> > Hi,
> >
> >>> Hi,
> >>>
> >>>>> Hi all,
> >>>>>
> >>>>> I have a problem with winsync between IPA 2.2 on CentOS 6.3 and
> >>>>> Active Directory 2008R2.
> >>>>>
> >>>>> I'm following this documentation to enable synchronization:
> >>>>> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Setting_up_Active_Directory.html
> >>>> There is nothing on this page about running certutil? Which link
> >>>> talks about certutil?
> >>> The links in the documentation talk about commands and options
> >>> for certutil, but I don't see anything about this error.
> >> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/managing-sync-agmt.html
> >>
> >> Can one of the IPA developers explain why it is necessary to install
> >> the IPA CA certificate into the Windows Cert Store in order to get
> >> Winsync/PassSync working? I don't believe it is necessary.
> >>
> >> For now, just skip steps 1 and 2 under 8.4.1. Trusting the Active
> >> Directory and IPA CA Certificates
> > - I trusted the IPA certificate on AD.
> > To do this, I launched mmc, added the "Certificate" component for
> > "local computer", and then added the IPA cert to Trusted Root CAs.
> >
> > Now when I run "openssl s_client -host ad-server.example.com -port 636"
> > I can see the IPA certificate as a Trusted client CA.
> >
> > - I tested the AD LDAP connection:
> > LDAPTLS_CACERTDIR=/etc/dirsrv/slapd-EXAMPLE-LOCAL ldapsearch -xLLL -H ldap://ad-server.example.com -ZZ -D "cn=ipasync,cn=users,dc=example,dc=com" -w XXXXX -s base -b "" 'objectclass=*' namingcontexts
> > dn:
> > namingContexts: DC=example,DC=com
> > namingContexts: CN=Configuration,DC=example,DC=com
> > namingContexts: CN=Schema,CN=Configuration,DC=example,DC=com
> > namingContexts: DC=DomainDnsZones,DC=example,DC=com
> > namingContexts: DC=ForestDnsZones,DC=example,DC=com
> >
> > - Now I run into another problem when I run:
> >
> > ipa-replica-manage connect --winsync --binddn cn=ipasync,cn=users,dc=example,dc=com --bindpw XXXXX --passsync XXXXX --cacert /etc/openldap/cacerts/ad-ca.crt ad-server.example.com -v
> > Directory Manager password:
> >
> > Added CA certificate /etc/openldap/cacerts/ad-ca.crt to certificate database for ipa.foo.example.local
> > ipa: INFO: AD Suffix is: DC=example,DC=com
> > The user for the Windows PassSync service is uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
> > Windows PassSync entry exists, not resetting password
> > ipa: INFO: Added new sync agreement, waiting for it to become ready . . .
> > ipa: INFO: Replication Update in progress: FALSE: status: -11 - System error: start: 0: end: 0
> > ipa: INFO: Agreement is ready, starting replication . . .
> > Starting replication, please wait until this has completed.
> > [ipa.foo.example.local] reports: Update failed! Status: [-11 - System error]
> > Failed to start replication
> What platform? What version of 389-ds-base?
> Can you post some excerpts from your 389 errors log from
> /var/log/dirsrv/slapd-YOUR-DOMAIN/errors from around the time of the
> error?
That was a TLS error; I had uploaded the wrong AD CA cert on the IPA server. Sorry for the noise.

> >>> I'm a newbie on Microsoft OSes, but I don't understand why certutil
> >>> doesn't find my file.
> >>>
> >>> I will ask on a Microsoft forum.
> >>>
> >>> Regards
> >>>
> >>>>> When I run as admin 'certutil -installcert -v -config
> >>>>> "ipa.foo.example.local\EXAMPLE.LOCAL Domain CA"
> >>>>> c:\Users\John\Documents\ipa-ca.crt' it returns (translated from
> >>>>> French):
> >>>>>
> >>>>> CertUtil : -installCert command failure : 0x80070002 (WIN32: 2)
> >>>>> CertUtil: Specified file not found
> >>>>>
> >>>>> Has anyone seen this issue?
> >>>>>
> >>>>> Have a nice day.
> >>>>>
> >>>>> Regards.
> >>>>>
> >>>>> Baptiste.
> >>>>>
> >>>>> _______________________________________________
> >>>>> Freeipa-users mailing list
> >>>>> [email protected]
> >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> > Have a nice day.
> >
> > Regards
> >
> > Baptiste.
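The root cause the thread ends on is a CA file that did not match the certificate AD presents on port 636, so the `--cacert` step in `ipa-replica-manage connect --winsync` trusted the wrong issuer and the agreement failed with a TLS error. The following is an added example, not code from the thread or from FreeIPA: it generates a test AD CA, an unrelated CA and an LDAPS server certificate locally with OpenSSL (constructed data, kept in a temp dir; `ad-server.example.com` and `EXAMPLE-AD-CA` are assumed names) and shows the offline check a practitioner would run on the CA file before handing it to `--cacert`. The commented commands at the end show the same verification against a live AD server.

```shell
#!/bin/sh
# Added example (not from the freeipa-users thread): check that the CA file
# you intend to pass to `ipa-replica-manage connect --winsync --cacert` is
# really the issuer of the certificate AD serves on port 636.
# Everything below is constructed test data generated in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a self-signed CA.  $1 = output basename, $2 = CN (assumed name).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a server cert for CN=$2, signed by CA $1, written to $WORK/$3.crt.
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/$3.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$3.crt" >/dev/null 2>&1
}

# The check itself: does the CA file ($1) verify the server's leaf cert ($2)?
# Prints a one-line verdict; returns 0 on match, 1 on mismatch.
check_cacert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "ok: $1 issued $2"
        return 0
    else
        echo "MISMATCH: $1 did not issue $2"
        return 1
    fi
}

# SHA-256 fingerprint of a PEM cert; the quickest value to compare by eye
# against what the Windows side shows for its CA.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 if two PEM files hold the same certificate, 1 otherwise.
same_cert() {
    [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}

# Two CAs: the real AD CA, and an unrelated one standing in for the wrong
# file the poster uploaded by mistake.  The LDAPS cert is issued by ad-ca.
make_ca ad-ca    "EXAMPLE-AD-CA"
make_ca other-ca "EXAMPLE-OTHER-CA"
make_server_cert ad-ca ad-server.example.com ad-ldaps

main() {
    check_cacert "$WORK/ad-ca.crt"    "$WORK/ad-ldaps.crt"
    check_cacert "$WORK/other-ca.crt" "$WORK/ad-ldaps.crt" || true
    echo "AD CA fingerprint: $(fingerprint "$WORK/ad-ca.crt")"
}

# Against a live AD (not run here): grab the leaf AD presents on 636 and
# verify it with the file you are about to pass to --cacert.
#   openssl s_client -connect ad-server.example.com:636 -showcerts </dev/null 2>/dev/null \
#       | openssl x509 -out ad-leaf.crt
#   openssl verify -CAfile /etc/openldap/cacerts/ad-ca.crt ad-leaf.crt
main
```

Note that the earlier `ldapsearch -ZZ` test in the thread does not exercise this file at all: with `LDAPTLS_CACERTDIR` pointing at the 389-ds instance directory, the RHEL 6 OpenLDAP client (built against NSS) trusts whatever is in that NSS database, so a successful StartTLS there says nothing about `/etc/openldap/cacerts/ad-ca.crt`. Verifying the actual `--cacert` file against the leaf AD serves is the check that was missing.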
