[Freeipa-users] AD setup failure
Rich Megginson
rmeggins at redhat.com
Tue Mar 29 20:28:54 UTC 2011
On 03/29/2011 02:26 PM, Steven Jones wrote:
> Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number:
> 12:fb:5c:b4:00:00:00:00:00:02
> Signature Algorithm: sha1WithRSAEncryption
> Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
> Validity
> Not Before: Mar 29 00:54:45 2011 GMT
> Not After : Mar 28 00:54:45 2012 GMT
> Subject: CN=dc0001.ipa.ac.nz
> Subject Public Key Info:
> Public Key Algorithm: rsaEncryption
> Public-Key: (1024 bit)
> Modulus:
> 00:9b:68:bb:1f:8d:62:c4:7c:08:65:f2:ec:c0:32:
> 0a:99:17:b6:02:1a:02:90:e1:d7:64:38:de:ef:f0:
> 58:b0:bb:06:6a:6f:82:ed:c1:8c:9e:ae:44:91:6e:
> 8e:3c:6f:5b:04:44:92:40:cd:af:3e:a2:2f:c8:ad:
> 1f:7a:7f:d7:53:25:2b:f9:b7:c7:ac:c4:cc:3d:92:
> 05:47:a7:96:25:e9:d5:78:a1:4d:e1:a0:65:1d:66:
> 03:d3:e1:11:f6:d5:cc:c5:e5:73:e3:e3:98:ee:c1:
> 23:c2:32:5c:4f:5f:66:ef:98:61:4b:e0:2a:3a:e6:
> 55:67:08:ed:2a:ae:6b:db:ab
> Exponent: 65537 (0x10001)
> X509v3 extensions:
> X509v3 Key Usage:
> Digital Signature, Key Encipherment
> S/MIME Capabilities:
> 050...*.H..
> ......0...*.H..
> ......0...+....0
> ..*.H..
> ..
> X509v3 Subject Key Identifier:
> 7F:03:DF:87:27:A7:F2:59:C7:17:E8:CF:19:01:51:1B:FA:EF:D7:D3
> 1.3.6.1.4.1.311.20.2:
> . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
> X509v3 Authority Key Identifier:
> keyid:CC:D6:15:2E:3F:81:70:17:C5:4B:8D:F9:8E:21:9E:5D:C5:11:F9:DB
>
> X509v3 CRL Distribution Points:
>
> Full Name:
> URI:ldap:///CN=dc0001,CN=dc0001,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint
> URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.crl
>
> Authority Information Access:
> CA Issuers - URI:ldap:///CN=dc0001,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?cACertificate?base?objectClass=certificationAuthority
> CA Issuers - URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.ipa.ac.nz_dc0001.crt
>
> X509v3 Extended Key Usage:
> TLS Web Client Authentication, TLS Web Server Authentication
> X509v3 Subject Alternative Name:
> othername:<unsupported>, DNS:dc0001.ipa.ac.nz
> Signature Algorithm: sha1WithRSAEncryption
> 6e:11:ea:99:64:72:59:56:71:e8:6d:ab:cd:ee:93:be:cd:d4:
> 94:d4:cb:b4:d1:e1:ad:d3:02:a6:1c:15:db:e6:13:6c:74:07:
> 21:a0:1d:65:81:de:27:0d:8b:65:9c:5b:e2:2f:8e:67:fb:3f:
> 63:7c:a4:a3:ab:15:3d:57:fc:b8:2c:5c:e2:75:fd:71:68:73:
> 1d:14:49:cc:a8:5c:fb:62:5d:fd:61:b3:57:6f:18:d7:46:b7:
> 5c:7d:6d:5a:ee:5c:8c:66:b6:45:cb:62:8d:72:20:40:b1:cb:
> fa:e8:f5:06:44:19:d1:fc:f3:b7:a0:86:52:39:20:6b:4f:20:
> c5:8f:7f:5c:0d:2f:a3:a1:d7:4f:c7:5e:36:1a:d4:22:33:ea:
> 59:31:eb:9e:6a:31:9f:8d:7a:3a:b8:dc:b2:09:4e:64:d5:17:
> 14:28:09:c0:b0:48:ff:38:00:4f:cd:01:e1:62:7e:82:dc:4d:
> d6:62:3c:54:e9:c2:ff:7d:9d:c7:b0:cf:ee:f7:6f:0a:e0:c8:
> ec:f0:c0:01:b2:41:56:01:22:a4:31:4d:cd:98:6b:a1:83:db:
> 10:de:4d:43:59:b1:d3:4c:2a:16:03:9c:91:97:98:92:23:15:
> 04:41:3f:9d:77:9b:fd:b2:32:0d:36:35:06:64:ff:80:6a:e8:
> a0:5b:12:85
> -----BEGIN CERTIFICATE-----
> MIIFjzCCBHegAwIBAgIKEvtctAAAAAAAAjANBgkqhkiG9w0BAQUFADBOMRIwEAYK
> CZImiZPyLGQBGRYCbnoxEjAQBgoJkiaJk/IsZAEZFgJhYzETMBEGCgmSJomT8ixk
> ARkWA2lwYTEPMA0GA1UEAxMGZGMwMDAxMB4XDTExMDMyOTAwNTQ0NVoXDTEyMDMy
> ODAwNTQ0NVowGzEZMBcGA1UEAxMQZGMwMDAxLmlwYS5hYy5uejCBnzANBgkqhkiG
> 9w0BAQEFAAOBjQAwgYkCgYEAm2i7H41ixHwIZfLswDIKmRe2AhoCkOHXZDje7/BY
> sLsGam+C7cGMnq5EkW6OPG9bBESSQM2vPqIvyK0fen/XUyUr+bfHrMTMPZIFR6eW
> JenVeKFN4aBlHWYD0+ER9tXMxeVz4+OY7sEjwjJcT19m75hhS+AqOuZVZwjtKq5r
> 26sCAwEAAaOCAyQwggMgMAsGA1UdDwQEAwIFoDBEBgkqhkiG9w0BCQ8ENzA1MA4G
> CCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYIKoZIhvcN
> AwcwHQYDVR0OBBYEFH8D34cnp/JZxxfozxkBURv679fTMC8GCSsGAQQBgjcUAgQi
> HiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAfBgNVHSMEGDAWgBTM
> 1hUuP4FwF8VLjfmOIZ5dxRH52zCB8wYDVR0fBIHrMIHoMIHloIHioIHfhoGtbGRh
> cDovLy9DTj1kYzAwMDEsQ049ZGMwMDAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXkl
> MjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWlwYSxE
> Qz1hYyxEQz1uej9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0
> Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnSGLWh0dHA6Ly9kYzAwMDEuaXBhLmFj
> Lm56L0NlcnRFbnJvbGwvZGMwMDAxLmNybDCCAQUGCCsGAQUFBwEBBIH4MIH1MIGm
> BggrBgEFBQcwAoaBmWxkYXA6Ly8vQ049ZGMwMDAxLENOPUFJQSxDTj1QdWJsaWMl
> MjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERD
> PWlwYSxEQz1hYyxEQz1uej9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9
> Y2VydGlmaWNhdGlvbkF1dGhvcml0eTBKBggrBgEFBQcwAoY+aHR0cDovL2RjMDAw
> MS5pcGEuYWMubnovQ2VydEVucm9sbC9kYzAwMDEuaXBhLmFjLm56X2RjMDAwMS5j
> cnQwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMDwGA1UdEQQ1MDOgHwYJ
> KwYBBAGCNxkBoBIEEAdtYFw3yQ9DmIgdDBjdl92CEGRjMDAwMS5pcGEuYWMubnow
> DQYJKoZIhvcNAQEFBQADggEBAG4R6plkcllWcehtq83uk77N1JTUy7TR4a3TAqYc
> FdvmE2x0ByGgHWWB3icNi2WcW+Ivjmf7P2N8pKOrFT1X/LgsXOJ1/XFocx0UScyo
> XPtiXf1hs1dvGNdGt1x9bVruXIxmtkXLYo1yIECxy/ro9QZEGdH887eghlI5IGtP
> IMWPf1wNL6Oh10/HXjYa1CIz6lkx655qMZ+Nejq43LIJTmTVFxQoCcCwSP84AE/N
> AeFifoLcTdZiPFTpwv99ncewz+73bwrgyOzwwAGyQVYBIqQxTc2Ya6GD2xDeTUNZ
> sdNMKhYDnJGXmJIjFQRBP513m/2yMg02NQZk/4Bq6KBbEoU=
> -----END CERTIFICATE-----
This is the MS AD server cert, not the CA cert of the CA that issued the MS
AD server cert.
You need the CA cert.
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Wednesday, 30 March 2011 9:04 a.m.
> To: Steven Jones
> Cc: Rob Crittenden; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD setup failure
>
> On 03/29/2011 02:02 PM, Steven Jones wrote:
>> Hi,
>>
>> My Windows person suggests because this is a self signed cert, the client needs to be forced to trust it....?
> can you paste the output of
> openssl x509 -in /home/jonesst1/domaincert.cer -text
> ?
>> regards
>>
>> Steven
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 30 March 2011 2:50 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] AD setup failure
>>
>> Steven Jones wrote:
>>> Got a bit further.......I was missing "--passsync"
>> I think you were using the V1 documentation. The "Enterprise Identity
>> Management Guide" is what you want off freeipa.org in the Documentation
>> section.
>>
>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement
>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz
>>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
>>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
>>> unexpected error: Failed to setup winsync replication
>>> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
>>> dc0001.ipa.ac.nz has address 192.168.101.2
>>> [root at fed14-64-ipam001 samba]#
>>>
>>> But still isn't working.........
>> I think you have the wrong AD cert. -8179 translates to "Certificate is
>> signed by an unknown issuer". Can you verify that you have the AD CA
>> certificate?
>>
>> rob
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
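Rob's -8179 is NSS's SEC_ERROR_UNKNOWN_ISSUER, and Rich's point is the fix: the file handed to --cacert has to be the certificate of the CA that signed what dc0001 presents over LDAPS, not dc0001's own server certificate. The check below is an added example, not code from this thread, from FreeIPA or from OpenSSL: it decodes the certificate quoted above with a minimal standard-library DER walker and reports issuer, subject, whether basicConstraints marks it as a CA, and the CA Issuers URLs from its Authority Information Access extension, which for an AD CS-issued cert say where the issuing CA's certificate is published. Only the OIDs it needs are decoded; the function and variable names are my own.

```python
import base64

# The AD server certificate quoted in this thread, copied verbatim.
AD_DC_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIFjzCCBHegAwIBAgIKEvtctAAAAAAAAjANBgkqhkiG9w0BAQUFADBOMRIwEAYK
CZImiZPyLGQBGRYCbnoxEjAQBgoJkiaJk/IsZAEZFgJhYzETMBEGCgmSJomT8ixk
ARkWA2lwYTEPMA0GA1UEAxMGZGMwMDAxMB4XDTExMDMyOTAwNTQ0NVoXDTEyMDMy
ODAwNTQ0NVowGzEZMBcGA1UEAxMQZGMwMDAxLmlwYS5hYy5uejCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAm2i7H41ixHwIZfLswDIKmRe2AhoCkOHXZDje7/BY
sLsGam+C7cGMnq5EkW6OPG9bBESSQM2vPqIvyK0fen/XUyUr+bfHrMTMPZIFR6eW
JenVeKFN4aBlHWYD0+ER9tXMxeVz4+OY7sEjwjJcT19m75hhS+AqOuZVZwjtKq5r
26sCAwEAAaOCAyQwggMgMAsGA1UdDwQEAwIFoDBEBgkqhkiG9w0BCQ8ENzA1MA4G
CCqGSIb3DQMCAgIAgDAOBggqhkiG9w0DBAICAIAwBwYFKw4DAgcwCgYIKoZIhvcN
AwcwHQYDVR0OBBYEFH8D34cnp/JZxxfozxkBURv679fTMC8GCSsGAQQBgjcUAgQi
HiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAfBgNVHSMEGDAWgBTM
1hUuP4FwF8VLjfmOIZ5dxRH52zCB8wYDVR0fBIHrMIHoMIHloIHioIHfhoGtbGRh
cDovLy9DTj1kYzAwMDEsQ049ZGMwMDAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXkl
MjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWlwYSxE
Qz1hYyxEQz1uej9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0
Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnSGLWh0dHA6Ly9kYzAwMDEuaXBhLmFj
Lm56L0NlcnRFbnJvbGwvZGMwMDAxLmNybDCCAQUGCCsGAQUFBwEBBIH4MIH1MIGm
BggrBgEFBQcwAoaBmWxkYXA6Ly8vQ049ZGMwMDAxLENOPUFJQSxDTj1QdWJsaWMl
MjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERD
PWlwYSxEQz1hYyxEQz1uej9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9
Y2VydGlmaWNhdGlvbkF1dGhvcml0eTBKBggrBgEFBQcwAoY+aHR0cDovL2RjMDAw
MS5pcGEuYWMubnovQ2VydEVucm9sbC9kYzAwMDEuaXBhLmFjLm56X2RjMDAwMS5j
cnQwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMDwGA1UdEQQ1MDOgHwYJ
KwYBBAGCNxkBoBIEEAdtYFw3yQ9DmIgdDBjdl92CEGRjMDAwMS5pcGEuYWMubnow
DQYJKoZIhvcNAQEFBQADggEBAG4R6plkcllWcehtq83uk77N1JTUy7TR4a3TAqYc
FdvmE2x0ByGgHWWB3icNi2WcW+Ivjmf7P2N8pKOrFT1X/LgsXOJ1/XFocx0UScyo
XPtiXf1hs1dvGNdGt1x9bVruXIxmtkXLYo1yIECxy/ro9QZEGdH887eghlI5IGtP
IMWPf1wNL6Oh10/HXjYa1CIz6lkx655qMZ+Nejq43LIJTmTVFxQoCcCwSP84AE/N
AeFifoLcTdZiPFTpwv99ncewz+73bwrgyOzwwAGyQVYBIqQxTc2Ya6GD2xDeTUNZ
sdNMKhYDnJGXmJIjFQRBP513m/2yMg02NQZk/4Bq6KBbEoU=
-----END CERTIFICATE-----"""

# DER-encoded OID contents this check cares about (names are mine).
OID_CN = b"\x55\x04\x03"                               # 2.5.4.3 commonName
OID_DC = b"\x09\x92\x26\x89\x93\xf2\x2c\x64\x01\x19"   # 0.9.2342.19200300.100.1.25 dc
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"                # 2.5.29.19
OID_AIA = b"\x2b\x06\x01\x05\x05\x07\x01\x01"          # 1.3.6.1.5.5.7.1.1
OID_CA_ISSUERS = b"\x2b\x06\x01\x05\x05\x07\x30\x02"   # 1.3.6.1.5.5.7.48.2

def der_children(buf):
    """Split the content of a constructed DER value into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                      # long-form length: next n bytes
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def name_to_str(name):
    """Render a Name (SEQUENCE OF SET OF AttributeTypeAndValue) like openssl -text."""
    parts = []
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)[:2]
            label = {OID_CN: "CN", OID_DC: "DC"}.get(oid, oid.hex())
            parts.append(f"{label}={value.decode('ascii', 'replace')}")
    return ", ".join(parts)

def inspect_cert(pem):
    """Return issuer, subject, CA flag and caIssuers URLs of one PEM certificate."""
    der = base64.b64decode("".join(l.strip() for l in pem.splitlines() if "-----" not in l))
    (_, cert), = der_children(der)
    (_, tbs), _sig_alg, _sig_value = der_children(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                   # optional explicit [0] version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]
    info = {"issuer": name_to_str(issuer), "subject": name_to_str(subject),
            "self_issued": issuer == subject, "is_ca": False, "ca_issuers": []}
    for tag, ext_wrap in fields[6:]:
        if tag != 0xA3:                        # explicit [3] extensions
            continue
        (_, ext_list), = der_children(ext_wrap)
        for _, ext in der_children(ext_list):
            items = der_children(ext)          # OID, optional critical BOOLEAN, OCTET STRING
            oid, value = items[0][1], items[-1][1]
            if oid == OID_BASIC_CONSTRAINTS:   # cA BOOLEAN TRUE is what makes a CA cert
                (_, bc), = der_children(value)
                info["is_ca"] = any(t == 0x01 and c == b"\xff" for t, c in der_children(bc))
            elif oid == OID_AIA:               # AccessDescription: method OID + GeneralName
                (_, descs), = der_children(value)
                for _, desc in der_children(descs):
                    (_, method), (loc_tag, loc) = der_children(desc)
                    if method == OID_CA_ISSUERS and loc_tag == 0x86:   # [6] URI
                        info["ca_issuers"].append(loc.decode("ascii"))
    return info

def classify(info):
    """Only basicConstraints CA:TRUE makes a cert usable as --cacert."""
    return "ca" if info["is_ca"] else "leaf"

if __name__ == "__main__":
    result = inspect_cert(AD_DC_CERT_PEM)
    print(result, classify(result))
```

Run on the pasted certificate it reaches Rich's verdict: issuer and subject differ, there is no basicConstraints CA:TRUE, so this is the leaf, and the http CA Issuers URL under /CertEnroll/ is where AD CS publishes the issuing CA's certificate (dc0001.ipa.ac.nz_dc0001.crt). That file is normally DER-encoded; `openssl x509 -inform der -in dc0001.ipa.ac.nz_dc0001.crt -out ca.pem` converts it, and `openssl verify -CAfile ca.pem domaincert.cer` should print OK before retrying ipa-replica-manage with --cacert pointed at ca.pem instead of the server cert.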