[Freeipa-users] freeipa cert validation failed, SEC_ERROR_UNTRUSTED_ISSUER

Morgan Marodin morgan at marodin.it
Tue Sep 8 13:09:41 UTC 2015


I've solved this error, reading this forum:
https://www.redhat.com/archives/freeipa-users/2015-July/msg00247.html

But now when I try to trust to my Active Directory I see these errors:
--------------------
# ipa trust-add --type=ad mydomain.com --admin Administrator --password
Active Directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code "-1073741258",
                  message "The connection was refused" (both may be "None")

Here are my logs:
--------------------
==> /var/log/httpd/error_log <==
Failed to connect host 192.168.0.65 on port 135 -
NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.0.65 (srv01.ipa.mydomain.com) on port 135 -
NT_STATUS_CONNECTION_REFUSED.
[Tue Sep 08 15:01:50.859313 2015] [:error] [pid 2221] ipa: INFO:
[jsonserver_kerb] admin at IPA.MYDOMAIN.COM: trust_add(u'mydomain.com',
trust_type=u'ad', realm_admin=u'Administrator', realm_passwd=u'********',
all=False, raw=False, version=u'2.112'): RemoteRetrieveError

==> /var/log/samba/log.192.168.0.65 <==
[2015/09/08 15:01:50.833128,  1]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username IPA\admin is invalid on this system
[2015/09/08 15:01:50.833200,  1]
../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2015/09/08 15:01:50.833236,  1]
../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup:
NT_STATUS_ACCESS_DENIED
[2015/09/08 15:01:50.852169,  1]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username IPA\admin is invalid on this system
[2015/09/08 15:01:50.852222,  1]
../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2015/09/08 15:01:50.852256,  1]
../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup:
NT_STATUS_ACCESS_DENIED
--------------------

I don't see any 135 TCP listening port; doing tcpdump I see that it tries
to do a connection in its 135 port.
What am I missing?

Thanks, Morgan


> Subject: [Freeipa-users] freeipa cert validation failed,
> SEC_ERROR_UNTRUSTED_ISSUER
> Date: Tue, 08 Sep 2015 11:00:49 +0200
> To: <freeipa-users at redhat.com>
> Hi everyone.
>
> I've a problem with my new freeipa installation, v4.1.0, over RHEL 7 like
> distribution.
>
> The installation was ok, but now I've some problems operating via CLI:
> # ipa user-show admin
> ipa: ERROR: cert validation failed for "CN=srv01.ipa.mydomain.com,O=
> IPA.MYDOMAIN.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer
> has been marked as not trusted by the user.)
> ipa: ERROR: cannot connect to 'https://srv01.ipa.mydomain.com/ipa/json':
> (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as
> not trusted by the user.
>
> I've got the same problem connecting via curl, but after doing these
> commands for curl now it works, but not for ipa cli operations:
> ----------------------
> # certutil -A -d /etc/pki/nssdb -n 'IPA CA' -t CT,C,C -a -i /etc/ipa/ca.crt
> # certutil -L -d /etc/pki/nssdb
> Certificate Nickname                                         Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
> IPA CA                                                       CT,C,C
> # cp /etc/ipa/ca.crt /etc/pki/ca-trust/source/anchors/
> # update-ca-trust extract
> ----------------------
>
> And also this command doesn't work:
> # ipa trust-add --type=ad mydomain.com --admin Administrator --password
> ipa: ERROR: cert validation failed for "CN=srv01.ipa.mydomain.com,O=
> IPA.MYDOMAIN.COM" ((SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer
> has been marked as not trusted by the user.)
> ipa: ERROR: cannot connect to 'https://srv01.ipa.mydomain.com/ipa/json':
> (SEC_ERROR_UNTRUSTED_ISSUER) Peer's certificate issuer has been marked as
> not trusted by the user.
>
> So ... what's the problem?
>
> Let me know, thanks.
> Morgan
>
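An added triage helper for the kind of output shown in this thread (example code, not part of the original post and not FreeIPA or Samba project code). It does three things a defender would want when reading these messages: it reinterprets the signed decimal code that `ipa trust-add` prints ("-1073741258") as the unsigned NTSTATUS value so it can be matched against the `NT_STATUS_*` name Samba logs; it parses the multi-line entries in `/var/log/samba/log.<ip>` into records with timestamp, debug level, source location and any `NT_STATUS_*` result; and it reads a `certutil -L` listing to confirm the `IPA CA` nickname carries the `C` (trusted CA) flag in the SSL column. The sample log and certutil listing embedded below are constructed from the lines quoted in this thread; the small NTSTATUS name table is an assumption limited to the three codes that appear here.

```python
import re
from typing import Dict, List, Optional

# Subset of NTSTATUS values (MS-ERREF); only the codes seen in this thread.
NTSTATUS_NAMES = {
    0xC0000236: "NT_STATUS_CONNECTION_REFUSED",
    0xC000006D: "NT_STATUS_LOGON_FAILURE",
    0xC0000022: "NT_STATUS_ACCESS_DENIED",
}

def decode_ntstatus(code) -> Dict[str, str]:
    """IPA prints the CIFS error as a signed 32-bit decimal.  Reinterpret it
    as unsigned, classify the severity bits (31:30) and look up the name."""
    value = int(code) & 0xFFFFFFFF
    severity = ("success", "informational", "warning", "error")[value >> 30]
    return {"hex": f"0x{value:08X}", "severity": severity,
            "name": NTSTATUS_NAMES.get(value, "UNKNOWN")}

# Samba entry header: "[YYYY/MM/DD HH:MM:SS.micro,  level]"
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s*$")
STATUS_RE = re.compile(r"NT_STATUS_[A-Z_]+")

def parse_samba_log(text: str) -> List[Dict]:
    """Group a Samba debug log into entries: header, location line, then the
    message (which may wrap onto several lines, as the ACCESS_DENIED one does)."""
    entries: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"time": m.group(1), "level": int(m.group(2)),
                       "location": None, "message": [], "status": None}
            entries.append(current)
            continue
        if current is None or not line.strip():
            continue
        if current["location"] is None:
            current["location"] = line.strip()
        else:
            current["message"].append(line.strip())
    for e in entries:
        e["message"] = " ".join(e["message"])
        s = STATUS_RE.search(e["message"])
        e["status"] = s.group(0) if s else None
    return entries

def status_counts(entries: List[Dict]) -> Dict[str, int]:
    """How often each NT_STATUS result appears; entries without one are counted
    under "(no status)" so the unmapped-principal lines are not lost."""
    counts: Dict[str, int] = {}
    for e in entries:
        key = e["status"] or "(no status)"
        counts[key] = counts.get(key, 0) + 1
    return counts

def nss_trust_flags(certutil_listing: str, nickname: str) -> Optional[str]:
    """Return the trust-attribute column for a nickname from `certutil -L`."""
    for line in certutil_listing.splitlines():
        if line.startswith(nickname + " "):
            return line.split()[-1]          # e.g. "CT,C,C"
    return None

def trusted_ssl_ca(flags: str) -> bool:
    """The first comma-separated field is the SSL column; 'C' marks a trusted CA."""
    return "C" in flags.split(",")[0]

# Constructed sample input, taken from the lines quoted in this thread.
SAMPLE_SAMBA_LOG = r"""
[2015/09/08 15:01:50.833128,  1]
../source3/auth/user_krb5.c:164(get_user_from_kerberos_info)
  Username IPA\admin is invalid on this system
[2015/09/08 15:01:50.833200,  1]
../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)
[2015/09/08 15:01:50.833236,  1]
../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup:
NT_STATUS_ACCESS_DENIED
"""

SAMPLE_CERTUTIL = """Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
IPA CA                                                       CT,C,C
"""

if __name__ == "__main__":
    print(decode_ntstatus("-1073741258"))
    entries = parse_samba_log(SAMPLE_SAMBA_LOG)
    for e in entries:
        print(e["time"], e["location"], "->", e["status"] or e["message"])
    print(status_counts(entries))
    flags = nss_trust_flags(SAMPLE_CERTUTIL, "IPA CA")
    print("IPA CA flags:", flags, "trusted SSL CA:", trusted_ssl_ca(flags))
```

Run it against a real `log.<ip>` file and a real `certutil -L -d /etc/pki/nssdb` listing by replacing the constructed samples; the decoded `0xC0000236` matches the `NT_STATUS_CONNECTION_REFUSED` in the httpd error_log above, so the two logs are describing the same failed connection to port 135.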

