[Freeipa-users] consulting?
Jimmy
g17jimmy at gmail.com
Tue Jan 24 21:07:22 UTC 2012
certutil output:
http://fpaste.org/tJDW/
pcap output (exported from Wireshark, looks messy):
http://fpaste.org/M3Gr/
On Tue, Jan 24, 2012 at 3:29 PM, Rich Megginson <rmeggins at redhat.com> wrote:
> **
> On 01/24/2012 01:26 PM, Jimmy wrote:
>
> The sync is still not working so I was going back through the docs to see
> what I missed. I know this is from an older version of IPA but I was
> looking here:
> http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Prerequisites.html#sect-Installation_and_Deployment_Guide-Prerequisites-Setting_up_Active_Directory
>
> and used this method to get the AD certificate server cert.
>
> You mean "CA cert" not "server cert", right?
>
>
> 1. Navigate to My Network Places and drill down to the CA distribution
> point. On Windows 2003 Server this is typically
> C:\WINDOWS\system32\certsrv\CertEnroll\
> 2. Double-click the security certificate file (.crt file) to display
> the *Certificate* dialog box.
> 3. On the *Details* tab, click *Copy to File* to start the *Certificate
> Export Wizard*.
> 4. Click *Next*, select *Base-64 encoded X.509 (.CER)* and then
> click *Next*.
> 5. Specify a suitable directory and file name for the exported file.
> The file name is not important. Click *Next* to export the
> certificate, and then click *Finish*. You should receive a message
> stating that the export was successful.
> 6. Click *OK* to exit the wizard.
>
> But when I run the command to create the sync agreement(pointing to the
> cert I got in the step above) the ssl connection fails and if I look at
> tcpdump of the connection I see that the AD server is not sending the cert
> that I have imported with the sync agreement. I have used certutil to
> verify that I have the same cert(same serial number and same public key) in
> the 389 server as the one in the AD server ( C:\WINDOWS\system32\
> certsrv\CertEnroll\). The AD server is sending a completely different
> cert, and I have been unable to find the cert in the certificate stores on
> the AD server so I'm not sure where the bogus cert is coming from. Before I
> added the certificate services role the certsrv\certenroll directory was
> not present so I know this was created when I added that role to the AD
> server.
>
> The pcap can be seen here:
> http://www.pcapr.net/view/g17jimmy/2012/0/2/11/ldaps3.pcap.html (sorry,
> registration required on that site, I didn't have anywhere else to put it.)
>
> Can you try fpaste.org?
>
>
> Any idea why AD would be sending me the wrong cert and where it's coming
> from? Yes, I know this isn't MS just trying to get these 2 systems to talk
> ;).
>
> On Tue, Jan 24, 2012 at 1:18 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>
>> On 01/24/2012 11:03 AM, Jimmy wrote:
>>
>> Ok, I just realized that I only have passsync and not winsync, stupid
>> oversight, but now that I know it I need to get winsync. Is there a
>> location to download binaries or must I compile from source? I see the
>> binaries for passsync on the directory server project downloads but I don't
>> see the same for winsync.
>>
>> winsync is built-in to 389 - there isn't any additional component that
>> you need to install.
>>
>>
>> Thanks,
>> Jim
>>
>> On Mon, Jan 23, 2012 at 1:33 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>>
>>> On 01/23/2012 11:34 AM, Jimmy wrote:
>>>
>>> I did create the winsync user and it is an admin.
>>>
>>> I will fix the ip address(change to hostname,) I only did it that was
>>> because this is currently a test system so I can figure out how to get it
>>> all working.
>>>
>>> ok - once you do that, you can check the 389 errors log at
>>> /var/log/dirsrv/slapd-INST/errors to see if winsync is logging any errors
>>>
>>>
>>> On Mon, Jan 23, 2012 at 1:06 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>>>
>>>> On 01/23/2012 10:52 AM, Jimmy wrote:
>>>>
>>>> That's what I was thinking, and what I did, but it still doesn't
>>>> replicate new users. This is the command I used:
>>>>
>>>> ipa-replica-manage connect --passsync --binddn
>>>> cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp --bindpw=******** --cacert
>>>> /home/winsync/AD-server-cert.cer 192.168.201.150 -v
>>>>
>>>>
>>>> Did you create the user cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp?
>>>> And does this user have the rights to perform sync? (e.g. has to have
>>>> replicator rights, or be some sort of admin) - see
>>>> http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx - the
>>>> AD user must have replication rights and write rights.
>>>>
>>>> In addition, since this process uses SSL, you cannot use an IP address,
>>>> you must use a hostname, or the SSL cert hostname checking (for MITM) will
>>>> fail.
>>>>
>>>>
>>>> On Mon, Jan 23, 2012 at 12:30 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>>>>
>>>>> On 01/23/2012 10:19 AM, Jimmy wrote:
>>>>>
>>>>> Here's what I found in the DS admin guide. Is this all that's needed
>>>>> to create the sync agreement?
>>>>>
>>>>> Not with ipa - you should use the ipa-replica-manage command instead
>>>>>
>>>>> Thanks.
>>>>>
>>>>> add sync agreement:
>>>>> ldapmodify -x -D "cn=Directory Manager" -W
>>>>> Enter LDAP Password: *******
>>>>> dn: cn=ExampleSyncAgreement,cn=sync
>>>>> replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config
>>>>>
>>>>> it should be cn=replica, not cn=sync replica - does it use the
>>>>> latter in the Admin Guide?
>>>>>
>>>>> changetype: add
>>>>> objectclass: top
>>>>> objectclass: nsDSWindowsReplicationAgreement
>>>>> cn: ExampleSyncAgreement
>>>>> nsds7WindowsReplicaSubtree: cn=Users,dc=ad1
>>>>> nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com
>>>>>
>>>>> nsds7NewWinUserSyncEnabled: on
>>>>> nsds7NewWinGroupSyncEnabled: on
>>>>> nsds7WindowsDomain: ad1
>>>>> nsDS5ReplicaRoot: dc=example,dc=com
>>>>> nsDS5ReplicaHost: ad1.windows-server.com
>>>>> nsDS5ReplicaPort: 389
>>>>> nsDS5ReplicaBindDN: cn=sync user,cn=config
>>>>> nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==
>>>>> nsDS5ReplicaTransportInfo: TLS
>>>>> winSyncInterval: 1200
>>>>>
>>>>> On Fri, Jan 20, 2012 at 3:28 PM, Rich Megginson <rmeggins at redhat.com>wrote:
>>>>>
>>>>>> On 01/20/2012 01:08 PM, Jimmy wrote:
>>>>>>
>>>>>> That was it! I have passwords syncing, *BUT*(at the risk of sounding
>>>>>> stupid)-- is it not possible to also sync(add) the users from AD to DS?
>>>>>>
>>>>>> Yes, it is. Just configure IPA Windows Sync
>>>>>>
>>>>>> I created a new user in AD and it doesn't propogate to DS, just
>>>>>> says:
>>>>>>
>>>>>> attempting to sync password for testuser3
>>>>>> searching for (ntuserdomainid=testuser3)
>>>>>> There are no entries that match: testuser3
>>>>>> deferring password change for testuser3
>>>>>>
>>>>>> On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson <rmeggins at redhat.com
>>>>>> > wrote:
>>>>>>
>>>>>>> On 01/20/2012 12:46 PM, Jimmy wrote:
>>>>>>>
>>>>>>> Getting close here... Now I see this message in the sync log file:
>>>>>>>
>>>>>>> attempting to sync password for testuser
>>>>>>> searching for (ntuserdomainid=testuser)
>>>>>>> ldap error in queryusername
>>>>>>> 32: no such object
>>>>>>> deferring password change for testuser
>>>>>>>
>>>>>>> This usually means the search base is incorrect or not found. You
>>>>>>> can look at the 389 access log to see what it was using as the search
>>>>>>> criteria.
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson <
>>>>>>> rmeggins at redhat.com> wrote:
>>>>>>>
>>>>>>>> On 01/20/2012 10:23 AM, Jimmy wrote:
>>>>>>>>
>>>>>>>> You are correct. I had installed as an Enterprise root, but the doc
>>>>>>>> I was reading(original link) seemed to say that I had to do the certreq
>>>>>>>> manually, my bad. I think I'm getting closer I can establish an openssl
>>>>>>>> connection from DS to AD but I get these errors:
>>>>>>>>
>>>>>>>> openssl s_client -connect 192.168.201.150:636 -showcerts -CAfile
>>>>>>>> dsca.crt
>>>>>>>> CONNECTED(00000003)
>>>>>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>>>>>> verify error:num=20:unable to get local issuer certificate
>>>>>>>> verify return:1
>>>>>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>>>>>> verify error:num=27:certificate not trusted
>>>>>>>> verify return:1
>>>>>>>> depth=0 CN = csp-ad.cspad.pdh.csp
>>>>>>>> verify error:num=21:unable to verify the first certificate
>>>>>>>> verify return:1
>>>>>>>>
>>>>>>>> I thought I had imported the cert from AD but it doesn't seem so.
>>>>>>>> I'm still researching but if you guys have a suggestion let me know.
>>>>>>>>
>>>>>>>> Is dsca.crt the CA that issued the DS server cert? If so, that
>>>>>>>> won't work. You need the CA cert from the CA that issued the AD server
>>>>>>>> cert (i.e. the CA cert from the MS Enterprise Root CA).
>>>>>>>>
>>>>>>>> -J
>>>>>>>>
>>>>>>>> On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <
>>>>>>>> rmeggins at redhat.com> wrote:
>>>>>>>>
>>>>>>>>> On 01/19/2012 02:59 PM, Jimmy wrote:
>>>>>>>>>
>>>>>>>>> ok. I started from scratch this week on this and I think I've got
>>>>>>>>> the right doc and understand better where this is going. My problem now is
>>>>>>>>> that when configuring SSL on the AD server (step c in this url:
>>>>>>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service )
>>>>>>>>>
>>>>>>>>> I get this error:
>>>>>>>>>
>>>>>>>>> certreq -submit request.req certnew.cer
>>>>>>>>> Active Directory Enrollment Policy
>>>>>>>>> {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}
>>>>>>>>> ldap:
>>>>>>>>> RequestId: 3
>>>>>>>>> RequestId: "3"
>>>>>>>>> Certificate not issued (Denied) Denied by Policy Module
>>>>>>>>> 0x80094801, The request does not contain a certificate template extension
>>>>>>>>> or the CertificateTemplate request attribute.
>>>>>>>>> The request contains no certificate template information.
>>>>>>>>> 0x80094801 (-2146875391)
>>>>>>>>> Certificate Request Processor: The request contains no certificate
>>>>>>>>> template information. 0x80094801 (-2146875391)
>>>>>>>>> Denied by Policy Module 0x80094801, The request does not contain
>>>>>>>>> a certificate template extension or the CertificateTemplate request
>>>>>>>>> attribute.
>>>>>>>>>
>>>>>>>>> The RH doc says to use the browser if an error occurs and IIS is
>>>>>>>>> running but I'm not running IIS. I researched that error but didn't find
>>>>>>>>> anything that helps with FreeIPA and passsync.
>>>>>>>>>
>>>>>>>>> Hmm - try installing Microsoft Certificate Authority in
>>>>>>>>> Enterprise Root CA mode - it will usually automatically create and install
>>>>>>>>> the AD server cert.
>>>>>>>>> http://directory.fedoraproject.org/wiki/Howto:WindowsSync
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jimmy
>>>>>>>>>
>>>>>>>>> On Wed, Jan 11, 2012 at 3:32 PM, Rich Megginson <
>>>>>>>>> rmeggins at redhat.com> wrote:
>>>>>>>>>
>>>>>>>>>> On 01/11/2012 11:22 AM, Jimmy wrote:
>>>>>>>>>>
>>>>>>>>>> We need to be able to replicate user/pass between Windows 2008 AD
>>>>>>>>>> and FreeIPA.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> That's what IPA Windows Sync is supposed to do.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I have followed many different documents and posted here about
>>>>>>>>>> it and from what I've read and procedures I've followed we are unable to
>>>>>>>>>> accomplish this.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> What have you tried, and what problems have you run into?
>>>>>>>>>>
>>>>>>>>>> It doesn't need to be a full trust.
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>> On Tue, Jan 10, 2012 at 3:03 AM, Jan Zelený <jzeleny at redhat.com>wrote:
>>>>>>>>>>
>>>>>>>>>>> > Just wondering if there was anyone listening on the list
>>>>>>>>>>> that might be
>>>>>>>>>>> > available for little work integrating FreeIPA with Active
>>>>>>>>>>> Directory
>>>>>>>>>>> > (preferrably in the south east US.) I hope this isn't against
>>>>>>>>>>> the list
>>>>>>>>>>> > rules, I just thought one of you guys could help or point me
>>>>>>>>>>> in the right
>>>>>>>>>>> > direction.
>>>>>>>>>>>
>>>>>>>>>>> If you want some help, it is certainly not against list rules
>>>>>>>>>>> ;-) But in that
>>>>>>>>>>> case, it would be much better if you asked what exactly do you
>>>>>>>>>>> need.
>>>>>>>>>>>
>>>>>>>>>>> I'm not an AD expert, but a couple tips: If you are looking for
>>>>>>>>>>> cross-domain
>>>>>>>>>>> (cross-realm) trust, then you might be a bit disappointed, it is
>>>>>>>>>>> still in
>>>>>>>>>>> development, so it probably won't be 100% functional at this
>>>>>>>>>>> moment.
>>>>>>>>>>>
>>>>>>>>>>> If you are looking for something else, could you be a little
>>>>>>>>>>> more specific what
>>>>>>>>>>> it is?
>>>>>>>>>>>
>>>>>>>>>>> I also recommend starting with reading some doc:
>>>>>>>>>>> http://freeipa.org/page/DocumentationPortal
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>> Jan
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Freeipa-users mailing listFreeipa-users at redhat.comhttps://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120124/c94b7b31/attachment.htm>
More information about the Freeipa-users
mailing list