On 03/29/2011 02:58 PM, Steven Jones wrote:
uh, this is a AD 2003 domain, so this stuff only works with 2008 AD?
No, should not matter. The example I gave was from a Windows 2008 Enterprise CA - a CA cert from a Windows 2003 Enterprise CA looks very similar.
regards
________________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 30 March 2011 9:36 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

On 03/29/2011 02:32 PM, Steven Jones wrote:
Hi,

Yes its a "intermediate CA" In the real world combining them is a huge issue, 
ie making a single joined certificate...It not likely many sites would go to the pain to 
do that....I think you need to re-visit that assumption.....
It does not appear to be CA cert at all, much less an "intermediate
CA".  Someone please correct me if I'm wrong, but the CA does not have
the X509v3 Basic Constraints extension.  For example, here is a CA cert
issued by Windows 2008:
Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number:
              6d:e2:9a:21:dd:d5:20:b6:4f:96:be:57:10:62:50:f7
          Signature Algorithm: sha1WithRSAEncryption
          Issuer: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
          Validity
              Not Before: Feb  9 17:44:10 2011 GMT
              Not After : Feb  9 17:54:07 2021 GMT
          Subject: DC=com, DC=testdomain, CN=testdomain-W2K8X8664-CA
...
          X509v3 extensions:
              X509v3 Key Usage:
                  Digital Signature, Certificate Sign, CRL Sign
              X509v3 Basic Constraints: critical
                  CA:TRUE

The older docs suggested a manual import of the root cert is possible?

regards
________________________________________
From: Rich Megginson [rmegg...@redhat.com]
Sent: Wednesday, 30 March 2011 9:27 a.m.
To: Steven Jones
Cc: Rob Crittenden; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

On 03/29/2011 02:14 PM, Steven Jones wrote:
So I need 2 certificates?
No.
and I have to manually add the root CA with certutil?
No.
to the IPA master as a separate process?
No.

You only need the CA certificate for the CA that issued the MS AD server
certificate.
ipa-replica-manage ... --winsync ... -cacert=/path/to/msadca.cer
will add the CA.

If the MS CA is an intermediate CA, you should ask the administrator to
give you a single CA certificate file (base64 encoded) that contains the
intermediate CA and all of the parent CA up to the root CA.
regards


________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 9:05 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
Hi,

My Windows person suggests because this is a self signed cert, the client needs 
to be forced to trust it....?
That's what we're doing here. You need to provide the CA that issued the
SSL certificate for the AD server we're connecting to.

I'm guessing they didn't give you the root CA cert.

rob

regards

Steven
________________________________________
From: Rob Crittenden [rcrit...@redhat.com]
Sent: Wednesday, 30 March 2011 2:50 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] AD setup failure

Steven Jones wrote:
Got a bit further.......I was missing   "--passsync"
I think you were using the V1 documentation. The "Enterprise Identity
Management Guide" is what you want off freeipa.org in the Documentation
section.

[root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn 
cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --cacert 
/home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
ipa: ERROR: The arguments --binddn, --bindpw, --passsync and --cacert are 
required to create a winsync agreement
[root@fed14-64-ipam001 samba]# ipa-replica-manage connect --winsync --binddn 
cn=administrator,cn=users,dc=ipa,dc-ac,dc=nz \--bindpw Qsmith51B --passsync 
Qsmith51B --cacert /home/jonesst1/domaincert.cer dc0001.ipa.ac.nz -v
Added CA certificate /home/jonesst1/domaincert.cer to certificate database for 
fed14-64-ipam001.ipa.ac.nz
ipa: INFO: Failed to connect to AD server dc0001.ipa.ac.nz
ipa: INFO: The error was: {'info': 'TLS error -8179:Unknown code ___f 13', 
'desc': 'Connect error'}
unexpected error: Failed to setup winsync replication
[root@fed14-64-ipam001 samba]# host dc0001.ipa.ac.nz
dc0001.ipa.ac.nz has address 192.168.101.2
[root@fed14-64-ipam001 samba]#

But still isnt working.........
I think you have the wrong AD cert. -8179 translates to "Certificate is
signed by an unknown issuer". Can you verify that you have the AD CA
certificate?

rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to