[Freeipa-users] IPA 2.2 Windows 2008R2 sync

Rich Megginson rmeggins at redhat.com
Mon Aug 6 14:02:20 UTC 2012


On 08/06/2012 02:28 AM, Baptiste AGASSE wrote:
> Hi,
>
>>> Hi,
>>>
>>>>> Hi all,
>>>>>
>>>>> I've a problem with winsync between IPA 2.2 on CentOS 6.3 and
>>>>> Active
>>>>> Directory 2008R2.
>>>>>
>>>>> I'm following this documentation to enable synchronization:
>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html
>>>> There is nothing on this page about running certutil? Which link
>>>> talks
>>>> about certutil?
>>> Links present in the documentation talk about commands and options
>>> for certutil, but I don't see anything about this error.
>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html
>>
>>
>> Can one of the IPA developers explain why it is necessary to install
>> the
>> IPA CA certificate into the Windows Cert Store in order to get
>> Winsync/PassSync working? I don't believe it is necessary.
>>
>> For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active
>> Directory and IPA CA Certificates
> - I trusted the IPA certificate on AD.
> To do this, I launched mmc, added the "Certificates" snap-in for "local computer", and then added the IPA cert to Trusted Root CAs.
>
> Now when I run "openssl s_client -host ad-server.example.com -port 636" I can see the IPA certificate as a trusted client CA.
>
> - I tested AD ldap connection:
> LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-EXAMPLE-LOCAL ldapsearch -xLLL -H ldap://ad-server.example.com -ZZ -D "cn=ipasync,cn=users,dc=example,dc=com" -w XXXXX -s base -b "" 'objectclass=*' namingcontexts
> dn:
> namingContexts: DC=example,DC=com
> namingContexts: CN=Configuration,DC=example,DC=com
> namingContexts: CN=Schema,CN=Configuration,DC=example,DC=com
> namingContexts: DC=DomainDnsZones,DC=example,DC=com
> namingContexts: DC=ForestDnsZones,DC=example,DC=com
>
> - Now I run into another problem when I run:
>
> ipa-replica-manage connect --winsync --binddn cn=ipasync,cn=users,dc=example,dc=com --bindpw XXXXX --passsync XXXXX --cacert /etc/openldap/cacerts/ad-ca.crt ad-server.example.com -v
> Directory Manager password:
>
> Added CA certificate /etc/openldap/cacerts/ad-ca.crt to certificate database for ipa.foo.example.local
> ipa: INFO: AD Suffix is: DC=example,DC=com
> The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
> Windows PassSync entry exists, not resetting password
> ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> ipa: INFO: Replication Update in progress: FALSE: status: -11  - System error: start: 0: end: 0
> ipa: INFO: Agreement is ready, starting replication . . .
> Starting replication, please wait until this has completed.
> [ipa.foo.example.local] reports: Update failed! Status: [-11  - System error]
> Failed to start replication
What platform?  What version of 389-ds-base?
Can you post some excerpts from your 389 errors log from 
/var/log/dirsrv/slapd-YOUR-DOMAIN/errors from around the time of the error?

>
>
>>> I'm a newbie on Microsoft OSes, but I don't understand why certutil
>>> doesn't find my file.
>>>
>>> I will ask on a microsoft forum.
>>>
>>> Regards
>>>
>>>>> When I run as admin 'certutil -installcert -v -config
>>>>> "ipa.foo.example.local\EXAMPLE.LOCAL Domain CA"
>>>>> c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
>>>>> French):
>>>>>
>>>>> CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
>>>>> CertUtil: Specified file not found
>>>>>
>>>>> Has someone seen this issue?
>>>>>
>>>>> Have a nice day.
>>>>>
>>>>> Regards.
>>>>>
>>>>> Baptiste.
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> Have a nice day.
>
> Regards
>
> Baptiste.
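Rich asks for excerpts from the 389-ds errors log from around the time of the failed `ipa-replica-manage connect --winsync` run. The script below is an added example, not code from the thread or from FreeIPA/389-ds: it pulls the log entries timestamped within a few minutes of the failure and then keeps only the ones that mention replication, winsync or bind problems, which is the excerpt a list reply or a ticket should carry. The sample log lines, the failure time and the agreement name in them are constructed for this example; the log path `/var/log/dirsrv/slapd-YOUR-DOMAIN/errors` is the one named above and is only used when a real file is passed in.

```python
"""Extract 389-ds errors-log entries from around a failed winsync start.

Added example for this thread. SAMPLE_LOG, FAILURE_TIME and the agreement
name below are constructed, not taken from the original report.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# 389-ds errors log lines begin with "[dd/Mon/yyyy:HH:MM:SS +zzzz] ".
TS_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Keywords that usually mark replication / winsync / outbound-bind trouble
# (matched case-insensitively).
INTERESTING = ("nsmmreplicationplugin", "winsync", "replication",
               "slapi_ldap_bind", "error -11")

# Constructed sample log: made up for this example, not from the thread.
SAMPLE_LOG = """\
[06/Aug/2012:09:20:11 +0200] - 389-Directory starting up (constructed sample line)
[06/Aug/2012:09:28:02 +0200] NSMMReplicationPlugin - agmt="cn=meToad-server.example.com" (ad-server:389): Replication bind failed: LDAP error -11 (Connect error) (constructed)
[06/Aug/2012:09:28:03 +0200] slapi_ldap_bind - Error: could not send startTLS request: error -11 (Connect error) (constructed)
[06/Aug/2012:09:29:10 +0200] - unrelated informational message (constructed)
[06/Aug/2012:09:45:00 +0200] - slapd shutting down (constructed)
"""

# Assumed time of the failed "ipa-replica-manage connect" run (constructed).
FAILURE_TIME = datetime(2012, 8, 6, 9, 28, 0,
                        tzinfo=timezone(timedelta(hours=2)))


def parse_ts(line):
    """Return the line's timestamp as an aware datetime, or None if absent."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), TS_FMT) if m else None


def entries_around(log_text, center, before=timedelta(minutes=5),
                   after=timedelta(minutes=5)):
    """Return the log lines timestamped within [center-before, center+after]."""
    out = []
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is not None and center - before <= ts <= center + after:
            out.append(line)
    return out


def replication_related(lines):
    """Keep only lines that mention replication, winsync or bind problems."""
    return [l for l in lines if any(k in l.lower() for k in INTERESTING)]


def excerpt(log_text, center):
    """The lines worth pasting into a reply: time window, then keyword filter."""
    return replication_related(entries_around(log_text, center))


if __name__ == "__main__":
    # Usage: python triage_errors_log.py [/var/log/dirsrv/slapd-YOUR-DOMAIN/errors]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for line in excerpt(text, FAILURE_TIME):
        print(line)
```

With the constructed sample the five-minute window drops the start-up and shutdown lines and the keyword pass drops the unrelated message, leaving the two bind/replication failures. When run against a real errors log, adjust `FAILURE_TIME` to the timestamp printed by the failing command and widen the window if the agreement was created some time before the first update attempt.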