On 03/29/2011 02:32 PM, Steven Jones wrote:
Hi,
Yes its a "intermediate CA" In the real world combining them is a huge issue,
ie making a single joined certificate...It not likely many sites would go to the pain to
do that....I think you need to re-visit that assumption.....
It does not appear to be CA cert at all, much less an "intermediate
CA". Someone please correct me if I'm wrong, but the CA does not have
the X509v3 Basic Constraints extension. For example, here is a CA cert
issued by Windows 2008:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6d:e2:9a:21:dd:d5:20:b6:4f:96:be:57:10:62:50:f7
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
Validity
Not Before: Feb 9 17:44:10 2011 GMT
Not After : Feb 9 17:54:07 2021 GMT
Subject: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
...
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
The older docs suggested a manual import of the root cert is possible?
regards
________________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 30 March 2011 9:27 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure
On 03/29/2011 02:14 PM, Steven Jones wrote:
So I need 2 certificates?
No.
and I have to manually add the root CA with certutil?
No.
to the IPA master as a separate process?
No.
You only need the CA certificate for the CA that issued the MS AD server
certificate.
ipa-replica-manage ... --winsync ... -cacert=/path/to/msadca.cer
will add the CA.
If the MS CA is an intermediate CA, you should ask the administrator to
give you a single CA certificate file (base64 encoded) that contains the
intermediate CA and all of the parent CA up to the root CA.
regards
________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 9:05 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure
Steven Jones wrote:
Hi,
My Windows person suggests because this is a self signed cert, the client needs
to be forced to trust it....?
That's what we're doing here. You need to provide the CA that issued the
SSL certificate for the AD server we're connecting to.
I'm guessing they didn't give you the root CA cert.
rob
regards
Steven
________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 2:50 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure
Steven Jones wrote:
Got a bit further.......I was missing "--passsync"
I think you were using the V1 documentation. The "Enterprise Identity
Management Guide" is what you want off freeipa.org in the Documentation
section.
[root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn
cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert
/home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are
required to create a winsync agreement
[root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn
cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync
Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
Added CA certificate /home/jonesst1/domaincert.cer to certificate database for
fed14-64-ipam001.ipa.ac.nz
ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13',
'desc': 'Connect error'}
unexpected error: Failed to setup winsync replication
[root@fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
dc0001.ipa.ac.nz has address 192.168.101.2
[root@fed14-64-ipam001 samba]#
But still isnt working.........
I think you have the wrong AD cert. -8179 translates to "Certificate is
signed by an unknown issuer". Can you verify that you have the AD CA
certificate?
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
