Na
> me,CN=Sites,CN=Configuration,DC=test,DC=ad
> namingContexts: DC=test,DC=ad
> namingContexts: CN=Configuration,DC=test,DC=ad
> namingContexts:
> CN=Schema,CN=Configuration,DC=test,DC=ad
> namingContexts: DC=DomainDnsZones,DC=test,DC=ad
> namingContexts: DC=ForestDnsZones,DC=test,DC=ad
> defaultNamingContext: DC=test,DC=ad
> schemaNamingContext:
> CN=Schema,CN=Configuration,DC=test,DC=ad
> configurationNamingContext:
> CN=Configuration,DC=test,DC=ad
> rootDomainNamingContext: DC=test,DC=ad
> supportedControl: 1.2.840.113556.1.4.319
> supportedControl: 1.2.840.113556.1.4.801
> supportedControl: 1.2.840.113556.1.4.473
> supportedControl: 1.2.840.113556.1.4.528
> supportedControl: 1.2.840.113556.1.4.417
> supportedControl: 1.2.840.113556.1.4.619
> supportedControl: 1.2.840.113556.1.4.841
> supportedControl: 1.2.840.113556.1.4.529
> supportedControl: 1.2.840.113556.1.4.805
> supportedControl: 1.2.840.113556.1.4.521
> supportedControl: 1.2.840.113556.1.4.970
> supportedControl: 1.2.840.113556.1.4.1338
> supportedControl: 1.2.840.113556.1.4.474
> supportedControl: 1.2.840.113556.1.4.1339
> supportedControl: 1.2.840.113556.1.4.1340
> supportedControl: 1.2.840.113556.1.4.1413
> supportedControl: 2.16.840.1.113730.3.4.9
> supportedControl: 2.16.840.1.113730.3.4.10
> supportedControl: 1.2.840.113556.1.4.1504
> supportedControl: 1.2.840.113556.1.4.1852
> supportedControl: 1.2.840.113556.1.4.802
> supportedControl: 1.2.840.113556.1.4.1907
> supportedControl: 1.2.840.113556.1.4.1948
> supportedControl: 1.2.840.113556.1.4.1974
> supportedControl: 1.2.840.113556.1.4.1341
> supportedControl: 1.2.840.113556.1.4.2026
> supportedControl: 1.2.840.113556.1.4.2064
> supportedControl: 1.2.840.113556.1.4.2065
> supportedLDAPVersion: 3
> supportedLDAPVersion: 2
> supportedLDAPPolicies: MaxPoolThreads
> supportedLDAPPolicies: MaxDatagramRecv
> supportedLDAPPolicies: MaxReceiveBuffer
> supportedLDAPPolicies: InitRecvTimeout
> supportedLDAPPolicies: MaxConnections
> supportedLDAPPolicies: MaxConnIdleTime
> supportedLDAPPolicies: MaxPageSize
> supportedLDAPPolicies: MaxQueryDuration
> supportedLDAPPolicies: MaxTempTableSize
> supportedLDAPPolicies: MaxResultSetSize
> supportedLDAPPolicies: MinResultSets
> supportedLDAPPolicies: MaxResultSetsPerConn
> supportedLDAPPolicies: MaxNotificationPerConn
> supportedLDAPPolicies: MaxValRange
> highestCommittedUSN: 73772
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: GSS-SPNEGO
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: DIGEST-MD5
> dnsHostName: Windows.test.ad
> <http://windows.test.ad/>
> <http://windows.test.ad/> <http://windows.test.ad/>
>
> <http://Windows.test.ad
> <http://windows.test.ad/> <http://windows.test.ad/>
> <http://windows.test.ad/>>
> ldapServiceName: test.ad:windows$@TEST.AD
> <http://test.ad/>
> <http://test.ad/> <http://test.ad/>
> <http://TEST.AD <http://test.ad/>
> <http://test.ad/> <http://test.ad/>>
>
>
>
> serverName:
>
> CN=WINDOWS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
> guration,DC=test,DC=ad
> supportedCapabilities: 1.2.840.113556.1.4.800
> supportedCapabilities: 1.2.840.113556.1.4.1670
> supportedCapabilities: 1.2.840.113556.1.4.1791
> supportedCapabilities: 1.2.840.113556.1.4.1935
> supportedCapabilities: 1.2.840.113556.1.4.2080
> isSynchronized: TRUE
> isGlobalCatalogReady: TRUE
> domainFunctionality: 4
> forestFunctionality: 4
> domainControllerFunctionality: 4
>
> Then I tried next step:
> /usr/lib64/mozldap/ldapsearch -ZZ -P
> /etc/dirsrv/slapd-XXXX-COM/cert8.db -h
> windows.test.ad <http://windows.test.ad/>
> <http://windows.test.ad/>
> <http://windows.test.ad/>
> <http://windows.test.ad <http://windows.test.ad/>
> <http://windows.test.ad/>
>
> <http://windows.test.ad/>> -D
> "CN=administrator,CN=users,DC=test,DC=ad" -w
> "xxxxx" -s base
> -b "" "objectclass=*"
>
> ldap_simple_bind: Can't contact LDAP server
> TLS/SSL error -8179 (Peer's Certificate
> issuer is not
> recognized.)
> Please help me to fix this.....
>
> This usually means the SSL server's CA cert is not
> recognized.
> What does this say:
> certutil -d /etc/dirsrv/slapd-XXXX-COM -L
> ?
>
>
> On Tue, Aug 17, 2010 at 2:02 PM, Shan
> Kumaraswamy
> <shan.sysadm at gmail.com
> <mailto:shan.sysadm at gmail.com>
> <mailto:shan.sysadm at gmail.com
> <mailto:shan.sysadm at gmail.com>>
> <mailto:shan.sysadm at gmail.com
> <mailto:shan.sysadm at gmail.com> <mailto:shan.sysadm at gmail.com
> <mailto:shan.sysadm at gmail.com>>>
> <mailto:shan.sysadm at gmail.com
> <mailto:shan.sysadm at gmail.com>
> <mailto:shan.sysadm at gmail.com
> <mailto:shan.sysadm at gmail.com>>
> <mailto:shan.sysadm at gmail.com
> <mailto:shan.sysadm at gmail.com>
> <mailto:shan.sysadm at gmail.com
> <mailto:shan.sysadm at gmail.com>>>>>
>
> wrote:
>
> Hi Rich,
> After I did all the steps, I am getting
> this error:
> INFO:root:Added CA certificate
> /etc/dirsrv/slapd-XXXX-COM/adcert.cer to
> certificate
> database for
> tesipa001.test.com
> <http://tesipa001.test.com/> <http://tesipa001.test.com/>
> <http://tesipa001.test.com/>
> <http://tesipa001.test.com/>
>
> INFO:root:Restarted directory server
> tesipa001.test.com <http://tesipa001.test.com/>
> <http://tesipa001.test.com/>
> <http://tesipa001.test.com/>
> <http://tesipa001.test.com/>
>
> INFO:root:Could not validate connection to
> remote server
> windows.test.ad:636
> <http://windows.test.ad:636/>
> <http://windows.test.ad:636/>
> <http://windows.test.ad:636/>
> <http://windows.test.ad:636/> - continuing
>
> INFO:root:The error was: {'info':
> 'error:14090086:SSL
>
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify
> failed',
> 'desc': "Can't contact LDAP server"}
> The user for the Windows PassSync service is
>
> uid=passsync,cn=sysaccounts,cn=etc,dc=bmibank,dc=com
> Windows PassSync entry exists, not resetting
> password
> INFO:root:Added new sync agreement,
> waiting for
> it to
> become ready
> . . .
> INFO:root:Replication Update in progress:
> FALSE:
> status: 81 -
> LDAP error: Can't contact LDAP server:
> start: 0:
> end: 0
> INFO:root:Agreement is ready, starting
> replication . . .
> Starting replication, please wait until
> this has
> completed.
> [saprhds001.bmibank.com
> <http://saprhds001.bmibank.com/>
> <http://saprhds001.bmibank.com/>
> <http://saprhds001.bmibank.com/>
> <http://saprhds001.bmibank.com/>] reports:
>
> Update failed! Status: [81 - LDAP error:
> Can't
> contact
> LDAP server]
> INFO:root:Added agreement for other host
> windows.test.ad <http://windows.test.ad/>
> <http://windows.test.ad/>
> <http://windows.test.ad/>
> <http://windows.test.ad/>
>
>
> Please help me to fix this issue.
> The syntex I used:
> ipa-replica-manage add
> --winsync
> --binddn
> CN=Administrator,CN=Users,DC=test,DC=com
> --bindpw "password"
> --cacert
> /etc/dirsrv/slapd-TEST-COM/adcert.cer
> windows.test.ad <http://windows.test.ad/>
> <http://windows.test.ad/>
> <http://windows.test.ad/>
> <http://windows.test.ad/> -v --passsync
> "password"
>
> On Mon, Aug 16, 2010 at
> 6:06 PM,
> Rich Megginson
> <rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>>>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>>>>> wrote:
>
> Shan Kumaraswamy wrote:
>
> Rich,
> While installing IPA its creates its
> won CA cert
> right?
> (cacert.p12),
>
> Right.
>
> and also I done the setep of
> export this
> CA file as
> dsca.crt.
>
> Right. You have to do that so that
> AD can
> be an SSL
> client to
> the IPA SSL server.
>
> Please let me know steps to
> generate the
> IPA CA and
> server
> cert?
>
> The other part is that you have to
> install
> the AD CA
> cert in
> IPA so that IPA can be the SSL client
> to the
> AD SSL server.
>
> On Mon, Aug
> 16, 2010
> at 5:41 PM, Rich Megginson
> <rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>>>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>>>>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>>> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>
> <mailto:rmeggins at redhat.com
> <mailto:rmeggins at redhat.com>>>>>>
>
> wrote:
>
> Shan Kumaraswamy wrote:
>
>
> Hi,
>
> I have deployed FreeIPA
> 1.2.1 in
> RHEL 5.5 and I
> want to sync
> with Active Directory (windows
> 2008 R2). Can
> please
> anyone
> have step-by-step
> configuration
> doc and
> share to me?
> Previously I have done the
> same
> exercise,
> but now
> that is not
> working for me and I am
> facing lot of
> challenges to
> make this
> happen.
>
> Please find the steps what
> exactly I done so
> for:
>
> 1. Installed RHDS
> 8.1 and
> FreeIPA
> 1.2.1 and
> configured
> properly and tested its
> working fine
>
> 2. In AD side, installed
> Active Directory
> certificate
> Server as a Enterprise Root
>
> 3. Copy the “cacert.p12”
> file and
> imported under
> Certificates –Service (Active
> Directory Domain
> service) on
> Local Computer using MMC.
>
> 4. Installed PasSync.msi
> file and
> given all
> the required
> information
>
> 5. Run the command
> “certutil -d . -L
> -n "CA
> certificate"
> -a > dsca.crt” from IPA server
> and copied
> the .crt
> file in to
> AD server and ran this command
> from “cd
> "C:\Program
> Files\Red
> Hat Directory Password
> Synchronization"
>
> 6. certutil.exe -d . -N
>
> 7. certutil.exe -d .
> -A -n
> "DS CA cert" -t
> CT,, -a -i
> \path\to\dsca.crt
>
> 8. certutil.exe -d .
> -L -n
> "DS CA
> cert" and
> rebooted the
> AD server.
>
> After this steps, when try to
> create sync
> agreement
> from IPA
> server I am getting this
> error:
>
> ldap_simple_bind:
> Can't
> contact
> LDAP server
>
> SSL error -8179 (Peer's
> Certificate
> issuer
> is not
> recognized.)
>
> Please share the steps to
> configure AD Sync with
> IPA server.
>
>
> http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Windows_Sync-Configuring_Windows_Sync.html
>
> But it looks as though there is a
> step missing.
> If you
> use MS AD
> CA to generate the AD cert,
> and use
> IPA to
> generate the
> IPA CA and
> server cert, then you have to
> import
> the MS AD
> CA cert
> into IPA.
>
>
>
> -- Thanks & Regards
> Shan Kumaraswamy
>
>
>
>
>
> -- Thanks & Regards
> Shan Kumaraswamy
>
>
>
>
>
> -- Thanks & Regards
> Shan Kumaraswamy
>
>
>
>
> -- Thanks & Regards
> Shan Kumaraswamy
>
>
>
>
>
> -- Thanks & Regards
> Shan Kumaraswamy
>
>
>
>
>
> -- Thanks & Regards
> Shan Kumaraswamy
>
>
>
>
> --
> Thanks & Regards
> Shan Kumaraswamy
>
>
>
>
>
> --
> Thanks & Regards
> Shan Kumaraswamy
>
More information about the Freeipa-users
mailing list