My Windows person tells me that this cert is the root one, which apparently has no permissions to do anything...

regards
________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 9:49 a.m.
To: Steven Jones
Cc: Rich Megginson; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
> some more output,
>

The new cert looks a lot better. I think you need to remove the old one and
this should start working:

# certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -D -n "Imported CA"

This is trying to add a new cert with the same nickname. Too bad the error
messages out of certutil aren't more helpful.

rob

> ==========
>
> [root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn
> "cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz" --bindpw Qsmith51B --passsync
> Qsmith51B --cacert /home/jonesst1/Cacrt.cer dc0001.ipa.ac.nz -v
> ipa: CRITICAL: Error importing CA cert file named [/home/jonesst1/Cacrt.cer]:
> Command '/usr/bin/certutil -d /etc/dirsrv/slapd-IPA-AC-NZ/ -A -n Imported CA
> -t CT,,C -a' returned non-zero exit status 255
> Could not load the required CA certificate file [/home/jonesst1/Cacrt.cer]
> [root@fed14-64-ipam001 samba]# cd ~jonesst1
> [root@fed14-64-ipam001 jonesst1]# ls -l
> total 52
> -rw-rw-r--. 1 jonesst1 jonesst1  384 Mar 29 15:16 ad-fail
> -rwxr--r--. 1 jonesst1 jonesst1 1628 Mar 30 09:16 Cacrt.cer
> -rw-rw-r--. 1 jonesst1 jonesst1  984 Mar 29 16:11 client2.fail
> -rw-rw-r--. 1 jonesst1 jonesst1  345 Mar 29 15:22 connect-fail
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Desktop
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Documents
> -rwxr--r--. 1 jonesst1 jonesst1 2020 Mar 29 14:06 domaincert.cer
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Downloads
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Music
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Pictures
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Public
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Templates
> drwxr-xr-x. 2 jonesst1 jonesst1 4096 Mar 23 12:05 Videos
> [root@fed14-64-ipam001 jonesst1]#
>
> =========
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             48:58:cd:99:6c:e4:53:b5:4f:6f:5b:9a:86:21:46:b6
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: DC=nz, DC=ac, DC=ipa, CN=dc0001
>         Validity
>             Not Before: Mar 29 00:45:47 2011 GMT
>             Not After : Mar 29 00:55:22 2016 GMT
>         Subject: DC=nz, DC=ac, DC=ipa, CN=dc0001
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     00:b2:f0:2a:e2:a1:f7:6d:6e:96:dc:a8:a1:84:ff:
>                     e8:24:f7:79:de:ad:a9:ac:c4:6d:73:51:ab:7e:fc:
>                     cf:98:d2:85:72:0e:89:7e:df:61:c9:d8:03:1f:9f:
>                     4b:23:bf:29:44:e6:e8:99:87:69:63:09:7e:c6:3e:
>                     ad:99:ac:31:1e:b6:08:80:03:3d:99:6a:e5:85:b1:
>                     ea:77:1e:8c:70:8a:c7:b8:6b:b7:a5:fd:13:15:83:
>                     95:8b:f6:cd:2a:a4:f9:f6:7e:f0:b4:a8:a1:38:ee:
>                     e3:ff:13:00:64:b0:60:01:ac:e8:79:1e:2d:3c:e9:
>                     44:df:17:46:d8:e5:8a:0a:40:53:2e:60:8d:7c:93:
>                     4e:e8:ea:ab:7a:c2:16:45:14:79:57:7c:21:f7:d9:
>                     a2:2c:09:4b:cb:ff:b8:a5:80:d4:b5:a2:f4:03:5f:
>                     3a:b8:8d:1c:14:d6:b7:b5:29:c8:38:80:1b:41:29:
>                     54:0f:6b:6a:80:f5:9c:38:d8:31:51:ae:25:70:06:
>                     2d:f7:5d:90:06:33:b6:93:d9:3a:33:4d:ce:4f:41:
>                     30:df:89:55:87:ee:c1:86:e6:e8:20:3f:c5:58:e8:
>                     fa:7f:40:00:60:f6:10:d7:ec:38:7d:d0:1d:20:f4:
>                     d1:a9:fe:e8:3d:fd:a7:91:b9:0e:2f:f2:fd:0f:e1:
>                     0a:0b
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Key Usage:
>                 Digital Signature, Certificate Sign, CRL Sign
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>             X509v3 Subject Key Identifier:
>                 CC:D6:15:2E:3F:81:70:17:C5:4B:8D:F9:8E:21:9E:5D:C5:11:F9:DB
>             X509v3 CRL Distribution Points:
>
>                 Full Name:
>
>                   URI:ldap:///CN=dc0001,CN=dc0001,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=ipa,DC=ac,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint
>                   URI:http://dc0001.ipa.ac.nz/CertEnroll/dc0001.crl
>
>             1.3.6.1.4.1.311.21.1:
>                 ...
>     Signature Algorithm: sha1WithRSAEncryption
>          1c:69:e5:c3:fe:06:e2:22:86:cf:20:a7:18:7f:49:02:6c:c7:
>          31:8f:40:84:79:72:20:6c:3f:45:2d:e5:7c:91:33:ad:db:e6:
>          f2:d9:90:4f:20:0e:ba:1f:63:3c:5c:70:5f:b3:b7:29:75:83:
>          1f:dd:d4:c7:56:e1:e5:b0:32:a4:cb:70:4f:21:d7:49:3c:cd:
>          43:c9:2b:e7:02:12:8b:ad:d8:f4:b4:c9:af:69:c2:3d:16:9c:
>          92:4b:08:45:4a:51:45:01:0d:bb:57:30:95:98:0c:68:14:74:
>          ee:9f:c1:bb:f1:76:5b:ea:e4:95:d5:83:fc:21:d2:a3:00:1a:
>          71:bb:fc:90:c6:27:56:e6:ba:73:71:2b:8e:7f:c2:e8:e6:be:
>          7b:0a:4e:ef:66:6c:62:54:5d:01:61:cd:21:bd:15:3d:f5:a2:
>          d1:bc:e5:36:a2:4e:c8:22:82:99:e7:0e:17:97:c5:fd:80:39:
>          59:af:fa:c3:28:b2:22:34:d2:3b:9c:5b:43:80:1a:a9:08:46:
>          83:2c:56:c0:fc:64:98:03:0b:7a:53:f3:fb:98:a1:62:f2:5d:
>          8b:6f:d9:81:43:41:ba:31:d2:02:6e:b2:26:3e:63:59:df:d8:
>          d6:d7:c2:70:5d:18:26:3e:5c:98:11:51:59:a4:52:13:17:80:
>          74:eb:90:89
> -----BEGIN CERTIFICATE-----
> MIIEcTCCA1mgAwIBAgIQSFjNmWzkU7VPb1uahiFGtjANBgkqhkiG9w0BAQUFADBO
> MRIwEAYKCZImiZPyLGQBGRYCbnoxEjAQBgoJkiaJk/IsZAEZFgJhYzETMBEGCgmS
> JomT8ixkARkWA2lwYTEPMA0GA1UEAxMGZGMwMDAxMB4XDTExMDMyOTAwNDU0N1oX
> DTE2MDMyOTAwNTUyMlowTjESMBAGCgmSJomT8ixkARkWAm56MRIwEAYKCZImiZPy
> LGQBGRYCYWMxEzARBgoJkiaJk/IsZAEZFgNpcGExDzANBgNVBAMTBmRjMDAwMTCC
> ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALLwKuKh921ultyooYT/6CT3
> ed6tqazEbXNRq378z5jShXIOiX7fYcnYAx+fSyO/KUTm6JmHaWMJfsY+rZmsMR62
> CIADPZlq5YWx6ncejHCKx7hrt6X9ExWDlYv2zSqk+fZ+8LSooTju4/8TAGSwYAGs
> 6HkeLTzpRN8XRtjligpAUy5gjXyTTujqq3rCFkUUeVd8IffZoiwJS8v/uKWA1LWi
> 9ANfOriNHBTWt7UpyDiAG0EpVA9raoD1nDjYMVGuJXAGLfddkAYztpPZOjNNzk9B
> MN+JVYfuwYbm6CA/xVjo+n9AAGD2ENfsOH3QHSD00an+6D39p5G5Di/y/Q/hCgsC
> AwEAAaOCAUkwggFFMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
> DgQWBBTM1hUuP4FwF8VLjfmOIZ5dxRH52zCB8wYDVR0fBIHrMIHoMIHloIHioIHf
> hoGtbGRhcDovLy9DTj1kYzAwMDEsQ049ZGMwMDAxLENOPUNEUCxDTj1QdWJsaWMl
> MjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERD
> PWlwYSxEQz1hYyxEQz1uej9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/
> b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnSGLWh0dHA6Ly9kYzAwMDEu
> aXBhLmFjLm56L0NlcnRFbnJvbGwvZGMwMDAxLmNybDAQBgkrBgEEAYI3FQEEAwIB
> ADANBgkqhkiG9w0BAQUFAAOCAQEAHGnlw/4G4iKGzyCnGH9JAmzHMY9AhHlyIGw/
> RS3lfJEzrdvm8tmQTyAOuh9jPFxwX7O3KXWDH93Ux1bh5bAypMtwTyHXSTzNQ8kr
> 5wISi63Y9LTJr2nCPRackksIRUpRRQENu1cwlZgMaBR07p/Bu/F2W+rkldWD/CHS
> owAacbv8kMYnVua6c3Erjn/C6Oa+ewpO72ZsYlRdAWHNIb0VPfWi0bzlNqJOyCKC
> mecOF5fF/YA5Wa/6wyiyIjTSO5xbQ4AaqQhGgyxWwPxkmAMLelPz+5ihYvJdi2/Z
> gUNBujHSAm6yJj5jWd/Y1tfCcF0YJj5cmBFRWaRSExeAdOuQiQ==
> -----END CERTIFICATE-----
>
> ________________________________________
> From: Rich Megginson [rmegg...@redhat.com]
> Sent: Wednesday, 30 March 2011 9:36 a.m.
> To: Steven Jones
> Cc: Rob Crittenden; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] AD setup failure
>
> On 03/29/2011 02:32 PM, Steven Jones wrote:
>> Hi,
>>
>> Yes, it's an "intermediate CA". In the real world combining them is a huge
>> issue, i.e. making a single joined certificate... It's not likely many sites
>> would go to the pain to do that.... I think you need to re-visit that
>> assumption.....
> It does not appear to be a CA cert at all, much less an "intermediate
> CA". Someone please correct me if I'm wrong, but the CA does not have
> the X509v3 Basic Constraints extension. For example, here is a CA cert
> issued by Windows 2008:
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             6d:e2:9a:21:dd:d5:20:b6:4f:96:be:57:10:62:50:f7
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
>         Validity
>             Not Before: Feb 9 17:44:10 2011 GMT
>             Not After : Feb 9 17:54:07 2021 GMT
>         Subject: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
> ...
>         X509v3 extensions:
>             X509v3 Key Usage:
>                 Digital Signature, Certificate Sign, CRL Sign
>             X509v3 Basic Constraints: critical
>                 CA:TRUE
>
>> The older docs suggested a manual import of the root cert is possible?
>>
>> regards
>> ________________________________________
>> From: Rich Megginson [rmegg...@redhat.com]
>> Sent: Wednesday, 30 March 2011 9:27 a.m.
>> To: Steven Jones
>> Cc: Rob Crittenden; freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] AD setup failure
>>
>> On 03/29/2011 02:14 PM, Steven Jones wrote:
>>> So I need 2 certificates?
>> No.
>>> and I have to manually add the root CA with certutil?
>> No.
>>> to the IPA master as a separate process?
>> No.
>>
>> You only need the CA certificate for the CA that issued the MS AD server
>> certificate.
>> ipa-replica-manage ... --winsync ... --cacert=/path/to/msadca.cer
>> will add the CA.
>>
>> If the MS CA is an intermediate CA, you should ask the administrator to
>> give you a single CA certificate file (base64 encoded) that contains the
>> intermediate CA and all of the parent CAs up to the root CA.
>>> regards
>>>
>>>
>>> ________________________________________
>>> From: Rob Crittenden [rcrit...@redhat.com]
>>> Sent: Wednesday, 30 March 2011 9:05 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] AD setup failure
>>>
>>> Steven Jones wrote:
>>>> Hi,
>>>>
>>>> My Windows person suggests because this is a self-signed cert, the client
>>>> needs to be forced to trust it....?
>>> That's what we're doing here. You need to provide the CA that issued the
>>> SSL certificate for the AD server we're connecting to.
>>>
>>> I'm guessing they didn't give you the root CA cert.
>>>
>>> rob
>>>
>>>> regards
>>>>
>>>> Steven
>>>> ________________________________________
>>>> From: Rob Crittenden [rcrit...@redhat.com]
>>>> Sent: Wednesday, 30 March 2011 2:50 a.m.
>>>> To: Steven Jones
>>>> Cc: freeipa-users@redhat.com
>>>> Subject: Re: [Freeipa-users] AD setup failure
>>>>
>>>> Steven Jones wrote:
>>>>> Got a bit further....... I was missing "--passsync"
>>>> I think you were using the V1 documentation. The "Enterprise Identity
>>>> Management Guide" is what you want off freeipa.org in the Documentation
>>>> section.
>>>>
>>>>> [root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync
>>>>> --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B
>>>>> --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
>>>>> ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are
>>>>> required to create a winsync agreement
>>>>> [root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync
>>>>> --binddn cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B
>>>>> --passsync Qsmith51B --cacert /home/jonesst1/domaincert.cer
>>>>> dc0001.ipa.ac.nz -v
>>>>> Added CA certificate /home/jonesst1/domaincert.cer to certificate
>>>>> database for fed14-64-ipam001.ipa.ac.nz
>>>>> ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
>>>>> ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f
>>>>> 13', 'desc': 'Connect error'}
>>>>> unexpected error: Failed to setup winsync replication
>>>>> [root@fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
>>>>> dc0001.ipa.ac.nz has address 192.168.101.2
>>>>> [root@fed14-64-ipam001 samba]#
>>>>>
>>>>> But still isn't working.........
>>>> I think you have the wrong AD cert. -8179 translates to "Certificate is
>>>> signed by an unknown issuer". Can you verify that you have the AD CA
>>>> certificate?
>>>>
>>>> rob
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
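Two different things went wrong in this thread: the first run fed ipa-replica-manage a server certificate (domaincert.cer, which Rich pointed out carries no Basic Constraints extension), so the TLS handshake to dc0001 failed with -8179, unknown issuer; the second run used the right root certificate but collided with the "Imported CA" nickname the first run had already written into /etc/dirsrv/slapd-IPA-AC-NZ/, so certutil -A exited 255. The script below is an added example written for this page, not FreeIPA or 389-ds code. It does the check Rich did by eye, over a whole chain file if that is what the Windows admin supplies (every certificate must be a CA with keyCertSign, and one must be self-signed so the root is present), and it applies Rob's fix of deleting the stale nickname before the next import. The embedded certificate is the dc0001 root posted above; the certutil -L probe in remove_stale_nickname, and the assumption that certutil -D simply fails when the nickname does not exist, are standard certutil behaviour not shown on this page.

```python
"""Vet a CA certificate before handing it to ipa-replica-manage --cacert (added example)."""
import base64
import subprocess

OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19

def pem_to_ders(pem_text):
    """DER bytes of every CERTIFICATE block (a chain file carries several)."""
    bodies = [part.split("-----END CERTIFICATE-----")[0]
              for part in pem_text.split("-----BEGIN CERTIFICATE-----")[1:]]
    return [base64.b64decode("".join(body.split())) for body in bodies]

def tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value bytes, next pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """(tag, value) of each element inside a SEQUENCE or SET body."""
    pos = 0
    while pos < len(value):
        tag, v, pos = tlv(value, pos)
        yield tag, v

def inspect_cert(der):
    """Facts that decide whether a cert can anchor the AD LDAPS chain. tbsCertificate
    holds [0] version, serial, signature, issuer, validity, subject, SPKI, [3] exts."""
    fields = list(children(next(children(tlv(der, 0)[1]))[1]))
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # drop optional version
    info = {"self_signed": fields[2][1] == fields[4][1], "basic_constraints": False,
            "ca": False, "key_cert_sign": False}
    for exts in (v for t, v in fields[6:] if t == 0xA3):      # [3] EXPLICIT extensions
        for _, ext in children(next(children(exts))[1]):
            parts = list(children(ext))              # extnID, [critical], extnValue
            oid, inner = parts[0][1], parts[-1][1]   # inner: OCTET STRING content
            if oid == OID_BASIC_CONSTRAINTS:         # SEQUENCE { cA BOOLEAN DEFAULT FALSE }
                info["basic_constraints"] = True
                bc = list(children(next(children(inner))[1]))
                info["ca"] = bool(bc) and bc[0][0] == 0x01 and bc[0][1] != b"\x00"
            elif oid == OID_KEY_USAGE:               # BIT STRING; keyCertSign is bit 5
                bits = next(children(inner))[1]      # bits[0] is the unused-bit count
                info["key_cert_sign"] = len(bits) > 1 and bool(bits[1] & 0x04)
    return info

def ca_file_problems(pem_text):
    """Reasons not to pass this file to --cacert; an empty list means it looks right."""
    infos = [inspect_cert(der) for der in pem_to_ders(pem_text)]
    problems = [] if infos else ["no PEM CERTIFICATE block: export Base-64 X.509, not DER"]
    for i, info in enumerate(infos):
        if not info["basic_constraints"]:
            problems.append(f"cert {i}: no Basic Constraints, an end-entity cert, not a CA")
        elif not info["ca"]:
            problems.append(f"cert {i}: Basic Constraints says CA:FALSE")
        if not info["key_cert_sign"]:
            problems.append(f"cert {i}: Key Usage lacks Certificate Sign")
    if infos and not any(info["self_signed"] for info in infos):
        problems.append("no self-signed cert: the root of the chain is missing")
    return problems

def remove_stale_nickname(db_dir, nickname="Imported CA"):
    """Rob's fix: delete what sits under nickname so ipa-replica-manage can import the
    right cert under that name. Needs certutil, so the checks here do not run it."""
    subprocess.run(["certutil", "-d", db_dir, "-D", "-n", nickname], capture_output=True)
    probe = subprocess.run(["certutil", "-d", db_dir, "-L", "-n", nickname], capture_output=True)
    return probe.returncode != 0                     # True once the nickname is gone

# The dc0001 root CA certificate posted in this thread (Cacrt.cer), verbatim.
DC0001_CA_PEM = """-----BEGIN CERTIFICATE-----
MIIEcTCCA1mgAwIBAgIQSFjNmWzkU7VPb1uahiFGtjANBgkqhkiG9w0BAQUFADBO
MRIwEAYKCZImiZPyLGQBGRYCbnoxEjAQBgoJkiaJk/IsZAEZFgJhYzETMBEGCgmS
JomT8ixkARkWA2lwYTEPMA0GA1UEAxMGZGMwMDAxMB4XDTExMDMyOTAwNDU0N1oX
DTE2MDMyOTAwNTUyMlowTjESMBAGCgmSJomT8ixkARkWAm56MRIwEAYKCZImiZPy
LGQBGRYCYWMxEzARBgoJkiaJk/IsZAEZFgNpcGExDzANBgNVBAMTBmRjMDAwMTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALLwKuKh921ultyooYT/6CT3
ed6tqazEbXNRq378z5jShXIOiX7fYcnYAx+fSyO/KUTm6JmHaWMJfsY+rZmsMR62
CIADPZlq5YWx6ncejHCKx7hrt6X9ExWDlYv2zSqk+fZ+8LSooTju4/8TAGSwYAGs
6HkeLTzpRN8XRtjligpAUy5gjXyTTujqq3rCFkUUeVd8IffZoiwJS8v/uKWA1LWi
9ANfOriNHBTWt7UpyDiAG0EpVA9raoD1nDjYMVGuJXAGLfddkAYztpPZOjNNzk9B
MN+JVYfuwYbm6CA/xVjo+n9AAGD2ENfsOH3QHSD00an+6D39p5G5Di/y/Q/hCgsC
AwEAAaOCAUkwggFFMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
DgQWBBTM1hUuP4FwF8VLjfmOIZ5dxRH52zCB8wYDVR0fBIHrMIHoMIHloIHioIHf
hoGtbGRhcDovLy9DTj1kYzAwMDEsQ049ZGMwMDAxLENOPUNEUCxDTj1QdWJsaWMl
MjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERD
PWlwYSxEQz1hYyxEQz1uej9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/
b2JqZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnSGLWh0dHA6Ly9kYzAwMDEu
aXBhLmFjLm56L0NlcnRFbnJvbGwvZGMwMDAxLmNybDAQBgkrBgEEAYI3FQEEAwIB
ADANBgkqhkiG9w0BAQUFAAOCAQEAHGnlw/4G4iKGzyCnGH9JAmzHMY9AhHlyIGw/
RS3lfJEzrdvm8tmQTyAOuh9jPFxwX7O3KXWDH93Ux1bh5bAypMtwTyHXSTzNQ8kr
5wISi63Y9LTJr2nCPRackksIRUpRRQENu1cwlZgMaBR07p/Bu/F2W+rkldWD/CHS
owAacbv8kMYnVua6c3Erjn/C6Oa+ewpO72ZsYlRdAWHNIb0VPfWi0bzlNqJOyCKC
mecOF5fF/YA5Wa/6wyiyIjTSO5xbQ4AaqQhGgyxWwPxkmAMLelPz+5ihYvJdi2/Z
gUNBujHSAm6yJj5jWd/Y1tfCcF0YJj5cmBFRWaRSExeAdOuQiQ==
-----END CERTIFICATE-----"""
```

For the root posted above, ca_file_problems(DC0001_CA_PEM) returns an empty list and inspect_cert reports CA:TRUE, Certificate Sign and a self-signed subject; a file like domaincert.cer would come back flagged as an end-entity certificate, which is the condition behind the -8179 error. On the IPA master, remove_stale_nickname("/etc/dirsrv/slapd-IPA-AC-NZ/") clears the entry that made the second certutil -A exit 255, after which ipa-replica-manage connect --winsync can be re-run with the vetted file.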