<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 01/24/2012 02:51 PM, Jimmy wrote:
<blockquote
cite="mid:CAG8E47Qd4jaaZ9wcOJd+=COgmiyJWtKsGokznMQxU02y77Tr-Q@mail.gmail.com"
type="cite">The cert I'm using both in the sync agreement and in
the openssl command has the serial
number: 68:10:1c:98:3b:5c:e7:8d:43:ec:e3:e7:6a:e7:de:27
(AD-server-cert.cer.) The serial number that shows in the pcap
coming from AD in both instances is 61:13:fd:30:00:00:00:00:00:04
(line 196 in the fpaste)</blockquote>
61:13:fd:30:00:00:00:00:00:04 looks like the AD server cert, not the
AD CA cert:<br>
<br>
193. Certificate (id-at-commonName=xxx-ad.xxxad.xxx.xxx)<br>
<br>
the one at line 217 looks like the AD CA cert, but unfortunately
neither the serial number nor any other identifying information is in
the pcap output<br>
217. Distinguished Name:
(id-at-commonName=xxxad-XXX-AD-CA,dc=xxxad,dc=xxx,dc=xxx)<br>
which corresponds to this from the s_client output:<br>
<br>
51. Acceptable client certificate CA names<br>
52. /DC=xxx/DC=xxx/DC=xxxad/CN=xxxad-xxx-AD-CA<br>
<br>
You can use openssl s_client -connect xxx-ad.xxx.xxx:636 -showcerts
-CAfile /home/winsync/AD-server-cert.cer<br>
<br>
which will show the contents of all of the certs, not just the AD
server cert<br>
<blockquote
cite="mid:CAG8E47Qd4jaaZ9wcOJd+=COgmiyJWtKsGokznMQxU02y77Tr-Q@mail.gmail.com"
type="cite">
<div>
<br>
<div>OpenSSL command: openssl s_client -connect
xxx-ad.xxx.xxx:636 -CAfile /home/winsync/AD-server-cert.cer</div>
<div>OpenSSL output- <a moz-do-not-send="true"
href="http://fpaste.org/Zx5N/">http://fpaste.org/Zx5N/</a> <br>
<br>
Both the output of openssl and the pcap of the openssl session
look successful here. <br>
</div>
</div>
</blockquote>
What about the ldapsearch commands?<br>
<blockquote
cite="mid:CAG8E47Qd4jaaZ9wcOJd+=COgmiyJWtKsGokznMQxU02y77Tr-Q@mail.gmail.com"
type="cite">
<div>
<div><br>
</div>
<div>Thanks for your help.</div>
<div>Jimmy<br>
<br>
<div class="gmail_quote">On Tue, Jan 24, 2012 at 4:20 PM, Rich
Megginson <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"> On 01/24/2012 02:07
PM, Jimmy wrote:
<blockquote type="cite">certutil output:
<div><a moz-do-not-send="true"
href="http://fpaste.org/tJDW/" target="_blank">http://fpaste.org/tJDW/</a> </div>
<div><br>
</div>
<div>pcap output (exported from Wireshark, looks
messy):</div>
<div><a moz-do-not-send="true"
href="http://fpaste.org/M3Gr/" target="_blank">http://fpaste.org/M3Gr/</a>
<br>
</div>
</blockquote>
hard to tell from the pcap output, but is<br>
<br>
Serial Number:
68:10:1c:98:3b:5c:e7:8d:43:ec:e3:e7:6a:e7:de:27<br>
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption<br>
Issuer: "CN=xxxad-xxx-AD-CA,DC=xxxad,DC=xxx,DC=xxx"<br>
Validity:<br>
Not Before: Thu Jan 19 17:52:07 2012<br>
Not After : Thu Jan 19 18:02:04 2017<br>
Subject: "CN=xxxad-xxx-AD-CA,DC=xxxad,DC=xxx,DC=xxx"<br>
<br>
the same cert as the cert from the pcap output that is
called<br>
Distinguished Name:
(id-at-commonName=xxxad-XXX-AD-CA,dc=xxxad,dc=xxx,dc=xxx)<br>
<br>
because this appears to be the AD CA cert sent over from
AD as part of the SSL handshake<br>
<br>
There are a couple of good tools to use to
diagnose/debug connection problems between 389 and AD
before you attempt to use winsync with ssl.<br>
<br>
The first is openssl s_client<br>
openssl s_client -connect ADhost:636 -CAfile
/path/to/adca.cer<br>
<br>
The second is mozldap ldapsearch:<br>
/usr/lib64/mozldap/ldapsearch -h ADHost -p 636 -Z -P
/etc/dirsrv/slapd-INST/cert8.db -s base -b ""
"objectclass=*"<br>
<br>
The third is openldap ldapsearch:<br>
LDAPTLS_CACERT=/path/to/adca.cer ldapsearch -x -h ADHost
-p 636 -s base -b "" "objectclass=*"<br>
<br>
For the last you can add "-d 1" to get detailed SSL
error messages<br>
<blockquote type="cite">
<div> <br>
<div class="gmail_quote">On Tue, Jan 24, 2012 at
3:29 PM, Rich Megginson <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt
0pt 0pt 0.8ex; border-left: 1px solid rgb(204,
204, 204); padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000"> On
01/24/2012 01:26 PM, Jimmy wrote:
<blockquote type="cite"><font face="arial,
helvetica, sans-serif">The sync is still
not working so I was going back through
the docs to see what I missed. I know this
is from an older version of IPA but I was
looking here: <a moz-do-not-send="true"
href="http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Prerequisites.html#sect-Installation_and_Deployment_Guide-Prerequisites-Setting_up_Active_Directory"
target="_blank">http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Prerequisites.html#sect-Installation_and_Deployment_Guide-Prerequisites-Setting_up_Active_Directory</a></font>
<div> <font face="arial, helvetica,
sans-serif"><br>
</font></div>
<div><font face="arial, helvetica,
sans-serif">and used this method to get
the AD certificate server cert.</font></div>
</blockquote>
You mean "CA cert" not "server cert", right?<br>
<blockquote type="cite">
<div>
<ol style="line-height: 15px; font-size:
12px;">
<li style="line-height: 1.29em;
padding-top: 0px; margin-top: 0em;
padding-bottom: 0px; margin-bottom:
0.4em;">
<div style="line-height: 1.29em;
padding-top: 0px; margin-top: 0em;
padding-bottom: 0px; margin-bottom:
0.3em;"><font face="arial,
helvetica, sans-serif">Navigate to
My Network Places and drill down
to the CA distribution point. On
Windows 2003 Server this is
typically <code
style="white-space: nowrap;
font-weight: bold;">C:\WINDOWS\system32\certsrv\CertEnroll\</code></font></div>
</li>
<li style="line-height: 1.29em;
padding-top: 0px; margin-top: 0em;
padding-bottom: 0px; margin-bottom:
0.4em;">
<div style="line-height: 1.29em;
padding-top: 0px; margin-top: 0em;
padding-bottom: 0px; margin-bottom:
0.3em;"><font face="arial,
helvetica, sans-serif">
Double-click the security
certificate file (<code
style="white-space: nowrap;
font-weight: bold;">.crt</code> file)
to display the <strong
style="font-weight: bold;
white-space: nowrap;">Certificate</strong> dialog
box.</font></div>
</li>
<li style="line-height: 1.29em;
padding-top: 0px; margin-top: 0em;
padding-bottom: 0px; margin-bottom:
0.4em;">
<div style="line-height: 1.29em;
padding-top: 0px; margin-top: 0em;
padding-bottom: 0px; margin-bottom:
0.3em;"><font face="arial,
helvetica, sans-serif"> On the <strong
style="font-weight: bold;
white-space: nowrap;">Details</strong> tab,
click <strong style="font-weight:
bold; white-space: nowrap;">Copy
to File</strong> to start the <strong>Certificate
Export Wizard</strong>.</font></div>
</li>
<li style="line-height: 1.29em;
padding-top: 0px; margin-top: 0em;
padding-bottom: 0px; margin-bottom:
0.4em;">
<div style="line-height: 1.29em;
padding-top: 0px; margin-top: 0em;
padding-bottom: 0px; margin-bottom:
0.3em;"><font face="arial,
helvetica, sans-serif"> Click <strong
style="font-weight: bold;
white-space: nowrap;">Next</strong>,
select <strong style="font-weight:
bold; white-space: nowrap;">Base-64
encoded X.509 (.CER)</strong> and
then click <strong
style="font-weight: bold;
white-space: nowrap;">Next</strong>.</font></div>
</li>
<li style="line-height: 1.29em;
padding-top: 0px; margin-top: 0em;
padding-bottom: 0px; margin-bottom:
0.4em;">
<div style="line-height: 1.29em;
padding-top: 0px; margin-top: 0em;
padding-bottom: 0px; margin-bottom:
0.3em;"><font face="arial,
helvetica, sans-serif"> Specify a
suitable directory and file name
for the exported file. The file
name is not important. Click <strong
style="font-weight: bold;
white-space: nowrap;">Next</strong> to
export the certificate, and then
click <strong style="font-weight:
bold; white-space: nowrap;">Finish</strong>.
You should receive a message
stating that the export was
successful.</font></div>
</li>
<li style="line-height: 1.29em;
padding-top: 0px; margin-top: 0em;
padding-bottom: 0px; margin-bottom:
0.4em;">
<div style="line-height: 1.29em;
padding-top: 0px; margin-top: 0em;
padding-bottom: 0px; margin-bottom:
0.3em;"><font face="arial,
helvetica, sans-serif"> Click <strong
style="font-weight: bold;
white-space: nowrap;">OK</strong> to
exit the wizard.</font></div>
</li>
</ol>
<font face="arial, helvetica, sans-serif">But
when I run the command to create the
sync agreement (pointing to the cert I
got in the step above) the ssl
connection fails and if I look at
tcpdump of the connection I see that the
AD server is not sending the cert that I
have imported with the sync agreement. I
have used certutil to verify that I have
the same cert (same serial number and
same public key) in the 389 server as
the one in the AD server ( <span
style="font-size: 12px; font-weight:
bold; line-height: 15px; white-space:
nowrap;">C:\WINDOWS\system32\</span><span
style="font-size: 12px; font-weight:
bold; line-height: 15px; white-space:
nowrap;">certsrv\CertEnroll\)</span></font><span
style="font-family:
arial,helvetica,sans-serif;">.</span> The
AD server is sending a completely
different cert, and I have been unable to
find the cert in the certificate stores on
the AD server so I'm not sure where the
bogus cert is coming from. Before I added
the certificate services role the
certsrv\certenroll directory was not
present so I know this was created when I
added that role to the AD server.</div>
<div><br>
</div>
<div>The pcap can be seen here: <a
moz-do-not-send="true"
href="http://www.pcapr.net/view/g17jimmy/2012/0/2/11/ldaps3.pcap.html"
target="_blank">http://www.pcapr.net/view/g17jimmy/2012/0/2/11/ldaps3.pcap.html</a> (sorry,
registration required on that site, I
didn't have anywhere else to put it.)</div>
</blockquote>
Can you try <a moz-do-not-send="true"
href="http://fpaste.org" target="_blank">fpaste.org</a>?<br>
<blockquote type="cite">
<div><br>
</div>
<div>Any idea why AD would be sending me the
wrong cert and where it's coming from?
Yes, I know this isn't MS just trying to
get these 2 systems to talk ;).</div>
<div><br>
</div>
<div>
<div class="gmail_quote"><font
face="arial, helvetica, sans-serif">On
Tue, Jan 24, 2012 at 1:18 PM, Rich
Megginson <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rmeggins@redhat.com"
target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
</font>
<blockquote class="gmail_quote"
style="margin: 0pt 0pt 0pt 0.8ex;
border-left: 1px solid rgb(204, 204,
204); padding-left: 1ex;"> <font
face="arial, helvetica, sans-serif">
</font>
<div bgcolor="#ffffff" text="#000000">
<div><font face="arial, helvetica,
sans-serif"> On 01/24/2012 11:03
AM, Jimmy wrote: </font>
<blockquote type="cite"><font
face="arial, helvetica,
sans-serif">Ok, I just
realized that I only have
passsync and not winsync,
stupid oversight, but now that
I know it I need to get
winsync. Is there a location
to download binaries or must I
compile from source? I see the
binaries for passsync on the
directory server project
downloads but I don't see the
same for winsync.</font></blockquote>
</div>
<font face="arial, helvetica,
sans-serif"> winsync is built-in
to 389 - there isn't any
additional component that you need
to install.</font>
<div>
<div><font face="arial, helvetica,
sans-serif"><br>
</font>
<blockquote type="cite">
<div> <font face="arial,
helvetica, sans-serif"><br>
</font></div>
<div><font face="arial,
helvetica, sans-serif">Thanks,</font></div>
<div><font face="arial,
helvetica, sans-serif">Jim<br>
<br>
</font>
<div class="gmail_quote"><font
face="arial, helvetica,
sans-serif">On Mon, Jan
23, 2012 at 1:33 PM,
Rich Megginson <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
</font>
<blockquote
class="gmail_quote"
style="margin: 0pt 0pt
0pt 0.8ex; border-left:
1px solid rgb(204, 204,
204); padding-left:
1ex;">
<div bgcolor="#ffffff"
text="#000000">
<div><font
face="arial,
helvetica,
sans-serif"> On
01/23/2012 11:34
AM, Jimmy wrote: </font>
<blockquote
type="cite"><font
face="arial,
helvetica,
sans-serif">I
did create the
winsync user and
it is an admin.
</font>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div><font
face="arial,
helvetica,
sans-serif">I
will fix the
ip
address(change
to hostname,)
I only did it
that way
because this
is currently a
test system so
I can figure
out how to get
it all
working.<br>
</font></div>
</blockquote>
</div>
<font face="arial,
helvetica,
sans-serif"> ok -
once you do that,
you can check the
389 errors log at
/var/log/dirsrv/slapd-INST/errors
to see if winsync is
logging any errors </font>
<div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font>
<blockquote
type="cite">
<div> <font
face="arial,
helvetica,
sans-serif"><br>
</font>
<div
class="gmail_quote"><font
face="arial,
helvetica,
sans-serif">On
Mon, Jan 23,
2012 at 1:06
PM, Rich
Megginson <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
</font>
<blockquote
class="gmail_quote"
style="margin:
0pt 0pt 0pt
0.8ex;
border-left:
1px solid
rgb(204, 204,
204);
padding-left:
1ex;">
<div
bgcolor="#ffffff"
text="#000000">
<div><font
face="arial,
helvetica,
sans-serif">
On 01/23/2012
10:52 AM,
Jimmy wrote: </font>
<blockquote
type="cite"><font
face="arial,
helvetica,
sans-serif">That's
what I was
thinking, and
what I did,
but it still
doesn't
replicate new
users. This is
the command I
used: </font>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div><font
face="arial,
helvetica,
sans-serif"> ipa-replica-manage
connect
--passsync
--binddn
cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp
--bindpw=********
--cacert
/home/winsync/AD-server-cert.cer
192.168.201.150
-v<br>
</font></div>
</blockquote>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<font
face="arial,
helvetica,
sans-serif">
Did you create
the user
cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp?
And does this
user have the
rights to
perform sync?
(e.g. has to
have
replicator
rights, or be
some sort of
admin) - see <a
moz-do-not-send="true"
href="http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx"
target="_blank">http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx</a>
- the AD user
must have
replication
rights and
write rights.<br>
<br>
In addition,
since this
process uses
SSL, you
cannot use an
IP address,
you must use a
hostname, or
the SSL cert
hostname
checking (for
MITM) will
fail. </font>
<div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font>
<blockquote
type="cite">
<div> <font
face="arial,
helvetica,
sans-serif"><br>
</font>
<div
class="gmail_quote"><font
face="arial,
helvetica,
sans-serif">On
Mon, Jan 23,
2012 at 12:30
PM, Rich
Megginson <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
</font>
<blockquote
class="gmail_quote"
style="margin:
0pt 0pt 0pt
0.8ex;
border-left:
1px solid
rgb(204, 204,
204);
padding-left:
1ex;">
<div
bgcolor="#ffffff"
text="#000000">
<div><font
face="arial,
helvetica,
sans-serif">
On 01/23/2012
10:19 AM,
Jimmy wrote: </font>
<blockquote
type="cite"><font
face="arial,
helvetica,
sans-serif">Here's
what I found
in the DS
admin guide.
Is this all
that's needed
to create the
sync
agreement?</font></blockquote>
</div>
<font
face="arial,
helvetica,
sans-serif">
Not with ipa -
you should use
the
ipa-replica-manage
command
instead </font>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font>
<blockquote
type="cite"><font
face="arial,
helvetica,
sans-serif">
Thanks. </font>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div>
<div><font
face="arial,
helvetica,
sans-serif">add
sync
agreement:</font></div>
<div><font
face="arial,
helvetica,
sans-serif">ldapmodify
-x -D
"cn=Directory
Manager" -W</font></div>
<div><font
face="arial,
helvetica,
sans-serif">Enter
LDAP Password:
*******</font></div>
<div><font
face="arial,
helvetica,
sans-serif">dn:
cn=ExampleSyncAgreement,cn=sync
replica,cn=dc=example\,dc=com,cn=mapping
tree,cn=config</font></div>
</div>
</blockquote>
</div>
<font
face="arial,
helvetica,
sans-serif">
it should be
cn=replica,
not cn=sync
replica - does
it use the
latter in the
Admin Guide? </font>
<div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font>
<blockquote
type="cite">
<div>
<div><font
face="arial,
helvetica,
sans-serif">changetype:
add</font></div>
<div><font
face="arial,
helvetica,
sans-serif">objectclass:
top</font></div>
<div><font
face="arial,
helvetica,
sans-serif">objectclass:
nsDSWindowsReplicationAgreement</font></div>
<div><font
face="arial,
helvetica,
sans-serif">cn:
ExampleSyncAgreement</font></div>
<div><font
face="arial,
helvetica,
sans-serif">nsds7WindowsReplicaSubtree:
cn=Users,dc=ad1</font></div>
<div><font
face="arial,
helvetica,
sans-serif">nsds7DirectoryReplicaSubtree:
ou=People,dc=example,dc=com</font></div>
</div>
</blockquote>
<blockquote
type="cite">
<div>
<div><font
face="arial,
helvetica,
sans-serif">nsds7NewWinUserSyncEnabled:
on</font></div>
<div><font
face="arial,
helvetica,
sans-serif">nsds7NewWinGroupSyncEnabled:
on</font></div>
<div><font
face="arial,
helvetica,
sans-serif">nsds7WindowsDomain:
ad1</font></div>
<div><font
face="arial,
helvetica,
sans-serif">nsDS5ReplicaRoot:
dc=example,dc=com</font></div>
<div><font
face="arial,
helvetica,
sans-serif">nsDS5ReplicaHost:
ad1.windows-server.com</font></div>
<div><font
face="arial,
helvetica,
sans-serif">nsDS5ReplicaPort:
389</font></div>
<div><font
face="arial,
helvetica,
sans-serif">nsDS5ReplicaBindDN:
cn=sync
user,cn=config</font></div>
<div><font
face="arial,
helvetica,
sans-serif">nsDS5ReplicaBindCredentials:
{DES}ffGad646dT0nnsT8nJOaMA==</font></div>
<div><font
face="arial,
helvetica,
sans-serif">nsDS5ReplicaTransportInfo:
TLS</font></div>
<div><font
face="arial,
helvetica,
sans-serif">winSyncInterval:
1200</font></div>
<font
face="arial,
helvetica,
sans-serif"><br>
</font>
<div
class="gmail_quote"><font
face="arial,
helvetica,
sans-serif">On
Fri, Jan 20,
2012 at 3:28
PM, Rich
Megginson <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
</font>
<blockquote
class="gmail_quote"
style="margin:
0pt 0pt 0pt
0.8ex;
border-left:
1px solid
rgb(204, 204,
204);
padding-left:
1ex;">
<div
bgcolor="#ffffff"
text="#000000">
<div><font
face="arial,
helvetica,
sans-serif">
On 01/20/2012
01:08 PM,
Jimmy wrote: </font>
<blockquote
type="cite"><font
face="arial,
helvetica,
sans-serif">That
was it! I have
passwords
syncing,
*BUT*(at the
risk of
sounding
stupid)-- is
it not
possible to
also sync(add)
the users from
AD to DS?</font></blockquote>
</div>
<font
face="arial,
helvetica,
sans-serif">
Yes, it is.
Just configure
IPA Windows
Sync </font>
<div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font>
<blockquote
type="cite"><font
face="arial,
helvetica,
sans-serif">I
created a new
user in AD and
it doesn't
propagate to
DS, just says:
</font>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div>
<div><font
face="arial,
helvetica,
sans-serif">attempting
to sync
password for
testuser3</font></div>
<div><font
face="arial,
helvetica,
sans-serif">searching
for
(ntuserdomainid=testuser3)</font></div>
<div><font
face="arial,
helvetica,
sans-serif">There
are no entries
that match:
testuser3</font></div>
<div><font
face="arial,
helvetica,
sans-serif">deferring
password
change for
testuser3</font></div>
<font
face="arial,
helvetica,
sans-serif"><br>
</font>
<div
class="gmail_quote"><font
face="arial,
helvetica,
sans-serif">On
Fri, Jan 20,
2012 at 2:46
PM, Rich
Megginson <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
</font>
<blockquote
class="gmail_quote"
style="margin:
0pt 0pt 0pt
0.8ex;
border-left:
1px solid
rgb(204, 204,
204);
padding-left:
1ex;">
<div
bgcolor="#ffffff"
text="#000000">
<div><font
face="arial,
helvetica,
sans-serif">
On 01/20/2012
12:46 PM,
Jimmy wrote: </font>
<blockquote
type="cite"><font
face="arial,
helvetica,
sans-serif">Getting
close here...
Now I see this
message in the
sync log file:
</font>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div>
<div><font
face="arial,
helvetica,
sans-serif">attempting
to sync
password for
testuser</font></div>
<div><font
face="arial,
helvetica,
sans-serif">searching
for
(ntuserdomainid=testuser)</font></div>
<div><font
face="arial,
helvetica,
sans-serif">ldap
error in
queryusername</font></div>
<div><font
face="arial,
helvetica,
sans-serif"> 32:
no such object</font></div>
<div><font
face="arial,
helvetica,
sans-serif">deferring
password
change for
testuser</font></div>
</div>
</blockquote>
</div>
<font
face="arial,
helvetica,
sans-serif">
This usually
means the
search base is
incorrect or
not found.
You can look
at the 389
access log to
see what it
was using as
the search
criteria. </font>
<div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font>
<blockquote
type="cite">
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font>
<div
class="gmail_quote"><font
face="arial,
helvetica,
sans-serif">On
Fri, Jan 20,
2012 at 12:23
PM, Rich
Megginson <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
</font>
<blockquote
class="gmail_quote"
style="margin:
0pt 0pt 0pt
0.8ex;
border-left:
1px solid
rgb(204, 204,
204);
padding-left:
1ex;">
<div
bgcolor="#ffffff"
text="#000000">
<div><font
face="arial,
helvetica,
sans-serif">
On 01/20/2012
10:23 AM,
Jimmy wrote: </font>
<blockquote
type="cite"><font
face="arial,
helvetica,
sans-serif">You
are correct. I
had installed
as an
Enterprise
root, but the
doc I was
reading (original
link) seemed
to say that I
had to do the
certreq
manually, my
bad. I think
I'm getting
closer I can
establish an
openssl
connection
from DS to AD
but I get
these errors:
</font>
<div> <font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div>
<div><font
face="arial,
helvetica,
sans-serif"> openssl
s_client
-connect 192.168.201.150:636
-showcerts
-CAfile
dsca.crt</font></div>
<div><font
face="arial,
helvetica,
sans-serif">CONNECTED(00000003)</font></div>
<div><font
face="arial,
helvetica,
sans-serif">depth=0
CN =
csp-ad.cspad.pdh.csp</font></div>
<div><font
face="arial,
helvetica,
sans-serif">
verify
error:num=20:unable
to get local
issuer
certificate</font></div>
<div><font
face="arial,
helvetica,
sans-serif">verify
return:1</font></div>
<div><font
face="arial,
helvetica,
sans-serif">depth=0
CN =
csp-ad.cspad.pdh.csp</font></div>
<div><font
face="arial,
helvetica,
sans-serif">verify
error:num=27:certificate
not trusted</font></div>
<div><font
face="arial,
helvetica,
sans-serif">verify
return:1</font></div>
<div><font
face="arial,
helvetica,
sans-serif">depth=0
CN =
csp-ad.cspad.pdh.csp</font></div>
<div><font
face="arial,
helvetica,
sans-serif">verify
error:num=21:unable
to verify the
first
certificate</font></div>
<div><font
face="arial,
helvetica,
sans-serif">verify
return:1</font></div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div><font
face="arial,
helvetica,
sans-serif">I
thought I had
imported the
cert from AD
but it doesn't
seem so. I'm
still
researching
but if you
guys have a
suggestion let
me know.</font></div>
</div>
</blockquote>
</div>
<font
face="arial,
helvetica,
sans-serif">
Is dsca.crt
the CA that
issued the DS
server cert?
If so, that
won't work.
You need the
CA cert from
the CA that
issued the AD
server cert
(i.e. the CA
cert from the
MS Enterprise
Root CA). </font>
<div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font>
<blockquote
type="cite">
<div>
<div><font
face="arial,
helvetica,
sans-serif">-J</font></div>
<font
face="arial,
helvetica,
sans-serif"><br>
</font>
<div
class="gmail_quote"><font
face="arial,
helvetica,
sans-serif">
On Thu, Jan
19, 2012 at
5:04 PM, Rich
Megginson <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
</font>
<blockquote
class="gmail_quote"
style="margin:
0pt 0pt 0pt
0.8ex;
border-left:
1px solid
rgb(204, 204,
204);
padding-left:
1ex;">
<div
bgcolor="#ffffff"
text="#000000">
<div><font
face="arial,
helvetica,
sans-serif">
On 01/19/2012
02:59 PM,
Jimmy wrote: </font>
<blockquote
type="cite"><font
face="arial,
helvetica,
sans-serif">ok.
I started from
scratch this
week on this
and I think
I've got the
right doc and
understand
better where
this is going.
My problem now
is that when
configuring
SSL on the AD
server (step c
in this url:
<a
moz-do-not-send="true"
href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service"
target="_blank">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service</a> )
</font>
<div><font
face="arial,
helvetica,
sans-serif"> I
get this
error: </font></div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div>
<div><font
face="arial,
helvetica,
sans-serif">certreq
-submit
request.req
certnew.cer</font></div>
<div><font
face="arial,
helvetica,
sans-serif">Active
Directory
Enrollment
Policy</font></div>
<div><font
face="arial,
helvetica,
sans-serif">
{25DDA1E7-3A99-4893-BA32-9955AC9EAC42}</font></div>
<div><font
face="arial,
helvetica,
sans-serif">
ldap:</font></div>
<div><font
face="arial,
helvetica,
sans-serif">RequestId:
3</font></div>
<div><font
face="arial,
helvetica,
sans-serif">RequestId:
"3"</font></div>
<div><font
face="arial,
helvetica,
sans-serif">Certificate
not issued
(Denied)
Denied by
Policy Module
0x80094801,
The request
does not
contain a
certificate
template
extension or
the
CertificateTemplate
request
attribute.</font></div>
<div><font
face="arial,
helvetica,
sans-serif"> The
request
contains no
certificate
template
information.
0x80094801 (-2146875391)</font></div>
<div><font
face="arial,
helvetica,
sans-serif">Certificate
Request
Processor: The
request
contains no
certificate
template
information.
0x80094801 (-2146875391)</font></div>
<div><font
face="arial,
helvetica,
sans-serif">
Denied by
Policy Module
0x80094801,
The request
does not
contain a
certificate
template
extension or
the
CertificateTemplate
request
attribute.</font></div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div><font
face="arial,
helvetica,
sans-serif">The
RH doc says to
use the
browser if an
error occurs
and IIS is
running but
I'm not
running IIS. I
researched
that error but
didn't find
anything that
helps with
FreeIPA and
passsync.</font></div>
</div>
</blockquote>
</div>
<font
face="arial,
helvetica,
sans-serif">
Hmm - try
installing
Microsoft
Certificate
Authority in
Enterprise
Root CA mode -
it will
usually
automatically
create and
install the AD
server cert.
<a
moz-do-not-send="true"
href="http://directory.fedoraproject.org/wiki/Howto:WindowsSync"
target="_blank">http://directory.fedoraproject.org/wiki/Howto:WindowsSync</a>
</font>
<div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font>
<blockquote
type="cite">
<div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div><font
face="arial,
helvetica,
sans-serif">Jimmy</font></div>
<div><font
face="arial,
helvetica,
sans-serif"><br>
</font>
<div
class="gmail_quote"><font
face="arial,
helvetica,
sans-serif">On
Wed, Jan 11,
2012 at 3:32
PM, Rich
Megginson <span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
wrote:<br>
</font>
<blockquote
class="gmail_quote"
style="margin:
0pt 0pt 0pt
0.8ex;
border-left:
1px solid
rgb(204, 204,
204);
padding-left:
1ex;">
<div
bgcolor="#ffffff"
text="#000000">
<div><font
face="arial,
helvetica,
sans-serif">
On 01/11/2012
11:22 AM,
Jimmy wrote: </font>
<blockquote
type="cite"><font
face="arial,
helvetica,
sans-serif">We
need to be
able to
replicate
user/pass
between
Windows 2008
AD and
FreeIPA.</font></blockquote>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<font
face="arial,
helvetica,
sans-serif">
That's what
IPA Windows
Sync is
supposed to
do. </font>
<div><font
face="arial,
helvetica,
sans-serif"><br>
<br>
</font>
<blockquote
type="cite"><font
face="arial,
helvetica,
sans-serif">I
have followed
many different
documents and
posted here
about it and
from what I've
read and
procedures
I've followed
we are unable
to accomplish
this.</font></blockquote>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<font
face="arial,
helvetica,
sans-serif">
What have you
tried, and
what problems
have you run
into?<br>
<br>
</font>
<blockquote
type="cite">
<div><font
face="arial,
helvetica,
sans-serif">It
doesn't need
to be a full
trust. </font>
<div> <font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
<div><font
face="arial,
helvetica,
sans-serif">Thanks<br>
<br>
</font>
<div
class="gmail_quote"><font
face="arial,
helvetica,
sans-serif">On
Tue, Jan 10,
2012 at 3:03
AM, Jan Zelený
<span
dir="ltr"><<a
moz-do-not-send="true" href="mailto:jzeleny@redhat.com" target="_blank">jzeleny@redhat.com</a>></span>
wrote:<br>
</font>
<blockquote
class="gmail_quote"
style="margin:
0pt 0pt 0pt
0.8ex;
border-left:
1px solid
rgb(204, 204,
204);
padding-left:
1ex;">
<div>
<div><font
face="arial,
helvetica,
sans-serif">>
Just wondering
if there was
anyone
listening on
the list that
might be<br>
> available
for little
work
integrating
FreeIPA with
Active
Directory<br>
>
(preferably
in the south
east US.) I
hope this
isn't against
the list<br>
> rules, I
just thought
one of you
guys could
help or point
me in the
right<br>
>
direction.<br>
<br>
</font></div>
</div>
<font
face="arial,
helvetica,
sans-serif">
If you want
some help, it
is certainly
not against
list rules ;-)
But in that<br>
case, it would
be much better
if you asked
what exactly
do you need.<br>
<br>
I'm not an AD
expert, but a
couple tips:
If you are
looking for
cross-domain<br>
(cross-realm)
trust, then
you might be a
bit
disappointed,
it is still in<br>
development,
so it probably
won't be 100%
functional at
this moment.<br>
<br>
If you are
looking for
something
else, could
you be a
little more
specific what<br>
it is?<br>
<br>
I also
recommend
starting with
reading some
doc:<br>
<a
moz-do-not-send="true"
href="http://freeipa.org/page/DocumentationPortal" target="_blank">http://freeipa.org/page/DocumentationPortal</a><br>
<br>
Thanks<br>
<span><font
color="#888888">Jan<br>
</font></span></font></blockquote>
</div>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
</div>
<pre><fieldset></fieldset><font face="arial, helvetica, sans-serif">
_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></font></pre>
</blockquote>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
</blockquote>
</div>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
</div>
</blockquote>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
</div>
</div>
</blockquote>
</div>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
</blockquote>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
</div>
</div>
</blockquote>
</div>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
</blockquote>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
</div>
</div>
</blockquote>
</div>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
</blockquote>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
</div>
</div>
</blockquote>
</div>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
</blockquote>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
</div>
</div>
</blockquote>
</div>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
</blockquote>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
</div>
</div>
</blockquote>
</div>
<font
face="arial,
helvetica,
sans-serif"><br>
</font></div>
</blockquote>
<font face="arial,
helvetica,
sans-serif"><br>
</font></div>
</div>
</div>
</blockquote>
</div>
<font face="arial,
helvetica, sans-serif"><br>
</font></div>
</blockquote>
<font face="arial, helvetica,
sans-serif"><br>
</font></div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
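The diagnostic advice given in this thread (the file handed to --cacert / -CAfile must be the cert of the CA that issued the AD server cert, not the server cert itself, and the connection must use a hostname so the certificate name check can pass) can be reproduced offline with a throwaway CA. The script below is an added example; it is not code from the thread, from 389 or from IPA. The CA name, the hostname ad.example.test, the IP literal and all file names are made up, and openssl verify -CAfile is used as a stand-in for the chain building that openssl s_client -CAfile performs against a live server.<br>

```shell
#!/bin/sh
# Added example, not code from the thread or from 389/IPA: reproduce offline
# the two failure modes discussed above using only the openssl CLI.
#   1. Pointing --cacert / -CAfile at the AD *server* cert instead of the CA
#      cert that issued it: chain building fails (verify error 20).
#   2. Connecting by IP address instead of hostname: the chain is trusted but
#      the name check fails.
# Every name, DN and file below is made up for the demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

AD_HOST="ad.example.test"                 # hypothetical domain controller name
CA_KEY="$WORK/ca.key";   CA_CERT="$WORK/adca.cer"
SRV_KEY="$WORK/ad.key";  SRV_CSR="$WORK/ad.csr"
SRV_CERT="$WORK/AD-server-cert.cer"

# Throwaway CA standing in for the AD Enterprise Root CA.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -config "$WORK/req.cnf" -extensions v3_ca \
  -subj "/DC=test/DC=example/CN=example-AD-CA" \
  -keyout "$CA_KEY" -out "$CA_CERT" >/dev/null 2>&1

# Domain controller cert issued by that CA; only a DNS name in the SAN,
# as a typical AD-issued LDAPS cert has.
openssl req -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
  -subj "/CN=$AD_HOST" -keyout "$SRV_KEY" -out "$SRV_CSR" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$AD_HOST" > "$WORK/srv.ext"
openssl x509 -req -in "$SRV_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
  -days 365 -extfile "$WORK/srv.ext" -out "$SRV_CERT" >/dev/null 2>&1

# The fields to compare against certutil -L output and the Certificate
# message in the pcap: subject, issuer and serial number.
cert_summary() { openssl x509 -in "$1" -noout -subject -issuer -serial; }
serial_of()    { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }

# Same chain building that `openssl s_client -CAfile` does against a live
# server, but on a saved cert. $1 = trust file, $2 = leaf cert.
verify_against() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Chain building plus the name check a TLS client performs. $3 is the
# hostname (or IP literal) the client connected to.
verify_host() { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }
verify_ip()   { openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1; }

report() { # $1 = label, remaining args = command to run
  label=$1; shift
  if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; fi
}

echo "== CA cert";     cert_summary "$CA_CERT"
echo "== server cert"; cert_summary "$SRV_CERT"
echo "== verification"
report "server cert chains to the CA cert"               verify_against "$CA_CERT"  "$SRV_CERT"
report "server cert used as the trust file (wrong file)" verify_against "$SRV_CERT" "$SRV_CERT"
report "name check for $AD_HOST"                         verify_host "$CA_CERT" "$SRV_CERT" "$AD_HOST"
report "name check for IP literal 192.0.2.10"            verify_ip   "$CA_CERT" "$SRV_CERT" 192.0.2.10
```

The second report line is the situation described in the thread: a trust file containing the server cert (serial 68:10:...) cannot validate a server that presents that same leaf, because the leaf is not self-signed and its issuer is not in the file, which is exactly the "unable to get local issuer certificate" that s_client printed. The cert_summary output shows the check to make first: the issuer of the server cert must equal the subject of the cert handed to --cacert, and the serial in the pcap's first Certificate message is the server cert's serial, not the CA's. The last line shows why an IP address in the sync agreement fails once the chain is fixed: the cert carries only a DNS name. Against a real AD, replace openssl verify with openssl s_client -connect ADhost:636 -showcerts -CAfile adca.cer, as suggested in the thread.<br>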
</body>
</html>