certutil output:<div><a href="http://fpaste.org/tJDW/">http://fpaste.org/tJDW/</a> </div><div><br></div><div>pcap output (exported from Wireshark, looks messy):</div><div><a href="http://fpaste.org/M3Gr/">http://fpaste.org/M3Gr/</a> <br>
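<div>An added example, not code from this thread or from 389/IPA: a POSIX shell script that runs the two checks which decide whether the TLS connection the sync agreement opens to the domain controller is accepted. A TLS server presents its own server certificate, not the CA certificate, so the useful comparison is between the issuer of what appears on the wire (the certificate extracted from the pcap, or from <code>openssl s_client -connect dc:636 -showcerts</code>) and the subject of the CA certificate exported from certsrv\CertEnroll; the second check is the hostname match Rich mentions, which an IP address in place of the hostname fails. The script builds a throwaway CA, an unrelated second CA and a DC server certificate with openssl so it runs offline; "Example AD CA", "Some Other CA", ad1.example.test and the scratch directory are assumptions.</div>

```sh
#!/bin/sh
# Added example, not code from the thread or from 389/IPA.
# Builds a throwaway PKI with openssl and runs the two checks that decide
# whether the TLS handshake to an AD domain controller is accepted:
#   1. the certificate the DC actually presents must chain to the CA cert
#      exported from certsrv\CertEnroll (the DC sends its own server cert,
#      never the CA cert itself);
#   2. the name in that certificate must match the hostname in the agreement.
# "Example AD CA", "Some Other CA" and ad1.example.test are assumed names.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# make_ca NAME SUBJECT: self-signed CA with explicit CA extensions, so that
# openssl verify accepts it as an issuer regardless of the local openssl.cnf.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$WORK/$1.ext"
    openssl x509 -req -days 2 -sha256 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# make_test_pki: the CA you would export from CertEnroll, an unrelated CA that
# stands in for "some other cert the DC is sending", and a server cert for the
# DC issued by the first CA. Schannel selects a server cert by the Server
# Authentication EKU and clients match the name against the SAN, so set both.
make_test_pki() {
    make_ca ca    "/CN=Example AD CA"
    make_ca other "/CN=Some Other CA"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ad1.example.test" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    printf 'subjectAltName=DNS:ad1.example.test\nextendedKeyUsage=serverAuth\n' \
        > "$WORK/srv.ext"
    openssl x509 -req -days 2 -sha256 -in "$WORK/srv.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/srv.ext" -out "$WORK/srv.crt" 2>/dev/null
}

# Field helpers in a stable (RFC 2253) form so they can be compared as strings.
issuer_of()  { openssl x509 -in "$1" -noout -nameopt RFC2253 -issuer  | sed 's/^issuer= *//'; }
subject_of() { openssl x509 -in "$1" -noout -nameopt RFC2253 -subject | sed 's/^subject= *//'; }
serial_of()  { openssl x509 -in "$1" -noout -serial | sed 's/^serial= *//'; }

# chains_to_ca SERVER_CERT CA_CERT: check 1. Prints the issuer/subject pair so a
# mismatch is visible and returns the exit status of openssl verify.
chains_to_ca() {
    echo "presented cert issuer: $(issuer_of "$1")"
    echo "imported CA subject  : $(subject_of "$2")"
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# hostname_matches SERVER_CERT CA_CERT NAME: check 2. An IP address in place of
# the hostname fails here unless the cert carries an IP SAN, which DC certs
# normally do not.
hostname_matches() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Run against the throwaway PKI when invoked as: DEMO=1 sh check-dc-cert.sh
if [ "${DEMO:-0}" = 1 ]; then
    make_test_pki
    chains_to_ca "$WORK/srv.crt" "$WORK/ca.crt"    && echo "chain OK with Example AD CA"
    chains_to_ca "$WORK/srv.crt" "$WORK/other.crt" || echo "chain FAILS with Some Other CA"
    hostname_matches "$WORK/srv.crt" "$WORK/ca.crt" ad1.example.test && echo "hostname OK"
    hostname_matches "$WORK/srv.crt" "$WORK/ca.crt" 192.168.201.150 || echo "IP address does not match the cert"
fi
```

<div>To apply it to a real DC, save the certificate from the pcap (or from s_client) as PEM and call <code>chains_to_ca that.pem AD-server-cert.cer</code> and <code>hostname_matches that.pem AD-server-cert.cer dc-hostname</code>; when the first check fails, the printed issuer names the CA that actually signed the presented certificate, which is where to look on the Windows side.</div>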

<br><div class="gmail_quote">On Tue, Jan 24, 2012 at 3:29 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com">rmeggins@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


  
    
  
  <div bgcolor="#ffffff" text="#000000">
    On 01/24/2012 01:26 PM, Jimmy wrote:
    <blockquote type="cite"><font face="arial, helvetica, sans-serif">The sync is
        still not working so I was going back through the docs to see
        what I missed. I know this is from an older version of IPA but I
        was looking here:
        <a href="http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Prerequisites.html#sect-Installation_and_Deployment_Guide-Prerequisites-Setting_up_Active_Directory" target="_blank">http://freeipa.org/docs/1.2/Installation_Deployment_Guide/en-US/html/sect-Installation_and_Deployment_Guide-Setting_up_Synchronization_Between_IPA_and_Active_Directory-Prerequisites.html#sect-Installation_and_Deployment_Guide-Prerequisites-Setting_up_Active_Directory</a></font>
      <div>
        <font face="arial, helvetica, sans-serif"><br>
        </font></div>
      <div><font face="arial, helvetica, sans-serif">and used this
          method to get the AD certificate server cert.</font></div>
    </blockquote>
    You mean "CA cert" not "server cert", right?<br>
    <blockquote type="cite">
      <div>
        <ol style="line-height:15px;font-size:12px">
          <li style="line-height:1.29em;padding-top:0px;margin-top:0em;padding-bottom:0px;margin-bottom:0.4em">
            <div style="line-height:1.29em;padding-top:0px;margin-top:0em;padding-bottom:0px;margin-bottom:0.3em"><font face="arial, helvetica, sans-serif">Navigate
                to My Network Places and drill down to the CA
                distribution point. On Windows 2003 Server this is
                typically <code style="white-space:nowrap;font-weight:bold">C:\WINDOWS\system32\certsrv\CertEnroll\</code></font></div>
          </li>
          <li style="line-height:1.29em;padding-top:0px;margin-top:0em;padding-bottom:0px;margin-bottom:0.4em">
            <div style="line-height:1.29em;padding-top:0px;margin-top:0em;padding-bottom:0px;margin-bottom:0.3em"><font face="arial, helvetica, sans-serif">
                Double-click the security certificate file (<code style="white-space:nowrap;font-weight:bold">.crt</code> file)
                to display the <strong style="font-weight:bold;white-space:nowrap">Certificate</strong> dialog box.</font></div>
          </li>
          <li style="line-height:1.29em;padding-top:0px;margin-top:0em;padding-bottom:0px;margin-bottom:0.4em">
            <div style="line-height:1.29em;padding-top:0px;margin-top:0em;padding-bottom:0px;margin-bottom:0.3em"><font face="arial, helvetica, sans-serif">
                On the <strong style="font-weight:bold;white-space:nowrap">Details</strong> tab, click <strong style="font-weight:bold;white-space:nowrap">Copy
                  to File</strong> to start the <strong>Certificate
                  Export Wizard</strong>.</font></div>
          </li>
          <li style="line-height:1.29em;padding-top:0px;margin-top:0em;padding-bottom:0px;margin-bottom:0.4em">
            <div style="line-height:1.29em;padding-top:0px;margin-top:0em;padding-bottom:0px;margin-bottom:0.3em"><font face="arial, helvetica, sans-serif">
                Click <strong style="font-weight:bold;white-space:nowrap">Next</strong>, select <strong style="font-weight:bold;white-space:nowrap">Base-64
                  encoded X.509 (.CER)</strong> and then click <strong style="font-weight:bold;white-space:nowrap">Next</strong>.</font></div>
          </li>
          <li style="line-height:1.29em;padding-top:0px;margin-top:0em;padding-bottom:0px;margin-bottom:0.4em">
            <div style="line-height:1.29em;padding-top:0px;margin-top:0em;padding-bottom:0px;margin-bottom:0.3em"><font face="arial, helvetica, sans-serif">
                Specify a suitable directory and file name for the
                exported file. The file name is not important. Click <strong style="font-weight:bold;white-space:nowrap">Next</strong> to
                export the certificate, and then click <strong style="font-weight:bold;white-space:nowrap">Finish</strong>.
                You should receive a message stating that the export was
                successful.</font></div>
          </li>
          <li style="line-height:1.29em;padding-top:0px;margin-top:0em;padding-bottom:0px;margin-bottom:0.4em">
            <div style="line-height:1.29em;padding-top:0px;margin-top:0em;padding-bottom:0px;margin-bottom:0.3em"><font face="arial, helvetica, sans-serif">
                Click <strong style="font-weight:bold;white-space:nowrap">OK</strong> to exit the wizard.</font></div>
          </li>
        </ol>
        <font face="arial, helvetica, sans-serif">But when I run the
          command to create the sync agreement (pointing to the cert I
          got in the step above) the ssl connection fails and if I look
          at tcpdump of the connection I see that the AD server is not
          sending the cert that I have imported with the sync agreement.
          I have used certutil to verify that I have the same cert (same
          serial number and same public key) in the 389 server as the
          one in the AD server (
          <span style="font-size:12px;font-weight:bold;line-height:15px;white-space:nowrap">C:\WINDOWS\system32\</span><span style="font-size:12px;font-weight:bold;line-height:15px;white-space:nowrap">certsrv\CertEnroll\)</span></font><span style="font-family:arial,helvetica,sans-serif">.</span> The
        AD server is sending a completely different cert, and I have
        been unable to find the cert in the certificate stores on the AD
        server so I'm not sure where the bogus cert is coming from.
        Before I added the certificate services role the
        certsrv\certenroll directory was not present so I know this was
        created when I added that role to the AD server.</div>
      <div><br>
      </div>
      <div>The pcap can be seen here: <a href="http://www.pcapr.net/view/g17jimmy/2012/0/2/11/ldaps3.pcap.html" target="_blank">http://www.pcapr.net/view/g17jimmy/2012/0/2/11/ldaps3.pcap.html</a> (sorry,
        registration required on that site, I didn't have anywhere else
        to put it.)</div>
    </blockquote>
    Can you try <a href="http://fpaste.org" target="_blank">fpaste.org</a>?<br>
    <blockquote type="cite">
      <div><br>
      </div>
      <div>Any idea why AD would be sending me the wrong cert and where
        it's coming from? Yes, I know this isn't MS just trying to get
        these 2 systems to talk ;).</div>
      <div><br>
      </div>
      <div>
        <div class="gmail_quote"><font face="arial, helvetica,
            sans-serif">On Tue, Jan 24, 2012 at 1:18 PM, Rich Megginson
            <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
            wrote:<br>
          </font>
          <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
            <font face="arial, helvetica, sans-serif"> </font>
            <div bgcolor="#ffffff" text="#000000">
              <div><font face="arial, helvetica, sans-serif"> On
                  01/24/2012 11:03 AM, Jimmy wrote: </font>
                <blockquote type="cite"><font face="arial, helvetica,
                    sans-serif">Ok, I just realized that I only have
                    passsync and not winsync, stupid oversight, but now
                    that I know it I need to get winsync. Is there a
                    location to download binaries or must I compile from
                    source? I see the binaries for passsync on the
                    directory server project downloads but I don't see
                    the same for winsync.</font></blockquote>
              </div>
              <font face="arial, helvetica, sans-serif"> winsync is
                built-in to 389 - there isn't any additional component
                that you need to install.</font>
              <div>
                <div><font face="arial, helvetica, sans-serif"><br>
                  </font>
                  <blockquote type="cite">
                    <div> <font face="arial, helvetica, sans-serif"><br>
                      </font></div>
                    <div><font face="arial, helvetica, sans-serif">Thanks,</font></div>
                    <div><font face="arial, helvetica, sans-serif">Jim<br>
                        <br>
                      </font>
                      <div class="gmail_quote"><font face="arial,
                          helvetica, sans-serif">On Mon, Jan 23, 2012 at
                          1:33 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
                          wrote:<br>
                        </font>
                        <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                          <div bgcolor="#ffffff" text="#000000">
                            <div><font face="arial, helvetica,
                                sans-serif"> On 01/23/2012 11:34 AM,
                                Jimmy wrote: </font>
                              <blockquote type="cite"><font face="arial,
                                  helvetica, sans-serif">I did create
                                  the winsync user and it is an admin. 
                                </font>
                                <div><font face="arial, helvetica,
                                    sans-serif"><br>
                                  </font></div>
                                <div><font face="arial, helvetica,
                                    sans-serif">I will fix the ip
                                     address (change to hostname). I only
                                     did it that way because this is
                                    currently a test system so I can
                                    figure out how to get it all
                                    working.<br>
                                  </font></div>
                              </blockquote>
                            </div>
                            <font face="arial, helvetica, sans-serif">
                              ok - once you do that, you can check the
                              389 errors log at
                              /var/log/dirsrv/slapd-INST/errors to see
                              if winsync is logging any errors </font>
                            <div>
                              <div><font face="arial, helvetica,
                                  sans-serif"><br>
                                </font>
                                <blockquote type="cite">
                                  <div> <font face="arial, helvetica,
                                      sans-serif"><br>
                                    </font>
                                    <div class="gmail_quote"><font face="arial, helvetica,
                                        sans-serif">On Mon, Jan 23, 2012
                                        at 1:06 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
                                        wrote:<br>
                                      </font>
                                      <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                        <div bgcolor="#ffffff" text="#000000">
                                          <div><font face="arial,
                                              helvetica, sans-serif"> On
                                              01/23/2012 10:52 AM, Jimmy
                                              wrote: </font>
                                            <blockquote type="cite"><font face="arial, helvetica,
                                                sans-serif">That's what
                                                I was thinking, and what
                                                I did, but it still
                                                doesn't replicate new
                                                users. This is the
                                                command I used: </font>
                                              <div><font face="arial,
                                                  helvetica, sans-serif"><br>
                                                </font></div>
                                              <div><font face="arial,
                                                  helvetica, sans-serif"> ipa-replica-manage
                                                  connect --passsync
                                                  --binddn
                                                  cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp
                                                  --bindpw=********
                                                  --cacert
                                                  /home/winsync/AD-server-cert.cer
                                                  192.168.201.150 -v<br>
                                                </font></div>
                                            </blockquote>
                                            <font face="arial,
                                              helvetica, sans-serif"><br>
                                            </font></div>
                                          <font face="arial, helvetica,
                                            sans-serif"> Did you create
                                            the user
                                            cn=winsync,cn=Users,dc=cspad,dc=pdh,dc=csp? 
                                            And does this user have the
                                            rights to perform sync?
                                            (e.g. has to have replicator
                                            rights, or be some sort of
                                            admin) - see <a href="http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx" target="_blank">http://msdn.microsoft.com/en-us/library/ms677626%28VS.85%29.aspx</a>
                                            - the AD user must have
                                            replication rights and write
                                            rights.<br>
                                            <br>
                                            In addition, since this
                                            process uses SSL, you cannot
                                            use an IP address, you must
                                            use a hostname, or the SSL
                                            cert hostname checking (for
                                            MITM) will fail. </font>
                                          <div>
                                            <div><font face="arial,
                                                helvetica, sans-serif"><br>
                                              </font>
                                              <blockquote type="cite">
                                                <div> <font face="arial,
                                                    helvetica,
                                                    sans-serif"><br>
                                                  </font>
                                                  <div class="gmail_quote"><font face="arial,
                                                      helvetica,
                                                      sans-serif">On
                                                      Mon, Jan 23, 2012
                                                      at 12:30 PM, Rich
                                                      Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
                                                      wrote:<br>
                                                    </font>
                                                    <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                      <div bgcolor="#ffffff" text="#000000">
                                                        <div><font face="arial,
                                                          helvetica,
                                                          sans-serif">
                                                          On 01/23/2012
                                                          10:19 AM,
                                                          Jimmy wrote: </font>
                                                          <blockquote type="cite"><font face="arial,
                                                          helvetica,
Here's">
                                                          sans-serif">Here's what I found
                                                          in the DS
                                                          admin guide.
                                                          Is this all
                                                          that's needed
                                                          to create the
                                                          sync
                                                          agreement?</font></blockquote>
                                                        </div>
                                                        <font face="arial,
                                                          helvetica,
                                                          sans-serif">
                                                          Not with ipa -
                                                          you should use
                                                          the
                                                          ipa-replica-manage
                                                          command
                                                          instead </font>
                                                        <div><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font>
                                                          <blockquote type="cite"><font face="arial,
                                                          helvetica,
                                                          sans-serif">
                                                          Thanks. </font>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          <div>
                                                          <div><font face="arial,
                                                          helvetica,
add">
                                                          sans-serif">add sync agreement:</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
ldapmodify">
                                                          sans-serif">ldapmodify -x -D "cn=Directory Manager" -W</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
Enter">
                                                          sans-serif">Enter LDAP Password: *******</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
dn:">
                                                          sans-serif">dn: cn=ExampleSyncAgreement,cn=sync replica,cn=dc=example\,dc=com,cn=mapping tree,cn=config</font></div>
                                                          </div>
                                                          </blockquote>
                                                        </div>
                                                        <font face="arial,
                                                          helvetica,
                                                          sans-serif">
                                                          it should be
                                                          cn=replica,
                                                          not cn=sync
                                                          replica - does
                                                          it use the
                                                          latter in the
                                                          Admin Guide? </font>
                                                        <div>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font>
                                                          <blockquote type="cite">
                                                          <div>
                                                          <div><font face="arial,
                                                          helvetica,
changetype:">
                                                          sans-serif">changetype: add</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
objectclass:">
                                                          sans-serif">objectclass: top</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
objectclass:">
                                                          sans-serif">objectclass: nsDSWindowsReplicationAgreement</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
cn:">
                                                          sans-serif">cn: ExampleSyncAgreement</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
nsds7WindowsReplicaSubtree:">
                                                          sans-serif">nsds7WindowsReplicaSubtree: cn=Users,dc=ad1</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
nsds7DirectoryReplicaSubtree:">
                                                          sans-serif">nsds7DirectoryReplicaSubtree: ou=People,dc=example,dc=com</font></div>
                                                          </div>
                                                          </blockquote>
                                                          <blockquote type="cite">
                                                          <div>
                                                          <div><font face="arial,
                                                          helvetica,
nsds7NewWinUserSyncEnabled:">
                                                          sans-serif">nsds7NewWinUserSyncEnabled: on</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
nsds7NewWinGroupSyncEnabled:">
                                                          sans-serif">nsds7NewWinGroupSyncEnabled: on</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
nsds7WindowsDomain:">
                                                          sans-serif">nsds7WindowsDomain: ad1</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
nsDS5ReplicaRoot:">
                                                          sans-serif">nsDS5ReplicaRoot: dc=example,dc=com</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
nsDS5ReplicaHost:">
                                                          sans-serif">nsDS5ReplicaHost: <a href="http://ad1.windows-server.com" target="_blank">ad1.windows-server.com</a></font></div>
                                                          <div><font face="arial,
                                                          helvetica,
nsDS5ReplicaPort:">
                                                          sans-serif">nsDS5ReplicaPort: 389</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
nsDS5ReplicaBindDN:">
                                                          sans-serif">nsDS5ReplicaBindDN: cn=sync user,cn=config</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
nsDS5ReplicaBindCredentials:">
                                                          sans-serif">nsDS5ReplicaBindCredentials: {DES}ffGad646dT0nnsT8nJOaMA==</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
nsDS5ReplicaTransportInfo:">
                                                          sans-serif">nsDS5ReplicaTransportInfo: TLS</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
winSyncInterval:">
                                                          sans-serif">winSyncInterval: 1200</font></div>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font>
                                                          <div class="gmail_quote"><font face="arial,
                                                          helvetica,
                                                          sans-serif">On
                                                          Fri, Jan 20,
                                                          2012 at 3:28
                                                          PM, Rich
                                                          Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
                                                          wrote:<br>
                                                          </font>
                                                          <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div bgcolor="#ffffff" text="#000000">
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif">
                                                          On 01/20/2012
                                                          01:08 PM,
                                                          Jimmy wrote: </font>
                                                          <blockquote type="cite"><font face="arial,
                                                          helvetica,
That">
                                                          sans-serif">That was it! I have
                                                          passwords
                                                          syncing,
                                                          *BUT* (at the
                                                          risk of
                                                          sounding
                                                          stupid)-- is
                                                          it not
                                                          possible to
                                                          also sync (add)
                                                          the users from
                                                          AD to DS?</font></blockquote>
                                                          </div>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif">
                                                          Yes, it is. 
                                                          Just configure
                                                          IPA Windows
                                                          Sync </font>
                                                          <div>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font>
<blockquote type="cite"><font face="arial, helvetica, sans-serif">I created a new user in AD and it doesn't propagate to DS, just says:</font>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          <div>
<div><font face="arial, helvetica, sans-serif">attempting to sync password for testuser3</font></div>
<div><font face="arial, helvetica, sans-serif">searching for (ntuserdomainid=testuser3)</font></div>
<div><font face="arial, helvetica, sans-serif">There are no entries that match: testuser3</font></div>
<div><font face="arial, helvetica, sans-serif">deferring password change for testuser3</font></div>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font>
<div class="gmail_quote"><font face="arial, helvetica, sans-serif">On Fri, Jan 20, 2012 at 2:46 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span> wrote:<br>
</font>
                                                          <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div bgcolor="#ffffff" text="#000000">
<div><font face="arial, helvetica, sans-serif">On 01/20/2012 12:46 PM, Jimmy wrote: </font>
<blockquote type="cite"><font face="arial, helvetica, sans-serif">Getting close here... Now I see this message in the sync log file:</font>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          <div>
<div><font face="arial, helvetica, sans-serif">attempting to sync password for testuser</font></div>
<div><font face="arial, helvetica, sans-serif">searching for (ntuserdomainid=testuser)</font></div>
<div><font face="arial, helvetica, sans-serif">ldap error in queryusername</font></div>
<div><font face="arial, helvetica, sans-serif"> 32: no such object</font></div>
<div><font face="arial, helvetica, sans-serif">deferring password change for testuser</font></div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
<font face="arial, helvetica, sans-serif">This usually means the search base is incorrect or not found. You can look at the 389 access log to see what it was using as the search criteria. </font>
                                                          <div>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font>
                                                          <blockquote type="cite">
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font>
<div class="gmail_quote"><font face="arial, helvetica, sans-serif">On Fri, Jan 20, 2012 at 12:23 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span> wrote:<br>
</font>
                                                          <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div bgcolor="#ffffff" text="#000000">
<div><font face="arial, helvetica, sans-serif">On 01/20/2012 10:23 AM, Jimmy wrote: </font>
<blockquote type="cite"><font face="arial, helvetica, sans-serif">You are correct. I had installed as an Enterprise root, but the doc I was reading (original link) seemed to say that I had to do the certreq manually, my bad. I think I'm getting closer; I can establish an openssl connection from DS to AD but I get these errors:</font>
                                                          <div> <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          <div>
<div><font face="arial, helvetica, sans-serif">openssl s_client -connect <a href="http://192.168.201.150:636" target="_blank">192.168.201.150:636</a> -showcerts -CAfile dsca.crt</font></div>
<div><font face="arial, helvetica, sans-serif">CONNECTED(00000003)</font></div>
<div><font face="arial, helvetica, sans-serif">depth=0 CN = csp-ad.cspad.pdh.csp</font></div>
<div><font face="arial, helvetica, sans-serif">verify error:num=20:unable to get local issuer certificate</font></div>
<div><font face="arial, helvetica, sans-serif">verify return:1</font></div>
<div><font face="arial, helvetica, sans-serif">depth=0 CN = csp-ad.cspad.pdh.csp</font></div>
<div><font face="arial, helvetica, sans-serif">verify error:num=27:certificate not trusted</font></div>
<div><font face="arial, helvetica, sans-serif">verify return:1</font></div>
<div><font face="arial, helvetica, sans-serif">depth=0 CN = csp-ad.cspad.pdh.csp</font></div>
<div><font face="arial, helvetica, sans-serif">verify error:num=21:unable to verify the first certificate</font></div>
<div><font face="arial, helvetica, sans-serif">verify return:1</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
<div><font face="arial, helvetica, sans-serif">I thought I had imported the cert from AD but it doesn't seem so. I'm still researching but if you guys have a suggestion let me know.</font></div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
<font face="arial, helvetica, sans-serif">Is dsca.crt the CA that issued the DS server cert? If so, that won't work. You need the CA cert from the CA that issued the AD server cert (i.e. the CA cert from the MS Enterprise Root CA). </font>
                                                          <div>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font>
                                                          <blockquote type="cite">
                                                          <div>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif">-J</font></div>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font>
<div class="gmail_quote"><font face="arial, helvetica, sans-serif">On Thu, Jan 19, 2012 at 5:04 PM, Rich Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span> wrote:<br>
</font>
                                                          <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div bgcolor="#ffffff" text="#000000">
<div><font face="arial, helvetica, sans-serif">On 01/19/2012 02:59 PM, Jimmy wrote: </font>
<blockquote type="cite"><font face="arial, helvetica, sans-serif">ok. I started from scratch this week on this and I think I've got the right doc and understand better where this is going. My problem now is that when configuring SSL on the AD server (step c in this URL: <a href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service" target="_blank">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html-single/Administration_Guide/index.html#Install_and_Configure_the_Password_Sync_Service</a> )
</font>
<div><font face="arial, helvetica, sans-serif">I get this error: </font></div>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          <div>
<div><font face="arial, helvetica, sans-serif">certreq -submit request.req certnew.cer</font></div>
<div><font face="arial, helvetica, sans-serif">Active Directory Enrollment Policy</font></div>
<div><font face="arial, helvetica, sans-serif">  {25DDA1E7-3A99-4893-BA32-9955AC9EAC42}</font></div>
<div><font face="arial, helvetica, sans-serif">  ldap:</font></div>
<div><font face="arial, helvetica, sans-serif">RequestId: 3</font></div>
<div><font face="arial, helvetica, sans-serif">RequestId: "3"</font></div>
<div><font face="arial, helvetica, sans-serif">Certificate not issued (Denied) Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.</font></div>
<div><font face="arial, helvetica, sans-serif">The request contains no certificate template information. 0x80094801 (-2146875391)</font></div>
<div><font face="arial, helvetica, sans-serif">Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391)</font></div>
<div><font face="arial, helvetica, sans-serif">Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif">The
                                                          RH doc says to
                                                          use the
                                                          browser if an
                                                          error occurs
                                                          and IIS is
                                                          running but
                                                          I'm not
                                                          running IIS. I
                                                          researched
                                                          that error but
                                                          didn't find
                                                          anything that
                                                          helps with
                                                          FreeIPA and
                                                          PassSync.</font></div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif">
                                                          Hmm - try
                                                          installing
                                                          Microsoft
                                                          Certificate
                                                          Authority in
                                                          Enterprise
                                                          Root CA mode -
                                                          it will
                                                          usually
                                                          automatically
                                                          create and
                                                          install the AD
                                                          server cert. 
                                                          <a href="http://directory.fedoraproject.org/wiki/Howto:WindowsSync" target="_blank">http://directory.fedoraproject.org/wiki/Howto:WindowsSync</a>
                                                          </font>
                                                          <div>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font>
                                                          <blockquote type="cite">
                                                          <div>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif">Jimmy</font></div>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font>
                                                          <div class="gmail_quote"><font face="arial,
                                                          helvetica,
                                                          sans-serif">On
                                                          Wed, Jan 11,
                                                          2012 at 3:32
                                                          PM, Rich
                                                          Megginson <span dir="ltr"><<a href="mailto:rmeggins@redhat.com" target="_blank">rmeggins@redhat.com</a>></span>
                                                          wrote:<br>
                                                          </font>
                                                          <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div bgcolor="#ffffff" text="#000000">
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif">
                                                          On 01/11/2012
                                                          11:22 AM,
                                                          Jimmy wrote: </font>
                                                          <blockquote type="cite"><font face="arial,
                                                          helvetica,
                                                          sans-serif">We
                                                          need to be
                                                          able to
                                                          replicate
                                                          user/pass
                                                          between
                                                          Windows 2008
                                                          AD and
                                                          FreeIPA.</font></blockquote>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif">
                                                          That's what
                                                          IPA Windows
                                                          Sync is
                                                          supposed to
                                                          do. </font>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          <br>
                                                          </font>
                                                          <blockquote type="cite"><font face="arial,
                                                          helvetica,
I">
                                                          sans-serif">I
                                                          have followed
                                                          many different
                                                          documents and
                                                          posted here
                                                          about it, and
                                                          from what I've
                                                          read and the
                                                          procedures
                                                          I've followed,
                                                          we are unable
                                                          to accomplish
                                                          this.</font></blockquote>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif">
                                                          What have you
                                                          tried, and
                                                          what problems
                                                          have you run
                                                          into?<br>
                                                          <br>
                                                          </font>
                                                          <blockquote type="cite">
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif">It
                                                          doesn't need
                                                          to be a full
                                                          trust.  </font>
                                                          <div> <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif">Thanks<br>
                                                          <br>
                                                          </font>
                                                          <div class="gmail_quote"><font face="arial,
                                                          helvetica,
                                                          sans-serif">On
                                                          Tue, Jan 10,
                                                          2012 at 3:03
                                                          AM, Jan Zelený
                                                          <span dir="ltr"><<a href="mailto:jzeleny@redhat.com" target="_blank">jzeleny@redhat.com</a>></span>
                                                          wrote:<br>
                                                          </font>
                                                          <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
                                                          <div>
                                                          <div><font face="arial,
                                                          helvetica,
                                                          sans-serif">>
                                                          Just wondering
                                                          if there was
                                                          anyone
                                                          listening on
                                                          the list that
                                                          might be<br>
                                                          > available
                                                          for a little
                                                          work
                                                          integrating
                                                          FreeIPA with
                                                          Active
                                                          Directory<br>
                                                          >
                                                          (preferably
                                                          in the
                                                          southeast US.) I
                                                          hope this
                                                          isn't against
                                                          the list<br>
                                                          > rules, I
                                                          just thought
                                                          one of you
                                                          guys could
                                                          help or point
                                                          me in the
                                                          right<br>
                                                          >
                                                          direction.<br>
                                                          <br>
                                                          </font></div>
                                                          </div>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif">
                                                          If you want
                                                          some help, it
                                                          is certainly
                                                          not against
                                                          list rules ;-)
                                                          But in that<br>
                                                          case, it would
                                                          be much better
                                                          if you asked
                                                          what exactly
                                                          you need.<br>
                                                          <br>
                                                          I'm not an AD
                                                          expert, but a
                                                          couple of tips:
                                                          If you are
                                                          looking for
                                                          cross-domain<br>
                                                          (cross-realm)
                                                          trust, then
                                                          you might be a
                                                          bit
                                                          disappointed,
                                                          it is still in<br>
                                                          development,
                                                          so it probably
                                                          won't be 100%
                                                          functional at
                                                          this moment.<br>
                                                          <br>
                                                          If you are
                                                          looking for
                                                          something
                                                          else, could
                                                          you be a
                                                          little more
                                                          specific what<br>
                                                          it is?<br>
                                                          <br>
                                                          I also
                                                          recommend
                                                          starting with
                                                          reading some
                                                          doc:<br>
                                                          <a href="http://freeipa.org/page/DocumentationPortal" target="_blank">http://freeipa.org/page/DocumentationPortal</a><br>
                                                          <br>
                                                          Thanks<br>
                                                          <span><font color="#888888">Jan<br>
                                                          </font></span></font></blockquote>
                                                          </div>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          </div>
                                                          <pre><fieldset></fieldset><font face="arial, helvetica, sans-serif">
_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></font></pre>
                                                          </blockquote>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          </blockquote>
                                                          </div>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          </div>
                                                          </blockquote>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          </blockquote>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          </blockquote>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          </blockquote>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                          </blockquote>
                                                          <font face="arial,
                                                          helvetica,
                                                          sans-serif"><br>
                                                          </font></div>
                                                        </div>
                                                      </div>
                                                    </blockquote>
                                                  </div>
                                                  <font face="arial,
                                                    helvetica,
                                                    sans-serif"><br>
                                                  </font></div>
                                              </blockquote>
                                              <font face="arial,
                                                helvetica, sans-serif"><br>
                                              </font></div>
                                          </div>
                                        </div>
                                      </blockquote>
                                    </div>
                                    <font face="arial, helvetica,
                                      sans-serif"><br>
                                    </font></div>
                                </blockquote>
                                <font face="arial, helvetica,
                                  sans-serif"><br>
                                </font></div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <font face="arial, helvetica, sans-serif"><br>
                      </font></div>
                  </blockquote>
                  <font face="arial, helvetica, sans-serif"><br>
                  </font></div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div>

</blockquote></div><br></div>
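<div><br></div>
<div>Added worked example for the 0x80094801 "request does not contain a certificate template extension or the CertificateTemplate request attribute" error quoted in the thread above. This is editor-supplied code; it is not part of the thread and not FreeIPA's or Red Hat's documentation. An Enterprise CA's policy module rejects a PKCS#10 request that names no certificate template, so the fix is to name one, both in the request's [RequestAttributes] section and with certreq's -attrib switch at submit time (a Standalone CA has no templates and does not raise this error, which is why the thread's advice is about Enterprise Root CA mode). The host name dc1.example.com, the template name WebServer and the CA config string ca1.example.com\Example-CA are assumptions for illustration; substitute your own, and the template must grant Enroll to the computer account that submits the request. Run in an elevated PowerShell on the AD server that will answer LDAPS:</div>

```powershell
# Added example (not from the thread): build and submit a certificate request that
# carries the CertificateTemplate attribute so an Enterprise CA's policy module does
# not reject it with 0x80094801, then export the CA certificate for the FreeIPA side.
# Host name, template name and CA config string below are assumptions.
$Hostname = "dc1.example.com"             # assumed: AD DS host that will serve LDAPS
$Template = "WebServer"                   # assumed: template granting Enroll to this computer
$CaConfig = "ca1.example.com\Example-CA"  # assumed: CA config string, "host\CA common name"

# INF for certreq -new. The [RequestAttributes] section is what the error says is missing.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Hostname"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
; 0xA0 = digitalSignature | keyEncipherment
KeyUsage = 0xA0

[EnhancedKeyUsageExtension]
; Server Authentication, required for Schannel to pick the cert up for LDAPS
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name carrying the DNS name the sync agreement will connect to
2.5.29.17 = "{text}"
_continue_ = "dns=$Hostname&"

[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path ldaps.inf -Value $inf -Encoding ASCII

# 1. Generate the key pair in the machine store and write the PKCS#10 request.
certreq -new ldaps.inf ldaps.req

# 2. Submit it non-interactively to the named CA. -attrib repeats the template name
#    so the request is classified even if the INF attribute were dropped on the way.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" ldaps.req ldaps.cer

# 3. Bind the issued certificate to the private key in the machine store.
certreq -accept ldaps.cer

# 4. Export the CA certificate (the issuer, not the server cert) and PEM-encode it;
#    adca.pem is what the FreeIPA/389 side needs to trust the LDAPS connection.
certutil -config $CaConfig -ca.cert adca.cer
certutil -encode adca.cer adca.pem
```

<div>Give adca.pem (the CA certificate, which is what the sync must trust, not the server certificate) to the FreeIPA side, then check from the IPA host with <code>openssl s_client -connect dc1.example.com:636 -CAfile adca.pem</code>; once the new server certificate is in place it should report "Verify return code: 0 (ok)" and show a certificate whose subject alternative name matches the host you connect to.</div>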