[Freeipa-users] AD setup failure

Steven Jones Steven.Jones at vuw.ac.nz
Tue Mar 29 20:47:40 UTC 2011


Some more output:

==========

[root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn "cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz" --bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/Cacrt.cer dc0001.ipa.ac.nz -v
ipa: CRITICAL: Error importing CA cert file named [/home/jonesst1/Cacrt.cer]: Command '/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -A -n Imported CA -t CT,,C -a' returned non-zero exit status 255
Could not load the required CA certificate file [/home/jonesst1/Cacrt.cer]
[root at fed14-64-ipam001 samba]# cd ~jonesst1
[root at fed14-64-ipam001 jonesst1]# ls -l
total 52
-rw-rw-r--. 1 jonesst1 jonesst1  384 Mar 29 15:16 ad-fail
-rwxr--r--. 1 jonesst1 jonesst1 1628 Mar 30 09:16 Cacrt.cer
-rw-rw-r--. 1 jonesst1 jonesst1  984 Mar 29 16:11 client2.fail
-rw-rw-r--. 1 jonesst1 jonesst1  345 Mar 29 15:22 connect-fail
drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Desktop
drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Documents
-rwxr--r--. 1 jonesst1 jonesst1 2020 Mar 29 14:06 domaincert.cer
drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Downloads
drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Music
drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Pictures
drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Public
drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Templates
drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Videos
[root at fed14-64-ipam001 jonesst1]# 

=========

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            48:58:cd:99:6c:e4:53:b5:4f:6f:5b:9a:86:21:46:b6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
        Validity
            Not Before: Mar 29 00:45:47 2011 GMT
            Not After : Mar 29 00:55:22 2016 GMT
        Subject: DC=nz, DC=ac, DC=ipa, CN=dc0001
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                CC:D6:15:2E:3F:81:70:17:C5:4B:8D:F9:8E:21:9E:5D:C5:11:F9:DB
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:ldap:///CN=dc0001,CN=dc0001,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint
                  URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.crl

            1.3.6.1.4.1.311.21.1: 
                ...
    Signature Algorithm: sha1WithRSAEncryption

________________________________________
From: Rich Megginson [rmeggins at redhat.com]
Sent: Wednesday, 30 March 2011 9:36 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] AD setup failure

On 03/29/2011 02:32 PM, Steven Jones wrote:
> Hi,
>
> Yes, it's an "intermediate CA". In the real world combining them is a huge issue, i.e. making a single joined certificate... It's not likely many sites would go to the pain to do that.... I think you need to re-visit that assumption.....
It does not appear to be a CA cert at all, much less an "intermediate
CA".  Someone please correct me if I'm wrong, but the CA does not have
the X509v3 Basic Constraints extension.  For example, here is a CA cert
issued by Windows 2008:
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             6d:e2:9a:21:dd:d5:20:b6:4f:96:be:57:10:62:50:f7
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
         Validity
             Not Before: Feb  9 17:44:10 2011 GMT
             Not After : Feb  9 17:54:07 2021 GMT
         Subject: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
...
         X509v3 extensions:
             X509v3 Key Usage:
                 Digital Signature, Certificate Sign, CRL Sign
             X509v3 Basic Constraints: critical
                 CA:TRUE

> The older docs suggested a manual import of the root cert is possible?
>
> regards
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Wednesday, 30 March 2011 9:27 a.m.
> To: Steven Jones
> Cc: Rob Crittenden; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD setup failure
>
> On 03/29/2011 02:14 PM, Steven Jones wrote:
>> So I need 2 certificates?
> No.
>> and I have to manually add the root CA with certutil?
> No.
>> to the IPA master as a separate process?
> No.
>
> You only need the CA certificate for the CA that issued the MS AD server
> certificate.
> ipa-replica-manage ... --winsync ... -cacert=/path/to/msadca.cer
> will add the CA.
>
> If the MS CA is an intermediate CA, you should ask the administrator to
> give you a single CA certificate file (base64 encoded) that contains the
> intermediate CA and all of the parent CA up to the root CA.
>> regards
>>
>>
>> ________________________________________
>> From: Rob Crittenden [rcritten at redhat.com]
>> Sent: Wednesday, 30 March 2011 9:05 a.m.
>> To: Steven Jones
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] AD setup failure
>>
>> Steven Jones wrote:
>>> Hi,
>>>
>>> My Windows person suggests because this is a self-signed cert, the client needs to be forced to trust it....?
>> That's what we're doing here. You need to provide the CA that issued the
>> SSL certificate for the AD server we're connecting to.
>>
>> I'm guessing they didn't give you the root CA cert.
>>
>> rob
>>
>>> regards
>>>
>>> Steven
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Wednesday, 30 March 2011 2:50 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] AD setup failure
>>>
>>> Steven Jones wrote:
>>>> Got a bit further....... I was missing "--passsync"
>>> I think you were using the V1 documentation. The "Enterprise Identity
>>> Management Guide" is what you want off freeipa.org in the Documentation
>>> section.
>>>
>>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>>>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement
>>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>>>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz
>>>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
>>>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
>>>> unexpected error: Failed to setup winsync replication
>>>> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
>>>> dc0001.ipa.ac.nz has address 192.168.101.2
>>>> [root at fed14-64-ipam001 samba]#
>>>>
>>>> But still isn't working.........
>>> I think you have the wrong AD cert. -8179 translates to "Certificate is
>>> signed by an unknown issuer". Can you verify that you have the AD CA
>>> certificate?
>>>
>>> rob
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users

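The three conditions Rob and Rich spell out in the replies above (the --cacert file must be base64/PEM because ipa-replica-manage feeds it to certutil -a, it must be a CA certificate with Basic Constraints CA:TRUE, and it must be the CA, or the intermediate-plus-parents bundle, that really issued the DC's certificate) as a pre-flight script. This is an added example, not FreeIPA code or anything from the thread; it assumes openssl is installed, the function names are its own, and the fetch step assumes the DC serves LDAPS on port 636.

```shell
#!/bin/sh
# Added example: pre-flight checks for the file handed to
# "ipa-replica-manage connect --winsync --cacert". Assumes openssl is
# installed. Not FreeIPA code; the function names are this example's own.

# certutil -A ... -a (the command ipa-replica-manage runs) wants a
# base64 PEM file, so a DER export from the Windows CA is rejected.
is_pem_cert() {
    grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null &&
        openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# A CA certificate carries Basic Constraints CA:TRUE and the
# Certificate Sign key usage; the DC's own server cert does not.
is_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'
}

# The CA file must verify the server certificate. An intermediate CA
# handed over without its parents fails here too, because openssl
# cannot build the chain up to a self-signed root.
chain_verifies() {   # $1 = CA file or bundle (PEM), $2 = server cert (PEM)
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Grab the certificate the DC really presents on LDAPS, to compare with
# what the Windows admin handed over (needs a live DC; not exercised here).
fetch_ad_cert() {   # $1 = DC host name, $2 = output file
    openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null |
        openssl x509 -out "$2"
}

# Run the three checks in order; the return code says which one failed.
preflight() {   # $1 = candidate CA file, $2 = server cert
    is_pem_cert "$1" ||
        { echo "FAIL: $1 is not a PEM certificate (DER? use openssl x509 -inform der)"; return 1; }
    is_ca_cert "$1" ||
        { echo "FAIL: $1 is not a CA certificate (no CA:TRUE / Certificate Sign)"; return 2; }
    chain_verifies "$1" "$2" ||
        { echo "FAIL: $2 is not issued by $1 (wrong CA, or intermediate without its parents)"; return 3; }
    echo "OK: $1 is the CA (or chain) that issued $2"
}
```

A return code of 3 corresponds to the NSS error -8179 Rob decodes above: the server certificate verifies only against the CA that actually signed it.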