[Freeipa-users] AD setup failure

Rich Megginson rmeggins at redhat.com
Tue Mar 29 21:04:45 UTC 2011


On 03/29/2011 02:58 PM, Steven Jones wrote:
> uh, this is an AD 2003 domain, so this stuff only works with 2008 AD?
No, should not matter.  The example I gave was from a Windows 2008 
Enterprise CA - a CA cert from a Windows 2003 Enterprise CA looks very 
similar.
> regards
> ________________________________________
> From: Rich Megginson [rmeggins at redhat.com]
> Sent: Wednesday, 30 March 2011 9:36 a.m.
> To: Steven Jones
> Cc: Rob Crittenden; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] AD setup failure
>
> On 03/29/2011 02:32 PM, Steven Jones wrote:
>> Hi,
>>
>> Yes, it's an "intermediate CA". In the real world combining them is a huge issue, i.e. making a single joined certificate... It's not likely many sites would go to the pain to do that.... I think you need to re-visit that assumption.....
> It does not appear to be a CA cert at all, much less an "intermediate
> CA".  Someone please correct me if I'm wrong, but the CA does not have
> the X509v3 Basic Constraints extension.  For example, here is a CA cert
> issued by Windows 2008:
> Certificate:
>       Data:
>           Version: 3 (0x2)
>           Serial Number:
>               6d:e2:9a:21:dd:d5:20:b6:4f:96:be:57:10:62:50:f7
>           Signature Algorithm: sha1WithRSAEncryption
>           Issuer: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
>           Validity
>               Not Before: Feb  9 17:44:10 2011 GMT
>               Not After : Feb  9 17:54:07 2021 GMT
>           Subject: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
> ...
>           X509v3 extensions:
>               X509v3 Key Usage:
>                   Digital Signature, Certificate Sign, CRL Sign
>               X509v3 Basic Constraints: critical
>                   CA:TRUE
>
>> The older docs suggested a manual import of the root cert is possible?
>>
>> regards
>> ________________________________________
>> From: Rich Megginson [rmeggins at redhat.com]
>> Sent: Wednesday, 30 March 2011 9:27 a.m.
>> To: Steven Jones
>> Cc: Rob Crittenden; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] AD setup failure
>>
>> On 03/29/2011 02:14 PM, Steven Jones wrote:
>>> So I need 2 certificates?
>> No.
>>> and I have to manually add the root CA with certutil?
>> No.
>>> to the IPA master as a separate process?
>> No.
>>
>> You only need the CA certificate for the CA that issued the MS AD server
>> certificate.
>> ipa-replica-manage ... --winsync ... --cacert=/path/to/msadca.cer
>> will add the CA.
>>
>> If the MS CA is an intermediate CA, you should ask the administrator to
>> give you a single CA certificate file (base64 encoded) that contains the
>> intermediate CA and all of the parent CA up to the root CA.
>>> regards
>>>
>>>
>>> ________________________________________
>>> From: Rob Crittenden [rcritten at redhat.com]
>>> Sent: Wednesday, 30 March 2011 9:05 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] AD setup failure
>>>
>>> Steven Jones wrote:
>>>> Hi,
>>>>
>>>> My Windows person suggests because this is a self-signed cert, the client needs to be forced to trust it....?
>>> That's what we're doing here. You need to provide the CA that issued the
>>> SSL certificate for the AD server we're connecting to.
>>>
>>> I'm guessing they didn't give you the root CA cert.
>>>
>>> rob
>>>
>>>> regards
>>>>
>>>> Steven
>>>> ________________________________________
>>>> From: Rob Crittenden [rcritten at redhat.com]
>>>> Sent: Wednesday, 30 March 2011 2:50 a.m.
>>>> To: Steven Jones
>>>> Cc: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] AD setup failure
>>>>
>>>> Steven Jones wrote:
>>>>> Got a bit further....... I was missing "--passsync"
>>>> I think you were using the V1 documentation. The "Enterprise Identity
>>>> Management Guide" is what you want off freeipa.org in the Documentation
>>>> section.
>>>>
>>>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>>>>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement
>>>>> [root at fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>>>>> Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz
>>>>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
>>>>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
>>>>> unexpected error: Failed to setup winsync replication
>>>>> [root at fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
>>>>> dc0001.ipa.ac.nz has address 192.168.101.2
>>>>> [root at fed14-64-ipam001 samba]#
>>>>>
>>>>> But still isn't working.........
>>>> I think you have the wrong AD cert. -8179 translates to "Certificate is
>>>> signed by an unknown issuer". Can you verify that you have the AD CA
>>>> certificate?
>>>>
>>>> rob
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
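
As an added example (not part of this thread and not FreeIPA's own code), a small POSIX shell check for the two points raised above: whether the file handed over for --cacert actually carries Basic Constraints CA:TRUE, and whether the AD server's certificate verifies against it, which is the condition behind NSS error -8179. It builds its own throwaway CA and server certificate with the openssl CLI, which it assumes is installed; the file names, config and subjects are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: sanity-check a candidate --cacert file.
# Assumes the openssl CLI. Every certificate here is constructed in a temp dir.
WORK=$(mktemp -d)

# Print CA / NOT-CA / UNREADABLE for a PEM or DER (.cer) certificate file.
# A genuine CA certificate carries "X509v3 Basic Constraints" with CA:TRUE;
# an end-entity cert (like the AD server's own) does not.
ca_status() {
    txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) \
      || txt=$(openssl x509 -in "$1" -inform DER -noout -text 2>/dev/null) \
      || { echo UNREADABLE; return 0; }
    if printf '%s\n' "$txt" | grep -q 'CA:TRUE'; then echo CA; else echo NOT-CA; fi
}

# Print OK if cert $2 verifies against trust anchor $1, else FAIL.
# FAIL is the condition NSS reports as -8179, "signed by an unknown issuer".
chain_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Constructed fixture: one self-signed CA plus one server cert it issued.
make_fixture() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = constructed-test-CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=dc.example.test" -keyout "$WORK/dc.key" -out "$WORK/dc.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/dc.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/dc.pem" 2>/dev/null
    # Windows tooling usually exports DER; keep a .cer copy to test that path too.
    openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.cer"
}

make_fixture
echo "ca.cer is $(ca_status "$WORK/ca.cer"); dc.pem is $(ca_status "$WORK/dc.pem")"
echo "dc.pem against ca.pem: $(chain_status "$WORK/ca.pem" "$WORK/dc.pem")"
echo "dc.pem against itself: $(chain_status "$WORK/dc.pem" "$WORK/dc.pem")"
```

Handing the server's own certificate (dc.pem here) to --cacert reproduces the "unknown issuer" failure; only the issuing CA's certificate, or a bundle of the whole chain up to the root, makes the verification succeed.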