[Freeipa-users] AD setup failure

Steven Jones Steven.Jones at vuw.ac.nz
Tue Mar 29 20:14:46 UTC 2011


So I need 2 certificates?

And do I have to manually add the root CA with certutil to the IPA master as a separate process?

regards


________________________________________
From: Rob Crittenden [rcritten at redhat.com]
Sent: Wednesday, 30 March 2011 9:05 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
> Hi,
>
> My Windows person suggests that because this is a self-signed cert, the client needs to be forced to trust it...?

That's what we're doing here. You need to provide the CA that issued the
SSL certificate for the AD server we're connecting to.

I'm guessing they didn't give you the root CA cert.

rob

>
> regards
>
> Steven
> ________________________________________
> From: Rob Crittenden [rcritten at redhat.com]
> Sent: Wednesday, 30 March 2011 2:50 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD setup failure
>
> Steven Jones wrote:
> >> Got a bit further... I was missing "--passsync"
>
> I think you were using the V1 documentation. The "Enterprise Identity
> Management Guide" is what you want off freeipa.org in the Documentation
> section.
>
>>
>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement
>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz
>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
>> unexpected error: Failed to setup winsync replication
>> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
>> dc0001.ipa.ac.nz has address 192.168.101.2
>> [root at fed14-64-ipam001 samba]#
>>
> >> But still isn't working...
>
> I think you have the wrong AD cert. -8179 translates to "Certificate is
> signed by an unknown issuer". Can you verify that you have the AD CA
> certificate?
>
> rob
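Added example (not part of the thread above, and not FreeIPA's own code): the checks I would run on a .cer file before handing it to ipa-replica-manage --cacert, to settle the question in the thread, i.e. whether the file is the CA that actually issued the DC's LDAPS certificate, or merely some other self-signed cert. It assumes only openssl in PATH and builds a constructed throwaway PKI (a "ca root CA" that issues a cert for dc0001.ipa.ac.nz, plus an unrelated "other root CA") in a temp directory; the function names and the DC name are illustrative. A verify failure with "unable to get local issuer certificate" is the OpenSSL equivalent of the NSS -8179 "Certificate is signed by an unknown issuer" seen in the ipa-replica-manage output.

```sh
#!/bin/sh
# Added example, not from the original thread. Sanity-check a CA file before
# using it as --cacert for a winsync agreement. Requires only openssl.
set -eu

# Normalise a certificate to PEM. Windows often exports .cer files as DER,
# which openssl (and the operator) otherwise stumble over.
to_pem() {
    if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
        openssl x509 -in "$1" -inform PEM
    else
        openssl x509 -in "$1" -inform DER
    fi
}

# Human-readable summary: who issued it, whom it names, when it expires.
describe_cert() {
    to_pem "$1" | openssl x509 -noout -subject -issuer -dates
}

# Is the file a CA certificate at all (Basic Constraints CA:TRUE)?
is_ca() {
    to_pem "$1" | openssl x509 -noout -text | grep -q 'CA:TRUE'
}

# Self-signed means subject == issuer. A self-signed *server* cert is not a
# CA file; a self-signed *root CA* is exactly what --cacert wants.
is_self_signed() {
    pem=$(to_pem "$1")
    s=$(printf '%s\n' "$pem" | openssl x509 -noout -subject | sed 's/^[a-z]*= *//')
    i=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer  | sed 's/^[a-z]*= *//')
    [ "$s" = "$i" ]
}

# Does the CA file verify the server cert? This is the check NSS performs when
# ipa-replica-manage connects to AD over LDAPS; a failure here is -8179.
issued_by() {
    srv=$1; ca=$2
    d=$(mktemp -d)
    to_pem "$ca"  > "$d/ca.pem"
    to_pem "$srv" > "$d/srv.pem"
    if openssl verify -CAfile "$d/ca.pem" "$d/srv.pem" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

# Constructed test PKI (not anyone's real AD CA): two self-signed root CAs and
# a server cert for the DC issued by the first one. Configs are written inline
# so the result does not depend on the system openssl.cnf.
make_fixtures() {
    dir=$1
    for name in ca other; do
        cat > "$dir/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = $name root CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
        openssl req -x509 -config "$dir/$name.cnf" -newkey rsa:2048 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.pem" -days 2 >/dev/null 2>&1
    done
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = dc0001.ipa.ac.nz\n' > "$dir/srv.cnf"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:dc0001.ipa.ac.nz\n' > "$dir/srv.ext"
    openssl req -new -config "$dir/srv.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/srv.ext" -out "$dir/srv.pem" -days 2 >/dev/null 2>&1
    # DER copy of the real CA, as a Windows export would typically look.
    openssl x509 -in "$dir/ca.pem" -outform DER -out "$dir/ca.cer"
}

# Stand-alone demo: the right CA (even as DER) verifies the DC cert, the
# unrelated CA does not, and the server cert itself is not a CA.
demo() {
    d=$(mktemp -d)
    make_fixtures "$d"
    for f in ca.cer srv.pem; do
        echo "== $f"; describe_cert "$d/$f"
        if is_ca "$d/$f"; then echo "   CA:TRUE"; else echo "   not a CA"; fi
        if is_self_signed "$d/$f"; then echo "   self-signed"; else echo "   issued by another cert"; fi
    done
    if issued_by "$d/srv.pem" "$d/ca.cer"; then echo "srv.pem chains to ca.cer: OK"; fi
    if ! issued_by "$d/srv.pem" "$d/other.pem"; then
        echo "srv.pem does not chain to other.pem: this is the -8179 'unknown issuer' case"
    fi
    rm -rf "$d"
}
demo
```

Against the live DC the same check is `openssl s_client -connect dc0001.ipa.ac.nz:636 -CAfile domaincert.cer </dev/null`, which prints the chain it received and a "Verify return code"; if that is not 0 the file is not the issuing CA and ipa-replica-manage will keep failing with -8179 no matter how often it is re-run. Since the tool itself reports "Added CA certificate ... to certificate database", the separate certutil step asked about above would only be needed to inspect what got imported, e.g. `certutil -L -d /etc/dirsrv/slapd-<INSTANCE>` on the IPA master (the 389-ds NSS database location; substitute the instance name).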
