[Freeipa-users] IPA 2.2 Windows 2008R2 sync

Baptiste AGASSE baptiste.agasse at lyra-network.com
Mon Aug 6 15:44:21 UTC 2012


> > Hi,
> >
> >>> Hi,
> >>>
> >>>>> Hi all,
> >>>>>
> >>>>> I've a problem with winsync between IPA 2.2 on CentOS 6.3 and
> >>>>> Active Directory 2008R2.
> >>>>>
> >>>>> I'm following this documentation to enable synchronization:
> >>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html
> >>>> There is nothing on this page about running certutil? Which link
> >>>> talks about certutil?
> >>> Links present in the documentation talk about commands and options
> >>> for certutil but I don't see anything about this error.
> >> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html
> >>
> >>
> >> Can one of the IPA developers explain why it is necessary to
> >> install the IPA CA certificate into the Windows Cert Store in order
> >> to get Winsync/PassSync working? I don't believe it is necessary.
> >>
> >> For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active
> >> Directory and IPA CA Certificates
> > - I trusted the IPA certificate on AD.
> > To do this, I launched mmc, added the "Certificates" snap-in for
> > "local computer", and then added the IPA cert to Trusted Root CAs.
> >
> > Now when I run "openssl s_client -host ad-server.example.com -port
> > 636" I can see the IPA certificate as a Trusted client CA.
> >
> > - I tested AD ldap connection:
> > LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-EXAMPLE-LOCAL ldapsearch -xLLL
> > -H ldap://ad-server.example.com -ZZ -D
> > "cn=ipasync,cn=users,dc=example,dc=com" -w XXXXX -s base -b ""
> > 'objectclass=*' namingcontexts
> > dn:
> > namingContexts: DC=example,DC=com
> > namingContexts: CN=Configuration,DC=example,DC=com
> > namingContexts: CN=Schema,CN=Configuration,DC=example,DC=com
> > namingContexts: DC=DomainDnsZones,DC=example,DC=com
> > namingContexts: DC=ForestDnsZones,DC=example,DC=com
> >
> > - Now I fall on another problem, when I run:
> >
> > ipa-replica-manage connect --winsync --binddn
> > cn=ipasync,cn=users,dc=example,dc=com --bindpw XXXXX --passsync
> > XXXXX --cacert /etc/openldap/cacerts/ad-ca.crt ad-server.example.com
> > -v
> > Directory Manager password:
> >
> > Added CA certificate /etc/openldap/cacerts/ad-ca.crt to certificate
> > database for ipa.foo.example.local
> > ipa: INFO: AD Suffix is: DC=example,DC=com
> > The user for the Windows PassSync service is
> > uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
> > Windows PassSync entry exists, not resetting password
> > ipa: INFO: Added new sync agreement, waiting for it to become ready
> > . . .
> > ipa: INFO: Replication Update in progress: FALSE: status: -11 -
> > System error: start: 0: end: 0
> > ipa: INFO: Agreement is ready, starting replication . . .
> > Starting replication, please wait until this has completed.
> > [ipa.foo.example.local] reports: Update failed! Status: [-11 -
> > System error]
> > Failed to start replication
> What platform? What version of 389-ds-base?
> Can you post some excerpts from your 389 errors log from
> /var/log/dirsrv/slapd-YOUR-DOMAIN/errors from around the time of the
> error?

That was a TLS error, I uploaded the wrong AD CA cert on the IPA server. Sorry for the noise.

> >>> I'm a newbie on Microsoft OSes, but I don't understand why certutil
> >>> doesn't find my file.
> >>>
> >>> I will ask on a microsoft forum.
> >>>
> >>> Regards
> >>>
> >>>>> When I run as admin 'certutil -installcert -v -config
> >>>>> "ipa.foo.example.local\EXAMPLE.LOCAL Domain CA"
> >>>>> c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
> >>>>> French):
> >>>>>
> >>>>> CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
> >>>>> CertUtil: Specified file not found
> >>>>>
> >>>>> Has anyone seen this issue?
> >>>>>
> >>>>> Have a nice day.
> >>>>>
> >>>>> Regards.
> >>>>>
> >>>>> Baptiste.
> >>>>>
> > Have a nice day.
> >
> > Regards
> >
> > Baptiste.
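The failure above turned out to be the wrong AD CA file handed to `--cacert`, which winsync only surfaced as "-11 - System error". The following pre-flight check is an added example, not code from this thread or from FreeIPA: it pulls the certificate AD presents on port 636 (the same s_client probe used above, with `-connect`) and verifies it against the CA file before `ipa-replica-manage connect` is run. The host name and `/etc/openldap/cacerts/ad-ca.crt` path are taken from the thread; the script name is assumed.

```shell
#!/bin/sh
# Added pre-flight check for the CA file passed to
# `ipa-replica-manage connect --winsync --cacert ...` (not from the thread).
# It confirms the file really issued the certificate the AD server presents
# on LDAPS, the mismatch that winsync only reported as "-11 System error".
set -u

# Save the leaf certificate AD presents on port 636 as PEM in $2.
fetch_ad_cert() {
    host=$1; out=$2
    openssl s_client -connect "$host:636" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$out" 2>/dev/null
}

# Return 0 if server cert $2 chains to CA file $1, 1 otherwise. On a
# mismatch print both names so a wrong CA file is obvious at a glance.
verify_ca_matches() {
    cafile=$1; cert=$2
    if openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "OK: $cert chains to $cafile"
        return 0
    fi
    echo "MISMATCH: $cert was not issued by $cafile" >&2
    echo "  server cert issuer: $(openssl x509 -in "$cert" -noout -issuer)" >&2
    echo "  CA file subject   : $(openssl x509 -in "$cafile" -noout -subject)" >&2
    return 1
}

# Usage: check-ad-ca.sh ad-server.example.com /etc/openldap/cacerts/ad-ca.crt
if [ $# -eq 2 ]; then
    tmp=$(mktemp)
    fetch_ad_cert "$1" "$tmp" || { echo "could not fetch a certificate from $1:636" >&2; exit 2; }
    if verify_ca_matches "$2" "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    exit $rc
fi
```

Run it from the IPA server with the same CA path you intend to give `--cacert`; a MISMATCH here is the condition that later shows up as the opaque replication status.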