On 03/29/2011 02:26 PM, Steven Jones wrote:
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
             12:fb:5c:b4:00:00:00:00:00:02
         Signature Algorithm: sha1WithRSAEncryption
         Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
         Validity
             Not Before: Mar 29 00:54:45 2011 GMT
             Not After : Mar 28 00:54:45 2012 GMT
         Subject: CN=dc0001.ipa.ac.nz
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
                 Public-Key: (1024 bit)
                 Modulus:
                     00:9b:68:bb:1f:8d:62:c4:7c:08:65:f2:ec:c0:32:
                     0a:99:17:b6:02:1a:02:90:e1:d7:64:38:de:ef:f0:
                     58:b0:bb:06:6a:6f:82:ed:c1:8c:9e:ae:44:91:6e:
                     8e:3c:6f:5b:04:44:92:40:cd:af:3e:a2:2f:c8:ad:
                     1f:7a:7f:d7:53:25:2b:f9:b7:c7:ac:c4:cc:3d:92:
                     05:47:a7:96:25:e9:d5:78:a1:4d:e1:a0:65:1d:66:
                     03:d3:e1:11:f6:d5:cc:c5:e5:73:e3:e3:98:ee:c1:
                     23:c2:32:5c:4f:5f:66:ef:98:61:4b:e0:2a:3a:e6:
                     55:67:08:ed:2a:ae:6b:db:ab
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Key Usage:
                 Digital Signature, Key Encipherment
             S/MIME Capabilities:
                 050...*.H..
......0...*.H..
......0...+....0
..*.H..
..
             X509v3 Subject Key Identifier:
                 7F:03:DF:87:27:A7:F2:59:C7:17:E8:CF:19:01:51:1B:FA:EF:D7:D3
             1.3.6.1.4.1.311.20.2:
                 . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
             X509v3 Authority Key Identifier:
                 keyid:CC:D6:15:2E:3F:81:70:17:C5:4B:8D:F9:8E:21:9E:5D:C5:11:F9:DB

             X509v3 CRL Distribution Points:

                 Full Name:
                   URI:ldap:///CN=dc0001,CN=dc0001,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint
                   URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.crl

             Authority Information Access:
                 CA Issuers - URI:ldap:///CN=dc0001,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?cACertificate?base?objectClass=certificationAuthority
                 CA Issuers - URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.ipa.ac.nz_dc0001.crt

             X509v3 Extended Key Usage:
                 TLS Web Client Authentication, TLS Web Server Authentication
             X509v3 Subject Alternative Name:
                 othername:<unsupported>, DNS:dc0001.ipa.ac.nz
     Signature Algorithm: sha1WithRSAEncryption
         6e:11:ea:99:64:72:59:56:71:e8:6d:ab:cd:ee:93:be:cd:d4:
         94:d4:cb:b4:d1:e1:ad:d3:02:a6:1c:15:db:e6:13:6c:74:07:
         21:a0:1d:65:81:de:27:0d:8b:65:9c:5b:e2:2f:8e:67:fb:3f:
         63:7c:a4:a3:ab:15:3d:57:fc:b8:2c:5c:e2:75:fd:71:68:73:
         1d:14:49:cc:a8:5c:fb:62:5d:fd:61:b3:57:6f:18:d7:46:b7:
         5c:7d:6d:5a:ee:5c:8c:66:b6:45:cb:62:8d:72:20:40:b1:cb:
         fa:e8:f5:06:44:19:d1:fc:f3:b7:a0:86:52:39:20:6b:4f:20:
         c5:8f:7f:5c:0d:2f:a3:a1:d7:4f:c7:5e:36:1a:d4:22:33:ea:
         59:31:eb:9e:6a:31:9f:8d:7a:3a:b8:dc:b2:09:4e:64:d5:17:
         14:28:09:c0:b0:48:ff:38:00:4f:cd:01:e1:62:7e:82:dc:4d:
         d6:62:3c:54:e9:c2:ff:7d:9d:c7:b0:cf:ee:f7:6f:0a:e0:c8:
         ec:f0:c0:01:b2:41:56:01:22:a4:31:4d:cd:98:6b:a1:83:db:
         10:de:4d:43:59:b1:d3:4c:2a:16:03:9c:91:97:98:92:23:15:
         04:41:3f:9d:77:9b:fd:b2:32:0d:36:35:06:64:ff:80:6a:e8:
         a0:5b:12:85
This is the MS AD server cert, not the CA cert for the CA that issued the MS AD server cert.

You need the CA cert.
________________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 30 March 2011 9:04 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

On 03/29/2011 02:02 PM, Steven Jones wrote:
Hi,

My Windows person suggests that because this is a self-signed cert, the client needs to be forced to trust it....?

Can you paste the output of
openssl x509 -in /home/jonesst1/domaincert.cer -text
?
regards

Steven
________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 2:50 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
Got a bit further.......I was missing   "--passsync"
I think you were using the V1 documentation. The "Enterprise Identity
Management Guide" is what you want off freeipa.org in the Documentation
section.

[root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are required to create a winsync agreement
[root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
Added CA certificate /home/jonesst1/domaincert.cer to certificate database for fed14-64-ipam001.ipa.ac.nz
ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 'desc': 'Connect error'}
unexpected error: Failed to setup winsync replication
[root@fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
dc0001.ipa.ac.nz has address 192.168.101.2
[root@fed14-64-ipam001 samba]#

But still isn't working.........
I think you have the wrong AD cert. -8179 translates to "Certificate is
signed by an unknown issuer". Can you verify that you have the AD CA
certificate?

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
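
The server-cert versus CA-cert distinction made in the reply at the top of this thread can be read straight from the `openssl x509 -text` dump before the file is passed to `--cacert`. The following is an added example, not part of the original thread or of FreeIPA; `triage_cacert` and its helpers are hypothetical names, and the second sample is constructed for contrast.

```python
import re

# Excerpt of the certificate dump quoted in this thread.
AD_SERVER_CERT = """\
Certificate:
    Data:
        Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
        Subject: CN=dc0001.ipa.ac.nz
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
"""

# Constructed sample (not from the thread): shape of a self-signed CA certificate.
CONSTRUCTED_CA_CERT = """\
Certificate:
    Data:
        Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
        Subject: DC=nz, DC=ac, DC=ipa, CN=dc0001
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
"""

def _field(text, name):
    """Return the value of a single-line `Name: value` field, or None."""
    m = re.search(rf"^\s*{name}:\s*(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def _ext_value(text, ext):
    """Return the line that follows an extension header, or ''."""
    m = re.search(rf"^\s*{re.escape(ext)}:.*\n\s*(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else ""

def triage_cacert(text):
    """Decide whether a dumped certificate is usable as a CA certificate."""
    issuer, subject = _field(text, "Issuer"), _field(text, "Subject")
    if issuer is None or subject is None:
        raise ValueError("input is not `openssl x509 -text` output")
    key_usage = _ext_value(text, "X509v3 Key Usage")
    is_ca = ("CA:TRUE" in _ext_value(text, "X509v3 Basic Constraints")
             and (not key_usage or "Certificate Sign" in key_usage))
    # A non-self-issued certificate chains to `issuer`; that CA's cert is still needed.
    return {"is_ca": is_ca, "self_issued": issuer == subject,
            "needed_issuer": None if issuer == subject else issuer}
```

For the certificate in this thread the result names `DC=nz, DC=ac, DC=ipa, CN=dc0001` as the issuer whose certificate is still missing, which matches the "signed by an unknown issuer" meaning Rob gives for error -8179.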
